#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Google Introduces Project Naptime for AI-Powered Vulnerability Research

Google Introduces Project Naptime for AI-Powered Vulnerability Research

Jun 24, 2024 Vulnerability / Artificial Intelligence
Google has developed a new framework called Project Naptime that it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches. "The Naptime architecture is centered around the interaction between an AI agent and a target codebase," Google Project Zero researchers Sergei Glazunov and Mark Brand said . "The agent is provided with a set of specialized tools designed to mimic the workflow of a human security researcher." The initiative is so named for the fact that it allows humans to "take regular naps" while it assists with vulnerability research and automating variant analysis. The approach, at its core, seeks to take advantage of advances in code comprehension and general reasoning ability of LLMs, thus allowing them to replicate human behavior when it comes to identifying and demonstrating security vulnerabilities. It encompasses several components such as a Code Browser tool
Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

Jun 24, 2024 Artificial Intelligence / Cloud Security
Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032 , the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version 0.1.34 released on May 7, 2024. Ollama is a service for packaging, deploying, running large language models (LLMs) locally on Windows, Linux, and macOS devices. At its core, the issue relates to a case of insufficient input validation that results in a path traversal flaw an attacker could exploit to overwrite arbitrary files on the server and ultimately lead to remote code execution. The shortcoming requires the threat actor to send specially crafted HTTP requests to the Ollama API server for successful exploitation. It specifically takes advantage of the API endpoint "/api/pull&qu
Why Regulated Industries are Turning to Military-Grade Cyber Defenses

Why Regulated Industries are Turning to Military-Grade Cyber Defenses

Jun 14, 2024Cybersecurity / Regulatory Compliance
As cyber threats loom large and data breaches continue to pose increasingly significant risks. Organizations and industries that handle sensitive information and valuable assets make prime targets for cybercriminals seeking financial gain or strategic advantage.  Which is why many highly regulated sectors, from finance to utilities, are turning to military-grade cyber defenses to safeguard their operations. Regulatory Pressures Impacting Cyber Decisions Industries such as finance, healthcare, and government are subject to strict regulatory standards, governing data privacy, security, and compliance. Non-compliance with these regulations can result in severe penalties, legal repercussions, and damage to reputation. To meet regulatory requirements and mitigate the ever-increasing risk, organizations are shifting to adopt more robust cybersecurity measures. Understanding the Increase of Threats Attacks on regulated industries have increased dramatically over the past 5 years, with o
Ease the Burden with AI-Driven Threat Intelligence Reporting

Ease the Burden with AI-Driven Threat Intelligence Reporting

Jun 24, 2024 Threat Intelligence / Cybersecurity
Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill's threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk.  Cybersecurity professionals are facing unprecedented challenges as they strive to manage increasing workloads amidst limited budgets, inadequate staffing, and growing attack surfaces. Research indicates that a majority of these professionals find their jobs more difficult than ever, and a significant number are contemplating leaving their current positions due to the stress and demands of the role. The value of cyber threat intelligence (CTI) in anticipating and mitigating potential attacks is widely recognized. However, security teams face several challenges in effectively utilizing CTI insights, which can turn a powerful cyber defense weapon into an additional burden that security professionals must cont
cyber security

Join the Live Session: How to Automate SOC 2 & ISO 27001 Compliance

websiteVantaCompliance / Risk Management
Learn about the in-demand frameworks and how Vanta's automation can help you quickly achieve compliance.
RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations

RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations

Jun 24, 2024 Cyber Espionage / Hacking
A likely China-linked state-sponsored threat actor has been linked to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan between November 2023 and April 2024. Recorded Future's Insikt Group is tracking the activity under the name RedJuliett , describing it as a cluster that operates Fuzhou, China, to support Beijing's intelligence collection goals related to the East Asian country. It's also tracked under the names Flax Typhoon and Ethereal Panda . Among other countries targeted by the adversarial collective include Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S. In all, as many as 24 victim organizations have been observed communicating with the threat actor infrastructure, including government agencies in Taiwan, Laos, Kenya, and Rwanda. It's also estimated to have targeted at least 75 Taiwanese entities for broader reconnaissance and follow-on exploitation.
Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Jun 24, 2024 Mobile Security / Threat Intelligence
Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps. "It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week. It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware. The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads. The campaign, which took place in April 2024, is said to have utilized military-them
ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

Jun 22, 2024 Cyber Espionage / Threat Intelligence
Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed. "ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang ," Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report published this week. "Cobalt attacked financial institutions to steal funds. One of Cobalt's hallmarks was the use of the CobInt tool , something ExCobalt began to use in 2022." Attacks mounted by the threat actor have singled out various sectors in Russia over the past year, including government, information technology, metallurgy, mining, software development, and telecommunications. Initial access to environments is facilitated by taking advantage of a previously compromised contractor and a supply chain attack, wherein the adversary infected a component used to bu
Warning: New Adware Campaign Targets Meta Quest App Seekers

Warning: New Adware Campaign Targets Meta Quest App Seekers

Jun 22, 2024 Phishing Attack / Adware
A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust. "The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month. "These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators." The initial infection chain involves surfacing the bogus website ("oculus-app[.]com") on Google search results pages using search engine optimization (SEO) poisoning techniques, prompting unsuspecting site visitors to download a ZIP archive ("oculus-app.EXE.zip") containing a Windows batch script. The batch script is designed to fetch a second batch script from a command-and-control (C2) se
U.S. Treasury Sanctions 12 Kaspersky Executives Amid Software Ban

U.S. Treasury Sanctions 12 Kaspersky Executives Amid Software Ban

Jun 22, 2024 National Security / Cyber Espionage
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions against a dozen individuals serving executive and senior leadership roles at Kaspersky Lab, a day after the Russian company was banned by the Commerce Department. The move "underscores our commitment to ensure the integrity of our cyber domain and to protect our citizens against malicious cyber threats," Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, said. "The United States will take action where necessary to hold accountable those who would seek to facilitate or otherwise enable these activities." The sanctions, however, do not extend to Kaspersky Lab, its parent or subsidiary companies, nor the company's founder and chief executive officer (CEO), Eugene Kaspersky, OFAC noted. The 12 C-suite and senior-level executives sanctioned are listed below - Andrei Gennadyevich Tikhonov, Chief Operating Officer (COO) and
Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign

Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign

Jun 21, 2024 Malware / Threat Intelligence
A previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia and EMEA (Europe, Middle East, and Africa) with SugarGh0st malware since at least August 2023. "SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries' Ministries of Foreign Affairs or embassies," Cisco Talos researchers Chetan Raghuprasad and Ashley Shen said in an analysis published today. Activities related to the hacking crew were first highlighted by the cybersecurity company in late November 2023 in connection with an attack campaign that singled out South Korea and Uzbekistan with a custom variant of Gh0st RAT called SugarGh0st . A subsequent analysis from Proofpoint last month uncovered the use of SugarGh0st RAT against U.S. organizations involved in artificial intelligence efforts, including those in academia, private indust
Military-themed Email Scam Spreads Malware to Infect Pakistani Users

Military-themed Email Scam Spreads Malware to Infect Pakistani Users

Jun 21, 2024 Phishing Attack / Email Security
Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor. Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence. "While there are many methods used today to deploy malware, the threat actors made use of ZIP files with a password-protected payload archive contained within," researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. The campaign is notable for its lack of sophistication and the use of simple payloads to achieve remote access to target machines. The email messages come bearing a ZIP archive that purports to be meeting minutes related to the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. It's set to be held in Moscow in mid
How to Use Tines's SOC Automation Capability Matrix

How to Use Tines's SOC Automation Capability Matrix

Jun 21, 2024 SOC Automation / Security Operation
Created by John Tuckner and the team at automation and AI-powered workflow platform  Tines , the  SOC Automation Capability Matrix (SOC ACM)  is a set of techniques designed to help security operations teams understand their automation capabilities and respond more effectively to incidents.  A customizable, vendor-agnostic tool featuring lists of automation opportunities, it's been shared and recommended by members of the security community since its launch in January 2023, notably by Airbnb engineer Allyn Stott in his BSides and Black Hat talk,  How I Learned to Stop Worrying and Build a Modern Detection & Response Program .   The SOC ACM has been compared to the MITRE ATT&CK and RE&CT frameworks, with one user saying, "it could be a standard for classification of SOAR automations, a bit like the RE&CT framework, but with more automation focus." It's been used by organizations in Fintech, Cloud Security, and beyond, as a basis for assessing and optimizing
Oyster Backdoor Spreading via Trojanized Popular Software Downloads

Oyster Backdoor Spreading via Trojanized Popular Software Downloads

Jun 21, 2024 Malware / Malvertising
A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader). That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing. The threat actors are luring unsuspecting users to fake websites purporting to contain legitimate software. But attempting to download the setup binary launches a malware infection chain instead. Specifically, the executable serves as a pathway for a backdoor called Oyster, which is capable of gathering information about the compromised host, communicating with a hard-coded command-and-control (C2) address, and supporting remote code execution. While Oyster has been observed in the past being delivered by means of a dedicated loader component known as Broomstick Loader (aka Oyster Instal
SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

Jun 21, 2024 Vulnerability / Data Protection
A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild. The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine. Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month. The list of products susceptible to CVE-2024-28995 is below - Serv-U FTP Server 15.4 Serv-U Gateway 15.4 Serv-U MFT Server 15.4, and Serv-U File Server 15.4 Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available. Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit
U.S. Bans Kaspersky Software, Citing National Security Risks

U.S. Bans Kaspersky Software, Citing National Security Risks

Jun 21, 2024 Software Security / Threat Intelligence
The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country. The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on the fact that its operations in the U.S. posed a national security risk. News of the ban was first reported by Reuters. "The company's continued operations in the United States presented a national security risk — due to the Russian Government's offensive cyber capabilities and capacity to influence or direct Kaspersky's operations — that could not be addressed through mitigation measures short of a total prohibition," the BIS said . It further said Kaspersky is subject to the jurisdiction and control of the Russian government and that its software pro
Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

Jun 20, 2024 Firmware Security / Vulnerability
Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code. "The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime," supply chain security firm Eclypsium said in a report shared with The Hacker News. "This type of low-level exploitation is typical of firmware backdoors (e.g., BlackLotus ) that are increasingly observed in the wild. Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in
French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks

French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks

Jun 20, 2024 Cyber Espionage / Hacking News
State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country's information security agency ANSSI said in an advisory. The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard (formerly Nobelium), which overlaps with activity tracked as APT29 , BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes. While the monikers APT29 and Midnight Blizzard have been interchangeably used to refer to intrusion sets associated with the Russian Foreign Intelligence Service (SVR), ANSSI said it prefers to treat them as disparate threat clusters alongside a third one dubbed Dark Halo , which has been held responsible for the 2020 supply chain attack via SolarWinds software. "Nobelium is characterized by the use of specific codes, tactics, techniques, and procedures. Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to dipl
Expert Insights
Cybersecurity Resources