The Hacker News | #1 Trusted Cybersecurity News Site

The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign. "TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint  said  in a new report. The enterprise security firm is tracking the activity under its own moniker  TA473  (aka UAC-0114), describing it as an adversarial crew whose operations align with that of Russian and Belarussian geopolitical objectives. What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting  state authorities of Ukraine and Poland  as well as  government officials in India, Lithuania, Slovakia, and the Vatican . The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score:

The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users. Two of the apprehended affiliates are believed to be organizers, with 10 others detained in other territories across the European Union. The suspects are alleged to have created more than 100 phishing portals aimed at users in France, Spain, Poland, Czechia, Portugal, and other nations in the region. These websites masqueraded as online portals offering heavily discounted products below market prices to lure unsuspecting users into placing fake "orders." In reality, the financial information entered on those websites to complete the payments were used to siphon money from the victims' accounts. "For the fraudulent scheme, the participants also created two call centers, in Vinnytsia and in Lviv, and involved operators in their work," the Cyber Police  said . &quo

Streamline your zero-trust access journey with three simple steps for high-risk, remote, and hybrid users.

Organizations rely on Incident response to ensure they are immediately aware of security incidents, allowing for quick action to minimize damage. They also aim to avoid follow on attacks or future related incidents. The SANS Institute provides research and education on information security. In the upcoming webinar, we'll outline , in detail, six components of a SANS incident response plan, including elements such as preparation, identification, containment, and eradication. The 6 steps of a complete IR Preparation:  This is the first phase and involves reviewing existing security measures and policies; performing risk assessments to find potential vulnerabilities; and establishing a communication plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation stage of your IR plan is crucial as it gives you the opportunity to communicate holiday-specific threats and put the wheels in motion to address such threats as they are identif

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a  supply chain attack . The version numbers include  18.12.407 and 18.12.416  for Windows and  18.11.1213, 18.12.402, 18.12.407, and 18.12.416  for macOS. The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422. "3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea  said  in a blog post. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server." Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poiso

Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer ( SFX ) that could lead to unauthenticated remote code execution. Tracked as  CVE-2023-23383  (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the  FabriXss flaw  (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication," security researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. XSS refers to a kind of  client-side code injection  attack that makes it possible to upload malicious scripts into otherwise trusted websites. The scripts then get executed every time a victim visits the compromised website, thereby leading to unintended consequences. While both FabriXss and Super FabriXss

A Chinese state-sponsored threat activity group tracked as  RedGolf  has been  attributed  to the use of a custom Windows and Linux backdoor called KEYPLUG. "RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News. "The group has shown the ability to rapidly weaponize  newly reported vulnerabilities (e.g. Log4Shell and  ProxyLogon ) and has a history of developing and using a large range of custom malware families." The use of KEYPLUG by Chinese threat actors was  first disclosed  by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022. Then in October 2022, Malwarebytes  detailed  a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG. Bot

A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS. Successful exploitation of the shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef said in a paper published this week. The  approach  exploits  power-save mechanisms  in endpoint devices to trick access points into leaking  data frames  in plaintext, or encrypt them using  an all-zero key . "The unprotected nature of the power-save bit in a frame's header [...] also allows an adversary to force queue frames intended for a specific client resulting in its disconnection and trivially executing a denial-of-service attack," the researchers noted. In other words, the goal is to leak frames from the access point destined to a victim client station

Multi-cloud data storage, once merely a byproduct of the great cloud migration, has now become a strategy for data management. "Multi-cloud by design," and its companion the supercloud, is an ecosystem in which several cloud systems work together to provide many organizational benefits, including increased scale and overall resiliency. And now, even security teams who have long been the holdout on wide-scale cloud adoption, may find a reason to rejoice. Born out of the multi-cloud approach, cyberstorage enables companies to not only enjoy the benefits that multi-cloud brings but also eliminate the risk of data exposure at the same time, marking the beginning of the multi-cloud maturity era. What Is The Supercloud? While many organizations ended up with multiple cloud services as a byproduct of interdepartmental needs, today organizations are intentionally building multi-cloud environments. And rather than manage the various cloud services individually, many are implementin

A new "comprehensive toolset" called  AlienFox  is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security researcher Alex Delamotte  said  in a report shared with The Hacker News. The cybersecurity company characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements. The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like  LeakIX  and  SecurityTrails , and subsequently leverage various scripts in the toolkit to extract credentials from configuration files exposed on the servers. Specifically, it entails searching for susceptible servers associated with popular web framewor