The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as  Volt Typhoon  had been embedded into some critical infrastructure networks in the country for at least five years. Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam. "Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," the U.S. government  said . The joint advisory, which was released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), was also backed by other nations that are part of the Five Eyes (FVEY) intelligence all

If you've listened to software vendors in the identity space lately, you will have noticed that "unified" has quickly become the buzzword that everyone is adopting to describe their portfolio. And this is great! Unified identity has some amazing benefits!  However (there is always a however, right?) not every "unified" "identity" "security" "platform" is made equal. Some vendors call the combination of workforce IDaaS and customer IDaaS a unified identity solution, while others offer a glorified 2FA service – unified only in the mind of their marketers.  Your landscape matters!   So forget for a moment what the vendors claim, and think back to  your  organization and  your   identity security  landscape. Consider this new definition: "unified" is what has the ability to consolidate your identity challenges with a complete identity solution.  Here's an example: you're responsible for the identity infrastructure of a large hospital. Frontline workers, administrative employees, a

How's your vulnerability management program doing? Is it effective? A success? Let's be honest, without the right metrics or analytics, how can you tell how well you're doing, progressing, or if you're getting ROI? If you're not measuring, how do you know it's working? And even if you are measuring, faulty reporting or focusing on the wrong metrics can create blind spots and make it harder to communicate any risks to the rest of the business. So how do you know what to focus on? Cyber hygiene, scan coverage, average time to fix, vulnerability severity, remediation rates, vulnerability exposure… the list is endless. Every tool on the market offers different metrics, so it can be hard to know what is important. This article will help you identify and define the key metrics that you need to track the state of your vulnerability management program, the progress you've made, so you can create audit-ready reports that: Prove your security posture Meet vulnerability remediation SLAs an

The threat actors behind a loader malware called  HijackLoader  have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling. "The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe," CrowdStrike researchers Donato Onofri and Emanuele Calvelli  said  in a Wednesday analysis. "This new approach has the potential to make defense evasion stealthier." HijackLoader was  first documented  by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It's also known to share a high degree of similarity with another loader known as IDAT Loader. Both the loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been  propagated  via ClearFake and put to

Google has unveiled a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read one-time passwords and gather sensitive data. "This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive runtime permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps or file managers)," the company  said . The feature is designed to examine the permissions declared by a third-party app in real-time and look for those that seek to gain access to sensitive permissions associated with reading SMS messages, deciphering or dismissing notifications from legitimate apps, and accessibility services that have been  routinely   abused  by Android-based malware for  extracting valuable information . As part of the test, users in Singapore who attempt to sideload such apps

The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called  Troll Stealer . The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W  said  in a new technical report. Troll Stealer's links to Kimsuky stem from its similarities to known malware families, such as AppleSeed and AlphaSeed malware that have been attributed to the group. Kimsuky, also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is well known for its propensity to steal sensitive, confidential information in offensive cyber operations. In late November 2023, the threat actors were  sanctioned  by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) for gathering intelligence to further North

Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices. The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks. All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user. "If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts," Cisco  said  about CVE-2024-20252 and CVE-2024-20254. On the other hand, successful exploitatio

The threat actors behind the  KV-botnet  made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity. KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including  Volt Typhoon  (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda). Active since at least February 2022, it was  first documented  by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance. Late last month, the U.S. government  announced  a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets c

The maintainers of shim have released  version 15.8  to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances. Tracked as  CVE-2023-40547  (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been  credited  with discovering and reporting the bug. Major Linux distributions that use shim such as Debian , Red Hat , SUSE , and Ubuntu have all released advisories for the security flaw. "The shim's http boot support (httpboot.c) trusts attacker-controlled values when parsing an HTTP response, leading to a completely controlled out-of-bounds write primitive," Oracle's Alan Coopersmith  noted  in a message shared on the Open Source Security mailing list oss-security. Demirkapi, in a  post  shared on X (formerly Twitter) late last month, said the vulnerability "exists in every Linux bo

2024 will be the year of the vCISO. An incredible 45% of MSPs and MSSPs are  planning to start offering  vCISO services in 2024. As an MSP/MSSP providing vCISO services, you own the organization's cybersecurity infrastructure and strategy. But you also need to position yourself as a reliable decision-maker, navigating professional responsibilities, business needs and leadership requirements. A  new webinar by Cynomi , vCISO platform leader, hosting CISO and vCISO veteran Jesse Miller from PowerPSA Consulting, provides MSPs and MSSPs with an effective 100-day plan to build themselves up for success. The webinar provides a tangible five-step 100-day action plan that any MSP/MSSP can follow when they engage with a new vCISO client. It also provides guidance on vCISO goals and pitfalls to avoid. By watching the webinar, you can position yourself as a strategic and long-term partner for your clients. They will see you as capable of driving security transformation and managing security con

A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the  Pall Mall Process , aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by establishing guiding principles and policy options for States, industry, and civil society in relation to the development, facilitation, purchase, and use of such tools. The declaration stated that "uncontrolled dissemination" of spyware offerings contributes to "unintentional escalation in cyberspace," noting it poses risks to cyber stability, human rights, national security, and digital security. "Where these tools are used maliciously, attacks can access victims' devices, listen to calls, obtain photos and remotely operate a camera and microphone via 'zero-click&

Chinese state-backed hackers broke into a computer network that's used by the Dutch armed forces by targeting Fortinet FortiGate devices. "This [computer network] was used for unclassified research and development (R&D)," the Dutch Military Intelligence and Security Service (MIVD)  said  in a statement. "Because this system was self-contained, it did not lead to any damage to the defense network." The network had less than 50 users. The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN ( CVE-2022-42475 , CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests. Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed  COATHANGER  from an actor-controlled server that's designed to grant persistent remote access to the compromised appliances. "The COATHANGER malware is stealthy and persistent," the Dutch N

JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances. The vulnerability, tracked as  CVE-2024-23917 , carries a CVSS rating of 9.8 out of 10, indicative of its severity. "The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server," the company  said . The issue impacts all TeamCity On-Premises versions from 2017.1 through 2023.11.2. It has been addressed in version 2023.11.3. An unnamed external security researcher has been credited with discovering and reporting the flaw on January 19, 2024. Users who are unable to update their servers to version 2023.11.3 can alternately download a security patch plugin to apply fixes for the flaw. "If your server is publicly acce

Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed  Ov3r_Stealer . "This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors," Trustwave SpiderLabs said in a report shared with The Hacker News. Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host. While the exact end goal of the campaign is unknown, it's likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r_Stealer could be updated over time to act as a  QakBot-like loader  for additional payloads, including ransomware. The starting point of the attack is a weapo

Three new security vulnerabilities have been discovered in Azure HDInsight's Apache  Hadoop ,  Kafka , and  Spark  services that could be exploited to achieve privilege escalation and a regular expression denial-of-service ( ReDoS ) condition. "The new vulnerabilities affect any authenticated user of Azure HDInsight services such as Apache Ambari and Apache Oozie," Orca security researcher Lidor Ben Shitrit  said  in a technical report shared with The Hacker News. The list of flaws is as follows - CVE-2023-36419  (CVSS score: 8.8) - Azure HDInsight Apache Oozie Workflow Scheduler XML External Entity (XXE) Injection Elevation of Privilege Vulnerability CVE-2023-38156  (CVSS score: 7.2) - Azure HDInsight Apache Ambari Java Database Connectivity (JDBC) Injection Elevation of Privilege Vulnerability Azure HDInsight Apache Oozie Regular Expression Denial-of-Service (ReDoS) Vulnerability (no CVE) The two privilege escalation flaws could be exploited by an authenticate

SaaS applications are the darlings of the software world. They enable work from anywhere, facilitate collaboration, and offer a cost-effective alternative to owning the software outright. At the same time, the very features that make SaaS apps so embraced – access from anywhere and collaboration – can also be exploited by threat actors. Recently, Adaptive Shield commissioned a Total Economic Impact™ (TEI) study conducted by Forrester Consulting. The study demonstrates the impactful ROI achieved by a multimedia company with an annual revenue of $10 billion. While the quantitative ROI is significant, at 201%, the qualitative security ROI improvements were substantial.  Figure 1: Summary of the TEI Study In this article, we'll examine the study's findings of how Adaptive Shield's SaaS Security Posture Management (SSPM) platform impacted this global enterprise.  Learn how a $10B media firm dramatically improved their security posture with SSPM The Organization's Top SaaS Challenges