The Hacker News | #1 Trusted Cybersecurity News Site

Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as  CVE-2022-4262 , concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion vulnerabilities could be weaponized by threat actors to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution. According to the NIST's National Vulnerability Database, the flaw  permits  a "remote attacker to potentially exploit heap corruption via a crafted HTML page." Google acknowledged active exploitation of the vulnerability but stopped short of sharing additional specifics to prevent further abuse. CVE-2022-4262 is the fourth actively exploited type confusion flaw that Google has addressed since the start of the year. It's also the ninth

Platform certificates used by Android smartphone vendors like Samsung, LG, and MediaTek have been found to be abused to sign malicious apps. The findings were first  discovered and reported  by Google reverse engineer Łukasz Siewierski on Thursday. "A platform certificate is the application signing certificate used to sign the 'android' application on the system image," a report filed through the Android Partner Vulnerability Initiative ( AVPI )  reads . "The 'android' application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data." This effectively means that a rogue application signed with the same certificate can gain the highest level of privileges as the Android operating system, permitting it to harvest all kinds of sensitive information from a compromised device. The list of malicious Android app packages that have abused the certificates is below - com.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an Industrial Control Systems (ICS) advisory warning of multiple vulnerabilities in Mitsubishi Electric GX Works3 engineering software. "Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module or to view and execute programs," the agency  said . GX Works3  is an  engineering workstation  software used in ICS environments, acting as a mechanism for uploading and downloading programs from/to the controller, troubleshooting software and hardware issues, and performing maintenance operations. The wide range of functions also makes the platform an attractive target for threat actors looking to compromise such systems to commandeer the  managed PLCs . Three of the 10 shortcomings relate to cleartext storage of sensitive data, four relate to the use of a hard-coded cr

Old technology solutions – every organization has a few of them tucked away somewhere.  It could be an old and unsupported storage system or a tape library holding the still-functional backups from over 10 years ago.  This is a common scenario with software too. For example, consider an accounting software suite that was extremely expensive when it was purchased. If the vendor eventually went under, then there's no longer any support for the software – which means that the accounting solution only works on some older operating system that isn't supplied with updates either. How valuable is it to  keep older solutions like this running ? Well, organizations don't enjoy running old legacy systems just for the pleasure of it, but they're often forced to keep them running because it's their only option, or at least the only cost-effective option available to them. If it works, it works…? From a purely functional perspective, there is usually no problem with old te

IBM has fixed a high-severity security vulnerability affecting its Cloud Databases (ICD) for PostgreSQL product that could be potentially exploited to tamper with internal repositories and run unauthorized code. The privilege escalation flaw (CVSS score: 8.8), dubbed " Hell's Keychain " by cloud security firm Wiz, has been described as a "first-of-its-kind supply-chain attack vector impacting a cloud provider's infrastructure." Successful exploitation of the bug could enable a malicious actor to remotely execute code in customers' environments and even read or modify data stored in the PostgreSQL database. "The vulnerability consists of a chain of three exposed secrets (Kubernetes service account token, private container registry password, CI/CD server credentials) coupled with overly permissive network access to internal build servers," Wiz researchers Ronen Shustin and Shir Tamari  said . Hell's Keychain commences with an SQL inject

A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy  Redigo , according to cloud security firm  Aqua . Tracked as CVE-2022-0543 (CVSS score: 10.0), the weakness pertains to a case of sandbox escape in the Lua scripting engine that could be leveraged to attain remote code execution. This is not the first time the flaw has come under active exploitation, what with Juniper Threat Labs uncovering attacks perpetrated by the  Muhstik botnet  in March 2022 to execute arbitrary commands. The Redigo infection chain is similar in that the adversaries scan for exposed Redis servers on port 6379 to establish initial access, following it up by downloading a shared library "exp_lin.so" from a remote server.

The new  Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)  requires CISA to create rules regarding cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish sooner than  24 months  from the enactment of CIRCIA, which the President signed into law  in March . The sessions and NPRM are steps toward creating the new rule.  CISA is  soliciting expert opinion on what to include  in a report but is taking steps to implement the change soon. Here's what that change means for businesses in the US and what you can do about it now.  Overview of the CISA reporting rule  Owners and operators of critical infrastructure must file cyber incident reports with CISA  within 72 hours . They must report ransom payments for ransomware attacks  within 24 hours . Other businesses can take part voluntarily.  The CISA Director can  subpoena  organizations in noncompliance to compel

Multiple unpatched vulnerabilities have been discovered in three Android apps that allow a smartphone to be used as a remote keyboard and mouse. The apps in question are Lazy Mouse , PC Keyboard , and Telepad , which have been cumulatively downloaded over two million times from the Google Play Store. Telepad is no longer available through the app marketplace but can be downloaded from its website. Lazy Mouse (com.ahmedaay.lazymouse2 and com.ahmedaay.lazymousepro) PC Keyboard (com.beapps.pckeyboard) Telepad (com.pinchtools.telepad) While these apps function by connecting to a server on a desktop and transmitting to it the mouse and keyboard events, the Synopsys Cybersecurity Research Center (CyRC)  found  as many as seven flaws related to weak or missing authentication, missing authorization, and insecure communication. The issues (from CVE-2022-45477 through CVE-2022-45483), in a nutshell, could be exploited by a malicious actor to execute arbitrary commands sans authenticati

The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022. In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies  highlighted  a "sharp increase in both the number of compromised U.S. entities and the ransom amounts." The ransomware crew, also known as  Tropical Scorpius , has been observed targeting financial services, government facilities, healthcare, critical manufacturing, and IT sectors, while simultaneously expanding its tactics to gain initial access and interact with breached networks. It's worth noting that despite the name "Cuba," there is no evidence to suggest that the actors have any connection or affiliation with the island country. The entry point for the attacks involves the exploitation of known security flaws, phishing,