Threat Intelligence | Breaking Cybersecurity News | The Hacker News

The Russia-linked nation-state threat actor tracked as  APT28  weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg. The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8). It was  addressed  by Microsoft as part of updates released in October 2022, with the U.S. National Security Agency (NSA) credited for reporting the flaw at the time. According to new findings from the tech giant's threat intelligence team,  APT28  – also called Fancy Bear and Forest Blizzard (formerly Strontium) – weaponized the bug in attacks targeting Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. "Forest Blizzard has used the tool [...] to exploit the CVE-2022-38028 vu

Over the past two years, a shocking  51% of organizations surveyed in a leading industry report have been compromised by a cyberattack.  Yes, over half.  And this, in a world where enterprises deploy  an average of 53 different security solutions  to safeguard their digital domain.  Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and conducted by Global Surveyz Research, offers a quantifiable glimpse into this evolving battlefield, revealing a stark contrast between the growing risks and the tightening budget constraints under which cybersecurity professionals operate. With this report, Pentera has once again taken a magnifying glass to the state of pentesting to release its annual report about today's pentesting practices. Engaging with 450 security executives from North America, LATAM, APAC, and EMEA—all in VP or C-level positions at organizations with over 1,000 employees—the report paints a current picture of modern security validation prac

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as  CVE-2024-3400  (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. "In the first one, the GlobalProtect service did not sufficiently validate the session ID format before storing them. This enabled the attacker to store an empty file with the attacker's chosen filename," Chandan B. N., senior director of product security at Palo Alto Networks,  said . "The second bug (trusting that the files were system-generated) used the filenames as part of a command."  It's worth noting that while neither of the issues are critical enough on their own, when chained together, they could lead to unauthenticated remote shell command execution. Palo Alto Networks sai

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP  said  in an advisory released Friday. "This has been patched in v11.1.0." That said, customers who are operating their CrushFTP instances within a  DMZ  ( demilitarized zone ) restricted environment are protected against the attacks. Simon Garrelou of Airbus CERT has been credited with discovering and reporting the flaw. It has yet to be assigned a CVE identifier. Cybersecurity company CrowdStrike, in a post shared on Reddit, said it has observed an exploit for the flaw being used in the wild in a "targeted fashion." These intrusions are said to have mainly targeted U.S. entities, with the intelligence gathering activity suspe

Technology, research, and government sectors in the Asia-Pacific region have been targeted by a threat actor called  BlackTech  as part of a recent cyber attack wave. The intrusions pave the way for an updated version of modular backdoor dubbed Waterbear as well as its enhanced successor referred to as Deuterbear. Cybersecurity firm Trend Micro is tracking the threat actor under the moniker Earth Hundun, which is known to be active since at least 2007. It also goes by other names such as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard. "Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis," Trend Micro researchers Cyris Tseng and Pierre Lee  said  in an analysis last week. "In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us

Government entities in the Middle East have been targeted as part of a previously undocumented campaign to deliver a new backdoor dubbed CR4T. Russian cybersecurity company Kaspersky said it discovered the activity in February 2024, with evidence suggesting that it may have been active since at least a year prior. The campaign has been codenamed  DuneQuixote . "The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code," Kaspersky  said . The starting point of the attack is a dropper, which comes in two variants -- a regular dropper that's either implemented as an executable or a DLL file and a tampered installer file for a legitimate tool named  Total Commander . Regardless of the method used, the primary function of the dropper is to extract an embedded command-and-control (C2) address that's decrypted using a nove

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform since 2018. More than 20 such documents have been uploaded since 2022. "The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'" security researcher Vanja Svajcer  said . "The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories." A striking aspect of OfflRouter is its inability to spread via email, necessitating that it be propagated via other means, such as sharing documents and removable media, including USB memory sticks containing the infected documents. "It would require manual user intervention to send an infected document as

Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to deliver payloads. Static analysis in a sandbox makes it possible to expose any threat a malicious PDF contains by extracting its structure. The presence of JavaScript or Bash scripts can reveal a possible mechanism for downloading and executing malware.  Sandboxes like ANY.RUN also allows users to scrutinize URLs found in PDFs to identify suspicious domains, potential command and control (C2) servers, or other indicators of compromise. Example: Static analysis of a PDF file in ANY.RUN Interactivity allows our users to manipulate files within a VM as they wish, but static Discovery offers

The threat actor tracked as  TA558  has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others. "The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside images and text files," Russian cybersecurity company Positive Technologies  said  in a Monday report. The campaign has been codenamed SteganoAmor for its reliance on steganography and the choice of file names such as greatloverstory.vbs and easytolove.vbs. A majority of the attacks have targeted industrial, services, public, electric power, and construction sectors in Latin American countries, although companies located in Russia, Romania, and Turkey have also been singled out. The development comes as TA558 has also been spotted  deploying Venom RAT  via phishing attacks aimed at enterprise

In today's rapidly evolving digital landscape, organizations face an increasingly complex array of cybersecurity threats. The proliferation of cloud services and remote work arrangements has heightened the vulnerability of digital identities to exploitation, making it imperative for businesses to fortify their identity security measures. Our recent research report,  The Identity Underground Report , offers valuable insights into the challenges and vulnerabilities organizations encounter in managing digital identities. The report paints a vivid picture of the "hidden" identity security liabilities where attackers leverage Identity Threat Exposures (ITEs) such as forgotten user accounts and misconfigurations to breach organizations' defenses, with each ITE posing a significant threat to organizations' security posture. Discover the most common identity security gaps that lead to compromises in the first-ever threat report focused entirely on the prevalence of

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as  CVE-2024-3400  (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall. Fixes for the shortcoming are available in the following versions - PAN-OS 10.2.9-h1 PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 Patches for other commonly deployed maintenance releases are expected to be released over the next few days. "This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled," the company  clarified  in its updated advisory. It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS

"Test files" associated with the  XZ Utils backdoor  have made their way to a Rust crate known as  liblzma-sys , new  findings  from Phylum reveal. liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the  XZ Utils  data compression software. The impacted version in question is 0.3.2. "The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor," Phylum  noted  in a GitHub issue raised on April 9, 2024. "The test files themselves are not included in either the .tar.gz nor the .zip tags  here on GitHub  and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io." Following responsible disclosure, the files in question ("tests/files/bad-3-corrupt_lzma2.xz" and "tests/files/good-large_compressed.lzma") have since been removed from liblzma-sys version

The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called  DarkBeatC2 , becoming the latest such tool in its arsenal after  SimpleHarm ,  MuddyC3, PhonyC2 , and  MuddyC2Go . "While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater's methods remain constant," Deep Instinct security researcher Simon Kenin  said  in a technical report published last week. MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). It's known to be active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems. Prior findings from Microsoft show that the group has ties with another Iranian threat activity cluster tracked as  Storm-1084  (aka DarkBit), with t