#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Backdoor | Breaking Cybersecurity News | The Hacker News

Category — Backdoor
Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

Aug 20, 2024 Vulnerability / Threat Intelligence
A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are presently unknown as are the objectives behind the attack. The initial access vector that likely facilitated the deployment of Msupedge is said to involve the exploitation of a recently disclosed critical flaw impacting PHP ( CVE-2024-4577 , CVSS score: 9.8), which could be used to achieve remote code execution . The backdoor in question is a dynamic-link library (DLL) that's installed in the paths "csidl_drive_fixed\xampp\" and "csidl_system\wbem\." One of the DLLs, wuplog.dll, is launched by the Apache HTTP server (httpd). The parent process for the second ...
Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites

Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites

Apr 06, 2024 Skimmer / Threat Intelligence
Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages  CVE-2024-20720  (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was  addressed  by the company as part of security updates released on February 13, 2024. Sansec said it discovered a "cleverly crafted layout template in the database" that's being used to automatically inject malicious code to execute arbitrary commands. "Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands," the company  said . "Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested." The command in question is  sed , which is used to insert a code execution ...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

Mar 30, 2024 Linux / Supply Chain Attack
Red Hat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called  XZ Utils  (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access. The software supply chain compromise, tracked as  CVE-2024-3094 , has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9). "Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code," the IBM subsidiary  said  in an advisory. "This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library." Specifically, the nefarious code baked into the code is  designed...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics

Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics

Sep 23, 2023 Cyber Espionage / Malware
Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed  Deadglyph  employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign. "Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET  said  in a  new report  shared with The Hacker News. "This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize." It's also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making it a lot more challenging to navigate and debug. Unlike other traditional backdoors of its kind, the commands are received from an actor-controlled server in the form of...
Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor

Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor

Apr 25, 2023 Cyber Threat / PowerShell
An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a Windows backdoor called PowerLess . Cybersecurity firm Check Point is tracking the activity cluster under its mythical creature handle  Educated Manticore , which exhibits "strong overlaps" with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. "Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains," the Israeli company  said  in a technical report published today. Active since at least 2011, APT35 has cast a  wide net of targets  by leveraging  fake social media personas ,  spear-phishing techniques , and  N-day vulnerabilities in internet-exposed applications  to gain initial access and drop vario...
Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers

Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers

Mar 23, 2023 Critical Infrastructure Security
Telecommunication providers in the Middle East are the subject of new cyber attacks that commenced in the first quarter of 2023. The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed  Operation Soft Cell  based on tooling overlaps. "The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy web shells used for command execution," researchers from SentinelOne and QGroup said in a  new technical report  shared with The Hacker News. "Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities." Operation Soft Cell, according to  Cybereason , refers to malicious activities undertaken by China-affiliated actors targeting telecommunications providers since at least 2012. The Soft Cell threat actor, also tracked by Microsoft as  Gallium , is known to target unpa...
Chinese Hackers Targeting European Entities with New MQsTTang Backdoor

Chinese Hackers Targeting European Entities with New MQsTTang Backdoor

Mar 03, 2023 Threat Intelligence / Cyber Attack
The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called  MQsTTang  as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr  said  in a new report. Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of  Russia's full-scale invasion of Ukraine  last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group's previous campaigns that target European political organizations. That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating a broader focus on Europe and Asia. Mustang Panda has a  history ...
Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo

Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo

Sep 30, 2022
An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments. Broadcom's Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name  Witchetty , which is also known as  LookingFrog , a subgroup operating under the TA410 umbrella. Intrusions involving TA410 – which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) – primarily feature a modular implant called LookBack. Symantec's latest analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of another backdoor dubbed Stegmap. The new malware leverages  steganography  – a technique used to embed a message (in this case, malware) in a n...
Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks

Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks

Feb 01, 2022
An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor , according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or  TA453 ), while also calling out the backdoor's evasive PowerShell execution. "The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason,  said . "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy." The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversa...
Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor

Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor

Jan 13, 2022
An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed " CharmPower " for follow-on post-exploitation. "The actor's attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous infrastructure, which made the attack easier to detect and attribute," researchers from Check Point  said  in a report published this week. The Israeli cybersecurity company linked the attack to a group known as  APT35 , which is also tracked using the codenames Charming Kitten, Phosphorus, and TA453, citing overlaps with toolsets previously identified as infrastructure used by the threat actor. Log4Shell  aka CVE-2021-44228 (CVSS score: 10.0) concerns a critical security vulnerability in the popular Log4j logging library that, if successfully exploite...
Experts Discover Backdoor Deployed on the U.S. Federal Agency's Network

Experts Discover Backdoor Deployed on the U.S. Federal Agency's Network

Dec 20, 2021
A U.S. federal government commission associated with international rights has been targeted by a backdoor that reportedly compromised its internal network in what the researchers described as a "classic APT-type operation."  "This attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply," Czech security company Avast  said  in a report published last week. The name of the federal entity was not disclosed, but reports from  Ars Technica  and  The Record  tied it to the U.S. Commission on International Religious Freedom ( USCIRF ). Avast said it was making its findings public after unsuccessful attempts to directly notify the agency about the intrusion and through other channels put in place by the U.S. government. At this stage, only "parts of the attack puzzle" have been uncovered, leaving the door open ...
New EwDoor Botnet Targeting Unpatched AT&T Network Edge Devices

New EwDoor Botnet Targeting Unpatched AT&T Network Edge Devices

Dec 01, 2021
A newly discovered botnet capable of staging distributed denial-of-service (DDoS) attacks targeted unpatched Ribbon Communications (formerly Edgewater Networks) EdgeMarc appliances belonging to telecom service provider AT&T by exploiting a four-year-old flaw in the network appliances. Chinese tech giant Qihoo 360's Netlab network security division, which detected the botnet first on October 27, 2021, called it  EwDoor , noting it observed 5,700 compromised IP addresses located in the U.S. during a brief three-hour window. "So far, the EwDoor in our view has undergone three versions of updates, and its main functions can be summarized into two main categories of DDoS attacks and backdoor," the researchers  noted . "Based on the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs." Propagating through a flaw in EdgeMarc devices, EwDoor supports a...
Researchers Uncover FIN8's New Backdoor Targeting Financial Institutions

Researchers Uncover FIN8's New Backdoor Targeting Financial Institutions

Aug 25, 2021
A financially motivated threat actor notorious for setting its sights on retail, hospitality, and entertainment industries has been observed deploying a completely new backdoor on infected systems, indicating the operators are continuously retooling their malware arsenal to avoid detection and stay under the radar. The previously undocumented malware has been dubbed " Sardonic " by Romanian cybersecurity technology company Bitdefender, which it encountered during a  forensic investigation  in the wake of an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S. Said to be under active development, "Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor leverage new malware on the fly without updating components," Bitdefender researchers Eduard Budaca and Victor Vrabie said in a report shared with The Hacker News. Since emerging on the scene in January 2016, FIN8 has ...
New SideWalk Backdoor Targets U.S.-based Computer Retail Business

New SideWalk Backdoor Targets U.S.-based Computer Retail Business

Aug 25, 2021
A computer retail company based in the U.S. was the target of a previously undiscovered implant called SideWalk as part of a recent campaign undertaken by a Chinese advanced persistent threat group primarily known for singling out entities in East and Southeast Asia. Slovak cybersecurity firm ESET attributed the malware to an advanced persistent threat it tracks under the moniker SparklingGoblin, an adversary believed to be connected to the Winnti umbrella group, noting its similarities to another backdoor dubbed  Crosswalk  that was put to use by the same threat actor in 2019. "SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command-and-control] server, makes use of Google Docs as a  dead drop resolver , and  Cloudflare workers  as a C&C server," ESET researchers Thibaut Passilly and Mathieu Tartare  said  in a report published Tuesday. "It can also properly handle communication behind a prox...
New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer

New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer

May 03, 2021
A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces. The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous "Royal Road" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed " PortDoor ," according to Cybereason's Nocturnus threat intelligence team. "Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more," the researchers  said  in a write-up on Friday. Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting fo...
Gigaset Android Update Server Hacked to Install Malware on Users' Devices

Gigaset Android Update Server Hacked to Install Malware on Users' Devices

Apr 09, 2021
Gigaset has revealed a malware infection discovered in its Android devices was the result of a compromise of a server belonging to an external update service provider. Impacting older smartphone models — GS100, GS160, GS170, GS180, GS270 (plus), and GS370 (plus) series — the malware took the form of multiple  unwanted apps  that were downloaded and installed through a pre-installed system update app. The infections are said to have occurred starting  March 27 . The German manufacturer of telecommunications devices said it took steps to alert the update service provider of the issue, following which further infections were prevented on April 7. "Measures have been taken to automatically rid infected devices of the malware. In order for this to happen the devices must be connected to the internet (WLAN, WiFi or mobile data). We also recommend connecting the devices to their chargers. Affected devices should automatically be freed from the malware within 8 hours," the ...
Hackers Targeting professionals With 'more_eggs' Malware via LinkedIn Job Offers

Hackers Targeting professionals With 'more_eggs' Malware via LinkedIn Job Offers

Apr 06, 2021
A new spear-phishing campaign is targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated backdoor trojan called "more_eggs." To increase the odds of success, the phishing lures take advantage of malicious ZIP archive files that have the same name as that of the victims' job titles taken from their LinkedIn profiles. "For example, if the LinkedIn member's job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the 'position' added to the end)," cybersecurity firm eSentire's Threat Response Unit (TRU)  said  in an analysis. "Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs." Campaigns delivering more_eggs using the  same modus operandi  have been spotted at least since 2018, with the backdo...
Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor

Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor

Jan 12, 2021
As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform. Called " Sunspot ," the malignant tool adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop. "This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna  explained . While  preliminary evidence  found that operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, the latest findings reveal a new timeline that establishes the first brea...
Uncovered: APT 'Hackers For Hire' Target Financial, Entertainment Firms

Uncovered: APT 'Hackers For Hire' Target Financial, Entertainment Firms

Nov 12, 2020
A hackers-for-hire operation has been discovered using a strain of previously undocumented malware to target South Asian financial institutions and global entertainment companies. Dubbed " CostaRicto " by Blackberry researchers, the campaign appears to be the handiwork of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunneling capabilities. "CostaRicto targets are scattered across different countries in Europe, Americas, Asia, Australia and Africa, but the biggest concentration appears to be in South Asia (especially India, Bangladesh and Singapore and China), suggesting that the threat actor could be based in that region, but working on a wide range of commissions from diverse clients," the researchers said. The modus operandi in itself is quite straight-forward. Upon gaining an initial foothold in the target's environment via stolen credentials, the attacker proceeds to set up an SSH tunnel to download a backdoor and a p...
Expert Insights / Articles Videos
Cybersecurity Resources