The Hacker News - Cybersecurity News and Analysis

Amnesty International today exposed details of a new surveillance campaign that targeted Egyptian civil society organizations with previously undisclosed versions of FinSpy spyware designed to target Linux and macOS systems. Developed by a German company , FinSpy is extremely powerful spying software that is being sold as a legal law enforcement tool to governments around the world but has also been found in use by oppressive and dubious regimes to spy on activists. FinSpy, also known as FinFisher, can target both desktop and mobile operating systems, including Android, iOS, Windows, macOS, and Linux, to gain spying capabilities, including secretly turning on their webcams and microphones, recording everything the victim types on the keyboard, intercepting calls, and exfiltration of data. According to the human rights organization Amnesty International , the newly discovered campaign is not linked to 'NilePhish,' a hacking group known for attacking Egyptian NGOs in a ser

Microsoft's long-lived operating system Windows XP—that still powers over 1% of all laptops and desktop computers worldwide—has had its source code leaked online, allegedly, along with Windows Server 2003. Yes, you heard that right. The source code for Microsoft's 19-year-old operating system was published as a torrent file on notorious bulletin board website 4chan, and it's for the very first time when source code for Microsoft's operating system has been leaked to the public. Several reports suggest that the collection of torrent files, which weigh 43GB in size, also said to include the source code for Windows Server 2003 and several Microsoft's older operating systems, including: Windows 2000 Windows CE 3  Windows CE 4  Windows CE 5  Windows Embedded 7 Windows Embedded CE Windows NT 3.5 Windows NT 4 MS-DOS 3.30  MS-DOS 6.0 The torrent download also includes the alleged source code for various Windows 10 components that  appeared in 2017  and sour

As the pandemic continues to accelerate the shift towards working from home, a  slew of digital threats  have capitalized on the health concern to exploit weaknesses in the remote work infrastructure and carry out malicious attacks. Now according to network security platform provider SAM Seamless Network , over 200,000 businesses that have deployed the Fortigate VPN solution—with default configuration—to enable employees to connect remotely are vulnerable to man-in-the-middle (MitM) attacks, allowing attackers to present a valid SSL certificate and fraudulently take over a connection. "We quickly found that under default configuration the SSL VPN is not as protected as it should be, and is vulnerable to MITM attacks quite easily," SAM IoT Security Lab's Niv Hertz and Lior Tashimov said. "The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a differen

Ever wonder how hackers can hack your smartphone remotely? In a report shared with The Hacker News today, Check Point researchers disclosed details about a  critical vulnerability  in Instagram's Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. What's more worrisome is that the flaw not only lets attackers perform actions on behalf of the user within the Instagram app—including spying on victim's private messages and even deleting or posting photos from their accounts—but also execute arbitrary code on the device. According to an  advisory  published by Facebook, the heap overflow security issue (tracked as CVE-2020-1895 , CVSS score: 7.8) impacts all versions of the Instagram app prior to 128.0.0.26.128, which was released on February 10 earlier this year. "This [flaw] turns the device into a tool for spying on targeted users without their knowledge, as well as enabling

If you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller. Dubbed 'Zerologon' (CVE-2020-1472) and discovered by Tom Tervoort of  Secura , the privilege escalation vulnerability exists due to the insecure usage of AES-CFB8 encryption for Netlogon sessions, allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol (MS-NRPC). "The attack utilizes flaws in an authentication protocol that validates the authenticity and identity of a domain-joined computer to the Domain Controller. Due to the incorrect use of an AES mode of operation, it is possible to spoof the identity of any computer account (including that of the DC itself) and set an empty password for that account in the domain," researchers at cyber

As ransomware attacks  against critical infrastructure continue to spike in recent months, cybersecurity researchers have uncovered a new entrant that has been actively trying to conduct multistage attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The ransomware gang, codenamed "OldGremlin" and believed to be a Russian-speaking threat actor, has been linked to a series of campaigns at least since March, including a successful attack against a clinical diagnostics laboratory that occurred last month on August 11. "The group has targeted only Russian companies so far, which was typical for many Russian-speaking adversaries, such as  Silence  and  Cobalt , at the beginning of their criminal path," Singaporean cybersecurity firm Group-IB said in a report published today and shared with The Hacker News. "Using Russia as a testing ground, these groups then switched to other geographies to distance thems

A back-end server associated with Microsoft Bing exposed sensitive data of the search engine's mobile application users, including search queries, device details, and GPS coordinates, among others. The logging database, however, doesn't include any personal details such as names or addresses. The data leak, discovered by Ata Hakcil of  WizCase  on September 12, is a massive 6.5TB cache of log files that was left for anyone to access without any password, potentially allowing cybercriminals to leverage the information for carrying out extortion and phishing scams. According to WizCase, the Elastic server is believed to have been password protected until September 10, after which the authentication seems to have been inadvertently removed. After the findings were privately disclosed to Microsoft Security Response Center, the Windows maker addressed the misconfiguration on September 16. Misconfigured servers have been a constant  source of data leaks  in recent years, resul

A UK man who threatened to publicly release stolen confidential information unless the victims agreed to fulfill his digital extortion demands has finally pleaded guilty on Monday at U.S. federal district court in St. Louis, Missouri. Nathan Francis Wyatt , 39, who is a key member of the infamous international hacking group 'The Dark Overlord,' has been sentenced to five years in prison and ordered to pay $1,467,048 in restitution to his victims. Wyatt, who was extradited to the United States late last year after being held for over two years in the United Kingdom, has pleaded guilty to conspiring to commit aggravated identity theft and computer fraud. U.K. police first arrested Wyatt in September 2016 during an investigation into the hacking of an iCloud account belonging to Pippa Middleton, the younger sister of the British royal family member Duchess of Cambridge, and stealing 3,000 images of her. Though he was released in that case without charge due to lack of

German authorities last week  disclosed  that a ransomware attack on the University Hospital of Düsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away. The incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which has ramped up in recent months. The attack, which exploited a Citrix ADC  CVE-2019-19781  vulnerability to cripple the hospital systems on September 10, is said to have been "misdirected" in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators. After law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key. The case is currently being treated as a homicide, BBC News  reported  over the weekend. Unpatched Vulnerabilities

Dear Android users, if you use the Firefox web browser on your smartphones, make sure it has been updated to version 80 or the latest available version on the Google Play Store. ESET security researcher Lukas Stefanko yesterday tweeted an alert demonstrating the exploitation of a recently disclosed high-risk remote command execution vulnerability affecting the Firefox app for Android. Discovered originally by Australian security researcher Chris Moberly , the vulnerability resides in the SSDP engine of the browser that can be exploited by an attacker to target Android smartphones connected to the same Wi-Fi network as the attacker, with Firefox app installed. SSDP, stands for Simple Service Discovery Protocol, is a UDP based protocol that is a part of UPnP for finding other devices on a network. In Android, Firefox periodically sends out SSDP discovery messages to other devices connected to the same network, looking for second-screen devices to cast. Any device on the local netwo

Capping off a busy week of charges and sanctions  against Iranian hackers, a new research offers insight into what's a six-year-long ongoing surveillance campaign targeting Iranian expats and dissidents with an intention to pilfer sensitive information. The threat actor, suspected to be of Iranian origin, is said to have orchestrated the campaign with at least two different moving parts — one for Windows and the other for Android — using a wide arsenal of intrusion tools in the form of info stealers and backdoors designed to steal personal documents, passwords, Telegram messages, and two-factor authentication codes from SMS messages. Calling the operation " Rampant Kitten ," cybersecurity firm Check Point Research said the suite of malware tools had been mainly used against Iranian minorities, anti-regime organizations, and resistance movements such as the Association of Families of Camp Ashraf and Liberty Residents (AFALR), Azerbaijan National Resistance Organization

The U.S. government on Thursday imposed  sweeping sanctions  against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group  APT39  (aka Chafer or Remix Kitten), Iranian cyber espionage hacking collective active since 2014 known for its attacks on companies in the U.S. and the Middle East with an aim to pilfer personal information and advance Iran's national security objectives. To that effect, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been implicated in the sanctions, which also prohibit U

After a long wait and months of beta testing, Google last week finally released Android 11 , the latest version of the Android mobile operating system—with features offering billions of its users more control over their data security and privacy. Android security is always a hot topic and almost always for the wrong reason, including Google's failure to prevent malicious apps from being distributed through the Play Store, over-claim of permissions by apps, and privacy leakages. Though most of such issues can be avoided as long as users take advantage of already available features and a little common sense, most users are still not aware of or following basic security practices. According to Google's latest announcement, the latest Android 11 OS includes a few new built-in measures designed to keep users' data secure by default, increase transparency, and offer better control. Instead of diving deep into smaller or more extensive changes, we have summarized some critica

Did you ever try extracting any information from any website? Well, if you have then you have surely enacted web scraping functions without even knowing it! To put in simpler terms, Web scraping, or also known as web data extraction, is the process of recouping or sweeping data from web-pages. It is a much faster and easier process of retrieving data without undergoing the time-consuming hassle of manual data extraction methods. Web scraping uses advanced automatic tools to reclaim data from millions and billions of websites. The Basics of Web Scraping First, some common terms you'll need to know: The Crawler: The web crawler or popularly known as a 'spider,' is an automated website scraping tool that skims through the internet for information. The spider usually surfs the internet and follows links, and explores various web pages to gather or "scrape" up any information. The Scraper: A scraper or web scraper is a comprehensive website scraper

Immediately after revealing criminal charges against 5 Chinese and 2 Malaysian hackers , the United States government yesterday also made two separate announcements charging two Iranian and two Russian hackers and added them to the FBI's most-wanted list. The two Russian nationals—Danil Potekhin and Dmitrii Karasavidi—are accused of stealing $16.8 million worth of cryptocurrencies in a series of phishing attacks throughout 2017 and 2018. "This tactic used a combination of phishing and spoofing to exploit Internet users' trust in known companies and organizations to fraudulently obtain their login credentials, including email addresses, password information, and other personal information," the DoJ said . In addition to the criminal charges, the U.S. Department of the Treasury has also sanctioned both Russian hackers , freezing all their assets under U.S. jurisdiction and banning them from doing business with Americans. "Karasavidi laundered the proceeds

The United States government today announced charges against 5 alleged members of a Chinese state-sponsored hacking group and 2 Malaysian hackers that are responsible for hacking more than 100 companies throughout the world. Named as APT41 and also known as 'Barium,' 'Winnti, 'Wicked Panda,' and 'Wicked Spider,' the cyber-espionage group has been operating since at least 2012 and is not just involved in strategic intelligence collection from valuable targets in many sectors, but also behind financially motivated attacks against online gaming industry. According to a press release published by the U.S. Justice Department, two of the five Chinese hackers—Zhang Haoran (张浩然) and Tan Dailin (谭戴林)—were charged back in August 2019, and the other three of them—Jiang Lizhi (蒋立志), Qian Chuan (钱川) and Fu Qiang (付强)—and two Malaysian co-conspirators were in separate indictments in August 2020. The later indicted three Chinese hackers are associated with a netw

The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected computer for a widespread "cyber-assault" that affected over 1,400 websites with pro-Iranian and pro-Palestinian messages. "The hackers victimized innocent third parties in a campaign to retaliate for the military action that killed Soleimani, a man behind countless acts of terror against Americans and others that the Iranian regime opposed," said Assistant Attorney General for National Security John C. Demers in a statement. The defendants, from Iran and Palestine, respectively, are now wanted by the US authorities and are no longer free to travel outside their countries wi

Most cybersecurity professionals fully anticipated that cybercriminals would leverage the fear and confusion surrounding the Covid-19 pandemic in their cyberattacks. Of course, malicious emails would contain subjects relating to Covid-19, and malicious downloads would be Covid-19 related. This is how cybercriminals operate. Any opportunity to maximize effectiveness, no matter how contemptible, is taken. While many have anecdotally suggested ways in which Covid-19 related cyberattacks would unfold, we have little data supporting the actual impact of Covid-19 on cybersecurity. Several have reported that the number of malicious emails with the subject related to Covid-19 has grown several hundred percent and that the majority of Covid-19 related emails are now malicious. Beyond the anticipated increase in Covid-19 related malicious emails, videos, and an array of downloadable files, which we all anticipated, what else is going on behind the scenes? Interestingly, cybersecurity