#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

Credential Theft | Breaking Cybersecurity News | The Hacker News

Category — Credential Theft
Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

Jan 15, 2025 Malvertising / Malware
Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google. "The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of threat intelligence at Malwarebytes, said in a report shared with The Hacker News. It's suspected the end goal of the campaign is to reuse the stolen credentials to further perpetuate the campaigns, while also selling them to other criminal actors on underground forums. Based on posts shared on Reddit , Bluesky , and Google's own support forums , the threat has been active since at least mid-November 2024. The activity cluster is a lot similar to campaigns that leverage stealer malware to steal data related to Facebook advertising and business accounts in order to ...
Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces

Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces

Jan 14, 2025 Vulnerability / Network Security
Threat hunters are calling attention to a new campaign that has targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public internet. "The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes," cybersecurity firm Arctic Wolf said in an analysis published last week. The malicious activity is believed to have commenced in mid-November 2024, with unknown threat actors gaining unauthorized access to management interfaces on affected firewalls to alter configurations and extract credentials using DCSync . The exact initial access vector is currently not known, although it has been assessed with "high confidence" that it's likely driven by the exploitation of a zero-day vulnerability given the "compressed timeline across affected organizations as well as firmware versions af...
Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Jan 09, 2025AI Security / SaaS Security
As SaaS providers race to integrate AI into their product offerings to stay competitive and relevant, a new challenge has emerged in the world of AI: shadow AI.  Shadow AI refers to the unauthorized use of AI tools and copilots at organizations. For example, a developer using ChatGPT to assist with writing code, a salesperson downloading an AI-powered meeting transcription tool, or a customer support person using Agentic AI to automate tasks – without going through the proper channels. When these tools are used without IT or the Security team's knowledge, they often lack sufficient security controls, putting company data at risk. Shadow AI Detection Challenges Because shadow AI tools often embed themselves in approved business applications via AI assistants, copilots, and agents they are even more tricky to discover than traditional shadow IT. While traditional shadow apps can be identified through network monitoring methodologies that scan for unauthorized connections based on...
When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions

When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions

Dec 30, 2024 Browser Security / GenAI Security
News has been making headlines over the weekend of the extensive attack campaign targeting browser extensions and injecting them with malicious code to steal user credentials. Currently, over 25 extensions, with an install base of over two million users, have been found to be compromised, and customers are now working to figure out their exposure (LayerX, one of the companies involved in protecting against malicious extensions is offering a complimentary service to audit and remediate organizations' exposure - to sign-up click here ). While this is not the first attack to target browser extensions, the scope and sophistication of this campaign are a significant step up in terms of the threats posed by browser extensions and the risks they pose to organizations. Now that details of the attack have been publicized, users and organizations need to assess their risk exposure to this attack and to browser extensions in general. This article is aimed at helping organizations understand t...
cyber security

Secure Your Azure: Proactive Tips for Cloud Protection

websiteWizCloud Security
Discover how to boost your Azure cloud security with practical steps to help you maintain control and visibility.
Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft

Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft

Dec 29, 2024 Endpoint Protection / Browser Security
A new attack campaign has targeted known Chrome browser extensions, leading to at least 35 extensions being compromised and exposing over 2.6 million users to data exposure and credential theft. The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal cookies and user access tokens. The first company to shed light the campaign was cybersecurity firm Cyberhaven, one of whose employees was targeted by a phishing attack on December 24, allowing the threat actors to publish a malicious version of the extension. On December 27, Cyberhaven disclosed that a threat actor compromised its browser extension and injected malicious code to communicate with an external command-and-control (C&C) server located on the domain cyberhavenext[.]pro, download additional configuration files, and exfiltrate user data. The phishing email, which purported...
Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts

Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts

Dec 24, 2024 Malware / Data Exfiltration
Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs. The packages, named zebo and cometlogger , attracted 118 and 164 downloads each, prior to them being taken down. According to ClickPy statistics, a majority of these downloads came from the United States, China, Russia, and India.  Zebo is a "typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control," security researcher Jenna Wang said, adding cometlogger "also shows signs of malicious behavior, including dynamic file manipulation, webhook injection, stealing information, and anti-[virtual machine] checks." The first of the two packages, zebo, uses obfuscation techniques, such as hex-encoded strings, to conceal the URL of the co...
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware

Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware

Dec 17, 2024 Malware / Credential Theft
A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate . "An attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said . "The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access." As recently documented by cybersecurity firm Rapid7, the attack involved bombarding a target's email inbox with "thousands of emails," after which the threat actors approached them via Microsoft Teams by masquerading as an employee of an external supplier. The attacker then went on to instruct the victim to install AnyDesk on their system, with the remote access subsequently abused to deliver multiple payloads, includ...
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses

Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses

Dec 04, 2024 Email Security / Malware
Cybersecurity researchers have called attention to a novel phishing campaign that leverages corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses. "The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox," ANY.RUN said in a series of posts on X. The malicious activity entails sending emails containing ZIP archives or Office attachments that are intentionally corrupted in such a way that they cannot be scanned by security tools. These messages aim to trick users into opening the attachments with false promises of employee benefits and bonuses. In other words, the corrupted state of the files means that they are not flagged as suspicious or malicious by email filters and antivirus software. However, the attack still works because it takes advantage of the built-in recovery mechanisms of programs like Word, Outlook, and WinRAR ...
North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

Dec 03, 2024 Threat Intelligence / Email Security
The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said . "Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed." This entails the abuse of VK's Mail.ru email service, which supports five different alias domains, including mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru. Genians said it has observed the Kimsuky actors leveraging all the aforementioned sender domains for phishing campaigns that masquerade as financial institutions and internet portals like Naver. Other phishing attacks have entailed sending messages that mimic Naver's MYBOX cloud storage service and aim to trick users into ...
Comprehensive Guide to Building a Strong Browser Security Program

Comprehensive Guide to Building a Strong Browser Security Program

Nov 13, 2024 Browser Security / SaaS Security
The rise of SaaS and cloud-based work environments has fundamentally altered the cyber risk landscape. With more than 90% of organizational network traffic flowing through browsers and web applications, companies are facing new and serious cybersecurity threats. These include phishing attacks, data leakage, and malicious extensions. As a result, the browser also becomes a vulnerability that needs to be protected. LayerX has released a comprehensive guide titled "Kickstarting Your Browser Security Program" This in-depth guide serves as a roadmap for CISOs and security teams looking to secure browser activities within their organization; including step-by-step instructions, frameworks, and use cases. Below, we bring its main highlights. Prioritizing Browser Security Browsers now serve as the primary interface for SaaS applications, creating new malicious opportunities for cyber adversaries. The risks include: Data leakage - Browsers can expose sensitive data by allowing empl...
New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

Nov 12, 2024 Email Security / Threat Intelligence
Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users. The program, first marketed by a threat actor named cyberdluffy (aka Cyber D' Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub profiles and send bulk emails directly to user inboxes. "Whether you're aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need," the threat actor claimed in their post. "GoIssue can send bulk emails to GitHub users, directly to their inboxes, targeting any recipient." SlashNext said the tool marks a "dangerous shift in targeted phishing" that could act as a gateway to source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials. "Armed with this inform...
New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Nov 12, 2024 Cyber Attack / Cybercrime
Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer. "Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness," Russian cybersecurity vendor Kaspersky said . "Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in the memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities." Kaspersky said it observed the ransomware used in a cyber attack targeting an unnamed organization in Colombia, with the threat actors previously delivering the RustyStealer malware to gather corporate credentials. It's believed that the stolen credentials were used to gain unauthorized access to the company's n...
Malicious PyPI Package ‘Fabrice’ Found Stealing AWS Keys from Thousands of Developers

Malicious PyPI Package 'Fabrice' Found Stealing AWS Keys from Thousands of Developers

Nov 07, 2024 Vulnerability / Cloud Security
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials. The package in question is " fabrice ," which typosquats a popular Python library known as " fabric ," which is designed to execute shell commands remotely over SSH.  While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021. The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said . "Fabrice" is designed to carry out its malicious actions ...
Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Nov 01, 2024 Vulnerability / Cloud Security
Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code. The activity, codenamed EMERALDWHALE , is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon. "The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services," Sysdig said in a report. "Phishing and spam seem to be the primary goal of stealing the credentials." The multi-faceted criminal operation, while not sophisticated, has been found to leverage an arsenal of private tools to steal credentials as well as scrape Git config files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or grou...
Enterprise Identity Threat Report 2024: Unveiling Hidden Threats to Corporate Identities

Enterprise Identity Threat Report 2024: Unveiling Hidden Threats to Corporate Identities

Oct 31, 2024 Identity Security / Browser Security
In the modern, browser-centric workplace, the corporate identity acts as the frontline defense for organizations. Often referred to as "the new perimeter", the identity stands between safe data management and potential breaches. However, a new report reveals how enterprises are often unaware of how their identities are being used across various platforms. This leaves them vulnerable to data breaches, account takeovers, and credential theft. The "Enterprise Identity Threat Report 2024" ( download here ) is based on exclusive data available only to the LayerX Browser Security platform. This data derives from LayerX's unique visibility into every user action in the browser, across industries. It provides a detailed analysis of emerging risks and uncovered hidden threats. To register to a live webinar to cover the key findings in this report, Click here . Below is a deeper dive into some of the report's most critical findings: 1. The Greatest Risk Comes from 2% of Users Security profe...
Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Oct 20, 2024 Vulnerability / Email Security
Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month an email that was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024. "The email appeared to be a message without text, containing only an attached document," it said in an analysis published earlier this week. "However, the email client didn't show the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code." The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting ( XSS ) v...
Expert Insights / Articles Videos
Cybersecurity Resources