The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Cyber Attack

Digitally Signed Bandook Malware Once Again Targets Multiple Sectors

Digitally Signed Bandook Malware Once Again Targets Multiple Sectors

November 27, 2020Ravie Lakshmanan
A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old backdoor Trojan. Check Point Research called out hackers affiliated with a group named  Dark Caracal  in a  new report  published yesterday for their efforts to deploy "dozens of digitally signed variants" of the  Bandook  Windows Trojan over the past year, thus once again "reigniting interest in this old malware family." The different verticals singled out by the threat actor include government, financial, energy, food industry, healthcare, education, IT, and legal institutions located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the US. The unusually large variety of targeted markets and locations "reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive
Chinese APT Hackers Target Southeast Asian Government Institutions

Chinese APT Hackers Target Southeast Asian Government Institutions

November 17, 2020Ravie Lakshmanan
Cybersecurity researchers today unveiled a complex and targeted espionage attack on potential government sector victims in South East Asia that they believe was carried out by a sophisticated Chinese APT group at least since 2018. "The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PcShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor," Bitdefender said in a new analysis shared with The Hacker News. It's worth noting that the  FunnyDream  campaign has been previously linked to high-profile government entities in Malaysia, Taiwan, and the Philippines, with a majority of victims located in Vietnam. According to the researchers, not only around 200 machines exhibited attack indicators associated with the campaign, evidence points to the fact the threat actor may have compromised  domain controllers  on the victim's network, allowing them to mo
New ModPipe Point of Sale (POS) Malware Targeting Restaurants, Hotels

New ModPipe Point of Sale (POS) Malware Targeting Restaurants, Hotels

November 12, 2020Ravie Lakshmanan
Cybersecurity researchers today disclosed a new kind of modular backdoor that targets point-of-sale (POS) restaurant management software from Oracle in an attempt to pilfer sensitive payment information stored in the devices. The backdoor — dubbed "ModPipe" — impacts Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS systems, a widely used software suite in restaurants and hospitality establishments to efficiently handle POS, inventory, and labor management. A majority of the identified targets are primarily located in the US. "What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values," ESET researchers said in an analysis . "Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information ab
New Kimsuky Module Makes North Korean Spyware More Powerful

New Kimsuky Module Makes North Korean Spyware More Powerful

November 03, 2020Ravie Lakshmanan
A week after the US government issued an advisory about a "global intelligence gathering mission" operated by North Korean  state-sponsored hackers , new findings have emerged about the threat group's spyware capabilities. The APT — dubbed " Kimsuky " (aka Black Banshee or Thallium) and believed to be active as early as 2012 — has been now linked to as many as three hitherto undocumented malware, including an information stealer, a tool equipped with malware anti-analysis features, and a new server infrastructure with significant overlaps to its older espionage framework. "The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe," Cybereason researchers said in an  analysis  yesterday. Last week, the FBI and department
FBI, DHS Warn Of Possible Major Ransomware Attacks On Healthcare Systems

FBI, DHS Warn Of Possible Major Ransomware Attacks On Healthcare Systems

October 28, 2020Ravie Lakshmanan
The US Federal Bureau of Investigation (FBI), Departments of Homeland Security, and Health and Human Services (HHS) issued a joint alert Wednesday warning of an "imminent" increase in ransomware and other cyberattacks against hospitals and healthcare providers. "Malicious cyber actors are targeting the [Healthcare and Public Health] Sector with TrickBot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services," the Cybersecurity and Infrastructure Security Agency  said  in its advisory. The infamous botnet typically spreads via malicious spam email to unsuspecting recipients and can steal financial and personal data and drop other software, such as ransomware, onto infected systems. It's worth noting that cybercriminals have already used TrickBot against a major healthcare provider,  Universal Health Services , whose systems were crippled by Ryuk ransomware late last month. TrickBot has also seen a severe  disrupt
TrickBot Linux Variants Active in the Wild Despite Recent Takedown

TrickBot Linux Variants Active in the Wild Despite Recent Takedown

October 28, 2020Ravie Lakshmanan
Efforts to disrupt TrickBot may have  shut down  most of its critical infrastructure, but the operators behind the notorious malware aren't sitting idle. According to new findings shared by cybersecurity firm  Netscout , TrickBot's authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted. TrickBot, a financial Trojan first detected in 2016, has been traditionally a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and perpetrate ransomware attacks. But over the past few weeks, twin efforts led by the US Cyber Command and Microsoft have helped to  eliminate 94%  of TrickBot's command-and-control (C2) servers that were in use and the new infrastructure the criminals operating TrickBot attempted to bring online to replace the previously disabled servers. Despite the steps taken to impede TrickBot, Microsof
New Chrome 0-day Under Active Attacks – Update Your Browser Now

New Chrome 0-day Under Active Attacks – Update Your Browser Now

October 21, 2020Swati Khandelwal
Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. Google released Chrome version 86.0.4240.111 today to patch several security high-severity issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers. Tracked as CVE-2020-15999 , the actively exploited vulnerability is a type of memory-corruption flaw called heap buffer overflow in Freetype, a popular open source software development library for rendering fonts that comes packaged with Chrome. The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19 and is subject to a seven-day public disclosure deadline due to the flaw being under active exploitation. Glazunov also immediately reported the zero-day vulnerability to FreeType developers, who then
U.S. Charges 6 Russian Intelligence Officers Over Destructive Cyberattacks

U.S. Charges 6 Russian Intelligence Officers Over Destructive Cyberattacks

October 19, 2020Ravie Lakshmanan
The US government on Monday formally charged six Russian intelligence officers for carrying out destructive malware attacks with an aim to disrupt and destabilize other nations and cause monetary losses. The individuals, who work for Unit 74455 of the Russian Main Intelligence Directorate (GRU), have been accused of perpetrating the "most disruptive and destructive series of computer attacks ever attributed to a single group," according to the Justice Department ( DoJ ). All the six men — Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin — have been charged with seven counts of conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. "The object of the conspiracy was to deploy destructive malware and take other disruptive actions, for the strateg
Researchers Uncover Cyber Espionage Operation Aimed At Indian Army

Researchers Uncover Cyber Espionage Operation Aimed At Indian Army

September 28, 2020Ravie Lakshmanan
Cybersecurity researchers uncovered fresh evidence of an ongoing cyberespionage campaign against Indian defense units and armed forces personnel at least since 2019 with an aim to steal sensitive information. Dubbed " Operation SideCopy " by Indian cybersecurity firm  Quick Heal , the attacks have been attributed to an advanced persistent threat (APT) group that has successfully managed to stay under the radar by "copying" the tactics of other threat actors such as the  SideWinder . Exploiting Microsoft Equation Editor Flaw The campaign's starting point is an email with an embedded malicious attachment — either in the form of a ZIP file containing an LNK file or a Microsoft Word document — that triggers an infection chain via a series of steps to download the final-stage payload. Aside from identifying three different infection chains, what's notable is the fact that one of them exploited template injection and Microsoft Equation Editor flaw ( CVE-2017
A New Hacking Group Hitting Russian Companies With Ransomware

A New Hacking Group Hitting Russian Companies With Ransomware

September 23, 2020Ravie Lakshmanan
As ransomware attacks  against critical infrastructure continue to spike in recent months, cybersecurity researchers have uncovered a new entrant that has been actively trying to conduct multistage attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The ransomware gang, codenamed "OldGremlin" and believed to be a Russian-speaking threat actor, has been linked to a series of campaigns at least since March, including a successful attack against a clinical diagnostics laboratory that occurred last month on August 11. "The group has targeted only Russian companies so far, which was typical for many Russian-speaking adversaries, such as  Silence  and  Cobalt , at the beginning of their criminal path," Singaporean cybersecurity firm Group-IB said in a report published today and shared with The Hacker News. "Using Russia as a testing ground, these groups then switched to other geographies to distance thems
British Hacker Sentenced to 5 Years for Blackmailing U.S. Companies

British Hacker Sentenced to 5 Years for Blackmailing U.S. Companies

September 22, 2020Swati Khandelwal
A UK man who threatened to publicly release stolen confidential information unless the victims agreed to fulfill his digital extortion demands has finally pleaded guilty on Monday at U.S. federal district court in St. Louis, Missouri. Nathan Francis Wyatt , 39, who is a key member of the infamous international hacking group 'The Dark Overlord,' has been sentenced to five years in prison and ordered to pay $1,467,048 in restitution to his victims. Wyatt, who was extradited to the United States late last year after being held for over two years in the United Kingdom, has pleaded guilty to conspiring to commit aggravated identity theft and computer fraud. U.K. police first arrested Wyatt in September 2016 during an investigation into the hacking of an iCloud account belonging to Pippa Middleton, the younger sister of the British royal family member Duchess of Cambridge, and stealing 3,000 images of her. Though he was released in that case without charge due to lack of
A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems

A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems

September 21, 2020Ravie Lakshmanan
German authorities last week  disclosed  that a ransomware attack on the University Hospital of Düsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away. The incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which has ramped up in recent months. The attack, which exploited a Citrix ADC  CVE-2019-19781  vulnerability to cripple the hospital systems on September 10, is said to have been "misdirected" in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators. After law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key. The case is currently being treated as a homicide, BBC News  reported  over the weekend. Unpatched Vulnerabilities
U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

September 18, 2020Ravie Lakshmanan
The U.S. government on Thursday imposed  sweeping sanctions  against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group  APT39  (aka Chafer or Remix Kitten), Iranian cyber espionage hacking collective active since 2014 known for its attacks on companies in the U.S. and the Middle East with an aim to pilfer personal information and advance Iran's national security objectives. To that effect, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been implicated in the sanctions, which also prohibit U
U.S. Announces Charges Against 2 Russian and 2 Iranian Hackers

U.S. Announces Charges Against 2 Russian and 2 Iranian Hackers

September 17, 2020Wang Wei
Immediately after revealing criminal charges against 5 Chinese and 2 Malaysian hackers , the United States government yesterday also made two separate announcements charging two Iranian and two Russian hackers and added them to the FBI's most-wanted list. The two Russian nationals—Danil Potekhin and Dmitrii Karasavidi—are accused of stealing $16.8 million worth of cryptocurrencies in a series of phishing attacks throughout 2017 and 2018. "This tactic used a combination of phishing and spoofing to exploit Internet users' trust in known companies and organizations to fraudulently obtain their login credentials, including email addresses, password information, and other personal information," the DoJ said . In addition to the criminal charges, the U.S. Department of the Treasury has also sanctioned both Russian hackers , freezing all their assets under U.S. jurisdiction and banning them from doing business with Americans. "Karasavidi laundered the proceeds
FBI adds 5 Chinese APT41 hackers to its Cyber's Most Wanted List

FBI adds 5 Chinese APT41 hackers to its Cyber's Most Wanted List

September 16, 2020Mohit Kumar
The United States government today announced charges against 5 alleged members of a Chinese state-sponsored hacking group and 2 Malaysian hackers that are responsible for hacking more than 100 companies throughout the world. Named as APT41 and also known as 'Barium,' 'Winnti, 'Wicked Panda,' and 'Wicked Spider,' the cyber-espionage group has been operating since at least 2012 and is not just involved in strategic intelligence collection from valuable targets in many sectors, but also behind financially motivated attacks against online gaming industry. According to a press release published by the U.S. Justice Department, two of the five Chinese hackers—Zhang Haoran (张浩然) and Tan Dailin (谭戴林)—were charged back in August 2019, and the other three of them—Jiang Lizhi (蒋立志), Qian Chuan (钱川) and Fu Qiang (付强)—and two Malaysian co-conspirators were in separate indictments in August 2020. The later indicted three Chinese hackers are associated with a netw
2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General

2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General

September 16, 2020Ravie Lakshmanan
The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected computer for a widespread "cyber-assault" that affected over 1,400 websites with pro-Iranian and pro-Palestinian messages. "The hackers victimized innocent third parties in a campaign to retaliate for the military action that killed Soleimani, a man behind countless acts of terror against Americans and others that the Iranian regime opposed," said Assistant Attorney General for National Security John C. Demers in a statement. The defendants, from Iran and Palestine, respectively, are now wanted by the US authorities and are no longer free to travel outside their countries wi
New Report Explains COVID-19's Impact on Cyber Security

New Report Explains COVID-19's Impact on Cyber Security

September 16, 2020The Hacker News
Most cybersecurity professionals fully anticipated that cybercriminals would leverage the fear and confusion surrounding the Covid-19 pandemic in their cyberattacks. Of course, malicious emails would contain subjects relating to Covid-19, and malicious downloads would be Covid-19 related. This is how cybercriminals operate. Any opportunity to maximize effectiveness, no matter how contemptible, is taken. While many have anecdotally suggested ways in which Covid-19 related cyberattacks would unfold, we have little data supporting the actual impact of Covid-19 on cybersecurity. Several have reported that the number of malicious emails with the subject related to Covid-19 has grown several hundred percent and that the majority of Covid-19 related emails are now malicious. Beyond the anticipated increase in Covid-19 related malicious emails, videos, and an array of downloadable files, which we all anticipated, what else is going on behind the scenes? Interestingly, cybersecurity
New Linux Malware Steals Call Details from VoIP Softswitch Systems

New Linux Malware Steals Call Details from VoIP Softswitch Systems

September 11, 2020Ravie Lakshmanan
Cybersecurity researchers have discovered an entirely new kind of Linux malware dubbed "CDRThief" that targets voice over IP (VoIP) softswitches in an attempt to steal phone call metadata. "The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records ( CDR )," ESET researchers said in a Thursday analysis . "To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform." Softswitches (short for software switches) are generally VoIP servers that allow for telecommunication networks to provide management of voice, fax, data and video traffic, and call routing. ESET's research uncovered that CDRThief targeted a specific Linux VoIP platform, namely the VOS2009 and 3000 softswitches from Chinese company Linknat, and had its malicious functionalit
Hackers Stole $5.4 Million From Eterbase Cryptocurrency Exchange

Hackers Stole $5.4 Million From Eterbase Cryptocurrency Exchange

September 10, 2020Swati Khandelwal
Cybercriminals successfully plundered another digital cryptocurrency exchange. European cryptocurrency exchange Eterbase this week disclosed a massive breach of its network by an unknown group of hackers who stole cryptocurrencies worth 5.4 million dollars. Eterbase, which has now entered maintenance mode until the security issue is resolved, described itself as Europe's Premier Digital Asset Exchange. Based in Bratislava, Slovakia, and launched in 2019, Eterbase is a small cryptocurrency exchange platform that focuses on crypto to SEPA integration (via individual IBAN accounts), multi-asset support, and regulatory compliance. On Monday night, malicious threat actors managed to raid six Eterbase's hot wallets for Bitcoin, Ethereum, XRP, Tezos, Algorand, and TRON and transferred the funds into their wallets managed at six rival crypto exchanges, Eterbase reported on its Telegram channel on Tuesday. According to a tweet posted by the affected exchange, Eterbase t
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.