#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

Mar 04, 2024 Cybercrime / Mobile Security
Cybercriminals are using a network of hired money mules in India using an Android-based application to orchestrate a massive money laundering scheme. The malicious application, called  XHelper , is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel  said  in a report. Details about the scam  first emerged  in late October 2023, when Chinese cyber criminals were found to take advantage of the fact that Indian Unified Payments Interface (UPI) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan. The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts. "Central to this operation are Chinese payment gateways expl
From 500 to 5000 Employees - Securing 3rd Party App-Usage in Mid-Market Companies

From 500 to 5000 Employees - Securing 3rd Party App-Usage in Mid-Market Companies

Mar 04, 2024 SaaS Security / Vulnerability Assessment
A company's lifecycle stage, size, and state have a significant impact on its security needs, policies, and priorities. This is particularly true for modern mid-market companies that are either experiencing or have experienced rapid growth. As requirements and tasks continue to accumulate and malicious actors remain active around the clock, budgets are often stagnant at best. Yet, it is crucial to keep track of the tools and solutions that employees are introducing, the data and know-how shared through these tools, and to ensure that these processes are secure. This need is even more pronounced in today's dynamic and interconnected world, where third-party applications and solutions can be easily accessed and onboarded. The potential damage of losing control over the numerous applications with access and permissions to your data requires no explanation. Security leaders in mid-market companies face a unique set of challenges that demand a distinct approach to overcome.  To begin
6 Ways to Simplify SaaS Identity Governance

6 Ways to Simplify SaaS Identity Governance

Feb 21, 2024SaaS Security / Identity Management
With SaaS applications now making up the vast majority of technology used by employees in most organizations, tasks related to identity governance need to happen across a myriad of individual SaaS apps. This presents a huge challenge for centralized IT teams who are ultimately held responsible for managing and securing app access, but can't possibly become experts in the nuances of the native security settings and access controls for hundreds (or thousands) of apps. And, even if they could, the sheer volume of tasks would easily bury them. Modern IT teams need a way to orchestrate and govern SaaS identity governance by engaging the application owners in the business who are most familiar with how the tool is used, and who needs what type of access.  Nudge Security is a  SaaS security and governance solution  that can help you do just that, with automated workflows to save time and make the process manageable at scale. Read on to learn how it works. 1 . Discover all SaaS apps used b
Over 100 Malicious AI/ML Models Found on Hugging Face Platform

Over 100 Malicious AI/ML Models Found on Hugging Face Platform

Mar 04, 2024 AI Security / Vulnerability
As many as 100 malicious artificial intelligence (AI)/machine learning (ML) models have been discovered in the Hugging Face platform. These include instances where loading a  pickle file  leads to code execution, software supply chain security firm JFrog said. "The model's payload grants the attacker a shell on the compromised machine, enabling them to gain full control over victims' machines through what is commonly referred to as a 'backdoor,'" senior security researcher David Cohen  said . "This silent infiltration could potentially grant access to critical internal systems and pave the way for large-scale data breaches or even corporate espionage, impacting not just individual users but potentially entire organizations across the globe, all while leaving victims utterly unaware of their compromised state." Specifically, the rogue model initiates a reverse shell connection to 210.117.212[.]93, an IP address that belongs to the Korea Research
cyber security

NIST Cybersecurity Framework: Your Go-To Cybersecurity Standard is Changing

websiteArmorPointCybersecurity / Risk Management
Find everything you need to know to prepare for NIST CSF 2.0's impending release in this guide.
Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

Mar 04, 2024 Malware / Cyber Attack
U.S. cybersecurity and intelligence agencies have warned of  Phobos ransomware  attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware. "Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars," the government  said . The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos  revealed  that the threat actors behind the 8B
U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp

U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp

Mar 02, 2024 Spyware / Privacy
A U.S. judge has ordered NSO Group to hand over its source code for  Pegasus  and other remote access trojans to Meta as part of the social media giant's ongoing litigation against the Israeli spyware vendor. The decision marks a major legal victory for Meta, which  filed the lawsuit  in October 2019 for using its infrastructure to  distribute the spyware  to approximately 1,400 mobile devices between April and May. This also  included  two dozen Indian activists and journalists. These attacks leveraged a then zero-day flaw in the instant messaging app ( CVE-2019-3568 , CVSS score: 9.8), a critical  buffer overflow bug  in the voice call functionality, to deliver Pegasus by merely placing a call, even in scenarios where the calls were left unanswered. In addition, the attack chain included steps to erase the incoming call information from the logs in an attempt to sidestep detection. Court documents released late last month show that NSO Group has been asked to "produce
U.S. Charges Iranian Hacker, Offers $10 Million Reward for Capture

U.S. Charges Iranian Hacker, Offers $10 Million Reward for Capture

Mar 02, 2024 Cybercrime / Social Engineering
The U.S. Department of Justice (DoJ) on Friday unsealed an indictment against an Iranian national for his alleged involvement in a multi-year cyber-enabled campaign designed to compromise U.S. governmental and private entities. More than a dozen entities are said to have been targeted, including the U.S. Departments of the Treasury and State, defense contractors that support U.S. Department of Defense programs, and an accounting firm and a hospitality company, both based in New York. Alireza Shafie Nasab, 39, claimed to be a cybersecurity specialist for a company named Mahak Rayan Afraz while participating in a persistent campaign targeting the U.S. from at least in or about 2016 through or about April 2021. "As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear-phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information,"  said  U.S. Attorney Damian Williams for the So
New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

Mar 01, 2024 Phishing Kit / Cryptocurrency
A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster codenamed CryptoChameleon that's designed to primarily target mobile devices. "This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States," Lookout  said  in a report. Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date. The phishing pages are designed such that the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing automa
4 Instructive Postmortems on Data Downtime and Loss

4 Instructive Postmortems on Data Downtime and Loss

Mar 01, 2024 Data Security / Disaster Recovery
More than a decade ago, the concept of the  'blameless'  postmortem changed how tech companies recognize failures at scale. John Allspaw, who coined the term during his tenure at Etsy, argued postmortems were all about controlling our natural reaction to an incident, which is to point fingers: "One option is to assume the single cause is incompetence and scream at engineers to make them 'pay attention!' or 'be more careful!' Another option is to take a hard look at how the accident actually happened, treat the engineers involved with respect, and learn from the event." What can we, in turn, learn from some of the most honest and blameless—and public—postmortems of the last few years? GitLab: 300GB of user data gone in seconds What happened : Back in 2017, GitLab experienced a painful 18-hour outage. That story, and GitLab's subsequent honesty and transparency, has significantly impacted how organizations handle data security today. The incident began when GitLab's secondary datab
New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion

New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion

Mar 01, 2024 Linux / Cyber Threat
Cybersecurity researchers have discovered a new Linux variant of a remote access trojan (RAT) called BIFROSE (aka Bifrost) that uses a deceptive domain mimicking VMware. "This latest version of Bifrost aims to bypass security measures and compromise targeted systems," Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma  said . BIFROSE  is one of the long-standing threats that has been active since 2004. It has been offered for sale in underground forums for up to $10,000 in the past, according to a  report  from Trend Micro in December 2015. The malware has been put to use by a state-backed hacking group from China tracked as  BlackTech  (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.Overboard), which has a history of striking organizations in Japan, Taiwan, and the U.S. It's suspected that the threat actor purchased the source code or gained access to it around 2010, and repurposed the malware for use in its own
Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

Mar 01, 2024 Rootkit / Threat Intelligence
The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security. "Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets," the agencies  said . To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware - CVE-2023-46805  (CVSS score: 8.2) - Authentication bypass vulnerability in web component CVE-2024-21887  (CVSS score: 9.1) - Command injection vulnerability in web component CVE-2024-21888  (CVSS score: 8.8) - Privilege escalation vulnerability in web component CVE-2024-21893  (CVSS score: 8
GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories

GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories

Mar 01, 2024 DevSecOps / Cybersecurity
GitHub on Thursday announced that it's enabling secret scanning push protection by default for all pushes to public repositories. "This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block," Eric Tooley and Courtney Claessens  said . Push protection  was  first piloted  as an opt-in feature in August 2023, although it has been under testing since April 2022. It became  generally available  in May 2023. The  secret scanning  feature is designed to identify over  200 token types  and patterns from more than 180 service providers in order to prevent their fraudulent use by malicious actors.  The development comes nearly five months after the Microsoft subsidiary  expanded  secret scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack. It also follows the discovery of an ongoi
New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

Feb 29, 2024 Threat Intelligence / Cyber Threat
Cybersecurity researchers have disclosed a new attack technique called  Silver SAML  that can be successful even in cases where mitigations have been applied against Golden SAML attacks. Silver SAML "enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce," Semperis researchers Tomer Nahum and Eric Woodruff  said  in a report shared with The Hacker News. Golden SAML (short for  Security Assertion Markup Language ) was  first documented  by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization. It's also similar to the  Golden Ticket attack  in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner. "Golden SAML introduces to a fed
GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

Feb 29, 2024 Linux / Network Security
Threat hunters have discovered a new Linux malware called  GTPDOOR  that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges ( GRX ) The  malware  is novel in the fact that it leverages the GPRS Tunnelling Protocol ( GTP ) for command-and-control (C2) communications. GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network ( PLMN ). Security researcher haxrob, who discovered two  GTPDOOR   artifacts  uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as  LightBasin  (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata. "When run, the f
Cybersecurity Resources