#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
AI Security

The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

Jul 15, 2024 Cybersecurity / Mobile Security
Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks. The decision was announced by the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) on July 9, 2024. "Customers who have activated their digital token on their mobile device will have to use their digital tokens for bank account logins via the browser or the mobile banking app," the MAS said . "The digital token will authenticate customers' login without the need for an OTP that scammers can steal, or trick customers into disclosing." The MAS is also urging customers to activate their digital tokens to safeguard against attacks that are designed to steal credentials and hijack their accounts for conducting financial fraud. "This measure provides customers with further protection against unauthorized access to
New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection

New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection

Jul 15, 2024 Network Security / Data Protection
Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts. "Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis. "The passphrase needs to be provided during the runtime in order for the ransomware to be executed properly. Additional obfuscation hinders security researchers from analyzing the malware." HardBit, which first emerged in October 2022, is a financially motivated threat actor that, similar to other ransomware groups, operates with an aim to generate illicit revenues via double extortion tactics. What makes the threat group stand out is that it does not operate a data leak site, and instead pressurizes victims to pay up by threatening to conduct additional attacks in the future. Its primary mode of communication
HUMINT: Diving Deep into the Dark Web

HUMINT: Diving Deep into the Dark Web

Jul 09, 2024Cybercrime / Dark Web
Discover how cybercriminals behave in Dark Web forums- what services they buy and sell, what motivates them, and even how they scam each other. Clear Web vs. Deep Web vs. Dark Web Threat intelligence professionals divide the internet into three main components: Clear Web - Web assets that can be viewed through public search engines, including media, blogs, and other pages and sites. Deep Web - Websites and forums that are unindexed by search engines. For example, webmail, online banking, corporate intranets, walled gardens, etc. Some of the hacker forums exist in the Deep Web, requiring credentials to enter. Dark Web - Web sources that require specific software to gain access. These sources are anonymous and closed, and include Telegram groups and invite-only forums. The Dark Web contains Tor, P2P, hacker forums, criminal marketplaces, etc. According to Etay Maor, Chief Security Strategist at Cato Networks , "We've been seeing a shift in how criminals communicate and co
AT&T Confirms Data Breach Affecting Nearly All Wireless Customers

AT&T Confirms Data Breach Affecting Nearly All Wireless Customers

Jul 13, 2024 Data Breach / Network Security
American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network. "Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023," it said . This comprises telephone numbers with which an AT&T or MVNO wireless number interacted – including telephone numbers of AT&T landline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. A subset of these records also contained one or more cell site identification numbers , potentially allowing the threat actors to triang
cyber security

Top 4 Security Risks of GenAI

websiteWizGenAI Security / Technology
Gain a competitive edge and unlock the top 4 major emerging risks within GenAI. This report from Gartner provides insights and recommended actions for security and product leaders.
DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

Jul 12, 2024 Malware / Cyber Attack
Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections. Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North America, Europe, and parts of Asia. "This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware," security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said . DarkGate, which first emerged in 2018, has evolved into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop addit
Australian Defence Force Private and Husband Charged with Espionage for Russia

Australian Defence Force Private and Husband Charged with Espionage for Russia

Jul 12, 2024 Cyber Crime / Online Safety
Two Russian-born Australian citizens have been arrested and charged in the country for spying on behalf of Russia as part of a "complex" law enforcement operation codenamed BURGAZADA . This includes a 40-year-old woman, an Australian Defence Force (ADF) Army Private, and her husband, a 62-year-old self-employed laborer. Media reports have identified them as Kira Korolev and Igor Korolev, respectively, noting that they had been in Australia for over a decade. The married couple were arrested at their home in the Brisbane suburb of Everton Park on July 11, 2024, the Australian Federal Police (AFP) said in a statement. They have been charged with one count each of preparing for an espionage offense, which carries a maximum penalty of 15 years' imprisonment. "It is the first time an espionage offense has been laid in Australia since new laws were introduced by the Commonwealth in 2018," the AFP said . The federal law enforcement agency has alleged the pair
Ever Wonder How Hackers Really Steal Passwords? Discover Their Tactics in This Webinar

Ever Wonder How Hackers Really Steal Passwords? Discover Their Tactics in This Webinar

Jul 12, 2024 Digital Security / Online Safety
In today's digital age, passwords serve as the keys to our most sensitive information, from social media accounts to banking and business systems. This immense power brings with it significant responsibility—and vulnerability. Most people don't realize their credentials have been compromised until the damage is done. Imagine waking up to drained bank accounts, stolen identities, or a company's reputation in tatters. This isn't just a hypothetical scenario – it's the harsh reality faced by countless individuals and organizations every day. Recent data reveals that compromised credentials are the single biggest attack vector in 2024. That means stolen passwords, not exotic malware or zero-day exploits, are the most common way hackers breach systems and wreak havoc. To help you navigate this critical issue, we invite you to join our exclusive webinar, " Compromised Credentials in 2024: What to Know About the World's #1 Attack Vector. " What You'
Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments

Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments

Jul 12, 2024 Vulnerability / Software Security
A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users' inboxes. The vulnerability , tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98. "Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users," according to a description shared on the U.S. National Vulnerability Database (NVD). Exim is a free, mail transfer agent that's used in hosts that are running Unix or Unix-like operating systems. It was first released in 1995 for use at the University of Cambridge.  Attack surface management firm Censys said 4,830,719 of the 6,540,044 public-facing SMTP mail servers are running Exim. As of July 12, 2024, 1,563,085 internet-accessible
U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation

U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation

Jul 12, 2024 Disinformation / Artificial Intelligence
The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-Kremlin disinformation in the country and abroad on a large scale. "The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the United States — which the operators then used to promote messages in support of Russian government objectives," the DoJ said . The bot network, comprising 968 accounts on X, is said to be part of an elaborate scheme hatched by an employee of Russian state-owned media outlet RT (formerly Russia Today), sponsored by the Kremlin, and aided by an officer of Russia's Federal Security Service (FSB), who created and led an unnamed private intelligence organization. The developmental efforts for the bot farm began in April 2022 when the individuals procured online infrastructure while anon
Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool

Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool

Jul 11, 2024 Vulnerability / Enterprise Security
Palo Alto Networks has released security updates to address five security flaws impacting its products, including a critical bug that could lead to an authentication bypass. Cataloged as CVE-2024-5910 (CVSS score: 9.3), the vulnerability has been described as a case of missing authentication in its Expedition migration tool that could lead to an admin account takeover. "Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition," the company said in an advisory. "Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue." The flaw impacts all versions of Expedition prior to version 1.2.92, which remediates the problem. Synopsys Cybersecurity Research Center's (CyRC) Brian Hysell has been credited with discovering and reporting the issue. While there is no evidence that the vulnerability has be
60 New Malicious Packages Uncovered in NuGet Supply Chain Attack

60 New Malicious Packages Uncovered in NuGet Supply Chain Attack

Jul 11, 2024 Software Security / Threat Intelligence
Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, while also adding a new layer of stealth to evade detection. The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach from the previous set that came to light in October 2023, software supply chain security firm ReversingLabs said. The attackers pivoted from using NuGet's MSBuild integrations to "a strategy that uses simple, obfuscated downloaders that are inserted into legitimate PE binary files using Intermediary Language (IL) Weaving, a .NET programming technique for modifying an application's code after compilation," security researcher Karlo Zanki said . The end goal of the counterfeit packages, both old and new, is to deliver an off-the-shelf remote access trojan called SeroXen RAT . All the identified packages have since been taken down. The latest coll
Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk

Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk

Jul 11, 2024 Cyber Espionage / Network Security
The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk. The new variant of StealthVector – which is also referred to as DUSTPAN – has been designated DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024. "DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk," security researchers Yin Hong Chang and Sudeep Singh said . "MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication." APT41 is the moniker assigned to a prolific state-sponsored threat actor affiliated with China that's known to be active since at least 2007. It's also tracked by the broader cybersecurity community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atl
Streamlined Security Solutions: PAM for Small to Medium-sized Businesses

Streamlined Security Solutions: PAM for Small to Medium-sized Businesses

Jul 11, 2024 Compliance / Identity Management
Today, all organizations are exposed to the threat of cyber breaches, irrespective of their scale. Historically, larger companies were frequent targets due to their substantial resources, sensitive data, and regulatory responsibilities, whereas smaller entities often underestimated their attractiveness to hackers. However, this assumption is precarious, as cybercriminals frequently exploit perceived vulnerabilities in smaller firms for expedient profit.  Small to medium-sized organizations often lack the resources and expertise for robust privileged identity management . Yet they increasingly require PAM solutions. Fortunately, the market now offers numerous vendors specializing in these needs. Recognizing the demand for accessible solutions, these vendors provide affordable options tailored to organizations aiming to meet stringent compliance standards or enhance security practices, requiring minimal installation and maintenance to gain full access controls .  To enhance threat awa
New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign

New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign

Jul 11, 2024 Malware / Threat Intelligence
Spanish language victims are the target of an email phishing campaign that delivers a new remote access trojan (RAT) called Poco RAT since at least February 2024. The attacks primarily single out mining, manufacturing, hospitality, and utilities sectors, according to cybersecurity company Cofense. "The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials," it said . Infection chains begin with phishing messages bearing finance-themed lures that trick recipients into clicking on an embedded URL pointing to a 7-Zip archive file hosted on Google Drive. Other methods observed include the use of HTML or PDF files directly attached to the emails or downloaded via another embedded Google Drive link. The abuse of legitimate services by threat actors is not a new phenomenon as it allows them to bypass
PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Jul 11, 2024 Cyber Attack / Vulnerability
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024. "CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP," Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. "The vulnerability itself lies in how Unicode characters are converted into ASCII." The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge. This included exploits designed to deliver a remote
GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs

GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Jobs

Jul 11, 2024 Software Security / Vulnerability
GitLab has shipped another round of updates to close out security flaws in its software development platform, including a critical bug that allows an attacker to run pipeline jobs as an arbitrary user. Tracked as CVE-2024-6385, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. "An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances," the company said in a Wednesday advisory. It's worth noting that the company patched a similar bug late last month ( CVE-2024-5655 , CVSS score: 9.6) that could also be weaponized to run pipelines as other users. Also addressed by GitLab is a medium-severity issue (CVE-2024-5257, CVSS score: 4.9) that allows a Developer user with admin_compliance_framework permissions to modify the URL for a group namespace. All the security shortcomings have been fi
New Ransomware Group Exploiting Veeam Backup Software Vulnerability

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

Jul 10, 2024 Data Breach / Malware
A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities. Initial access to the target environment is said to have been facilitated by means of a Fortinet FortiGate firewall SSL VPN appliance using a dormant account. "The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server," security researcher Yeo Zi Wei said in an analysis published today. "Before the ransomware attack, there were VPN brute-force attempts noted in April 2024 using a dormant account identified as 'Acc1.' Several days later, a successful VPN login using 'Acc1' was traced back to the remote IP address 149.28.106[.]25
Smash-and-Grab Extortion

Smash-and-Grab Extortion

Jul 10, 2024 IoT Security / Firmware Security
The Problem The "2024 Attack Intelligence Report" from the staff at Rapid7 [1] is a well-researched, well-written report that is worthy of careful study. Some key takeaways are:  53% of the over 30 new vulnerabilities that were widely exploited in 2023 and at the start of 2024 were zero-days . More mass compromise events arose from zero-day vulnerabilities than from n-day vulnerabilities. Nearly a quarter of widespread attacks were zero-day attacks where a single adversary compromised dozens to hundreds of organizations simultaneously. Attackers are moving from initial access to exploitation in minutes or hours rather than days or weeks. So the conventional patch and put strategy is as effective as a firetruck showing up after a building has burned to the ground! Of course, patch and put could prevent future attacks, but taking into account that patch development takes from days to weeks [2] and that the average time to apply critical patches is 16 days [3], devices are vulner
Cybersecurity
Expert Insights
Cybersecurity Resources