The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Cyber Attack

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

September 18, 2020Ravie Lakshmanan
The U.S. government on Thursday imposed  sweeping sanctions  against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group  APT39  (aka Chafer or Remix Kitten), Iranian cyber espionage hacking collective active since 2014 known for its attacks on companies in the U.S. and the Middle East with an aim to pilfer personal information and advance Iran's national security objectives. To that effect, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been implicated in the sanctions, which also prohibit U
U.S. Announces Charges Against 2 Russian and 2 Iranian Hackers

U.S. Announces Charges Against 2 Russian and 2 Iranian Hackers

September 17, 2020Wang Wei
Immediately after revealing criminal charges against 5 Chinese and 2 Malaysian hackers , the United States government yesterday also made two separate announcements charging two Iranian and two Russian hackers and added them to the FBI's most-wanted list. The two Russian nationals—Danil Potekhin and Dmitrii Karasavidi—are accused of stealing $16.8 million worth of cryptocurrencies in a series of phishing attacks throughout 2017 and 2018. "This tactic used a combination of phishing and spoofing to exploit Internet users' trust in known companies and organizations to fraudulently obtain their login credentials, including email addresses, password information, and other personal information," the DoJ said . In addition to the criminal charges, the U.S. Department of the Treasury has also sanctioned both Russian hackers , freezing all their assets under U.S. jurisdiction and banning them from doing business with Americans. "Karasavidi laundered the proceeds
FBI adds 5 Chinese APT41 hackers to its Cyber's Most Wanted List

FBI adds 5 Chinese APT41 hackers to its Cyber's Most Wanted List

September 16, 2020Mohit Kumar
The United States government today announced charges against 5 alleged members of a Chinese state-sponsored hacking group and 2 Malaysian hackers that are responsible for hacking more than 100 companies throughout the world. Named as APT41 and also known as 'Barium,' 'Winnti, 'Wicked Panda,' and 'Wicked Spider,' the cyber-espionage group has been operating since at least 2012 and is not just involved in strategic intelligence collection from valuable targets in many sectors, but also behind financially motivated attacks against online gaming industry. According to a press release published by the U.S. Justice Department, two of the five Chinese hackers—Zhang Haoran (张浩然) and Tan Dailin (谭戴林)—were charged back in August 2019, and the other three of them—Jiang Lizhi (蒋立志), Qian Chuan (钱川) and Fu Qiang (付强)—and two Malaysian co-conspirators were in separate indictments in August 2020. The later indicted three Chinese hackers are associated with a netw
2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General

2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General

September 16, 2020Ravie Lakshmanan
The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected computer for a widespread "cyber-assault" that affected over 1,400 websites with pro-Iranian and pro-Palestinian messages. "The hackers victimized innocent third parties in a campaign to retaliate for the military action that killed Soleimani, a man behind countless acts of terror against Americans and others that the Iranian regime opposed," said Assistant Attorney General for National Security John C. Demers in a statement. The defendants, from Iran and Palestine, respectively, are now wanted by the US authorities and are no longer free to travel outside their countries wi
New Report Explains COVID-19's Impact on Cyber Security

New Report Explains COVID-19's Impact on Cyber Security

September 16, 2020The Hacker News
Most cybersecurity professionals fully anticipated that cybercriminals would leverage the fear and confusion surrounding the Covid-19 pandemic in their cyberattacks. Of course, malicious emails would contain subjects relating to Covid-19, and malicious downloads would be Covid-19 related. This is how cybercriminals operate. Any opportunity to maximize effectiveness, no matter how contemptible, is taken. While many have anecdotally suggested ways in which Covid-19 related cyberattacks would unfold, we have little data supporting the actual impact of Covid-19 on cybersecurity. Several have reported that the number of malicious emails with the subject related to Covid-19 has grown several hundred percent and that the majority of Covid-19 related emails are now malicious. Beyond the anticipated increase in Covid-19 related malicious emails, videos, and an array of downloadable files, which we all anticipated, what else is going on behind the scenes? Interestingly, cybersecurity
New Linux Malware Steals Call Details from VoIP Softswitch Systems

New Linux Malware Steals Call Details from VoIP Softswitch Systems

September 11, 2020Ravie Lakshmanan
Cybersecurity researchers have discovered an entirely new kind of Linux malware dubbed "CDRThief" that targets voice over IP (VoIP) softswitches in an attempt to steal phone call metadata. "The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records ( CDR )," ESET researchers said in a Thursday analysis . "To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform." Softswitches (short for software switches) are generally VoIP servers that allow for telecommunication networks to provide management of voice, fax, data and video traffic, and call routing. ESET's research uncovered that CDRThief targeted a specific Linux VoIP platform, namely the VOS2009 and 3000 softswitches from Chinese company Linknat, and had its malicious functionalit
Hackers Stole $5.4 Million From Eterbase Cryptocurrency Exchange

Hackers Stole $5.4 Million From Eterbase Cryptocurrency Exchange

September 10, 2020Swati Khandelwal
Cybercriminals successfully plundered another digital cryptocurrency exchange. European cryptocurrency exchange Eterbase this week disclosed a massive breach of its network by an unknown group of hackers who stole cryptocurrencies worth 5.4 million dollars. Eterbase, which has now entered maintenance mode until the security issue is resolved, described itself as Europe's Premier Digital Asset Exchange. Based in Bratislava, Slovakia, and launched in 2019, Eterbase is a small cryptocurrency exchange platform that focuses on crypto to SEPA integration (via individual IBAN accounts), multi-asset support, and regulatory compliance. On Monday night, malicious threat actors managed to raid six Eterbase's hot wallets for Bitcoin, Ethereum, XRP, Tezos, Algorand, and TRON and transferred the funds into their wallets managed at six rival crypto exchanges, Eterbase reported on its Telegram channel on Tuesday. According to a tweet posted by the affected exchange, Eterbase t
New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption

New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption

September 10, 2020Ravie Lakshmanan
A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed " Raccoon Attack ," the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties. "The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret," the researchers explained their findings in a paper. "If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem." However, the academics stated that the vulnerability is hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.
New PIN Verification Bypass Flaw Affects Visa Contactless Payments

New PIN Verification Bypass Flaw Affects Visa Contactless Payments

September 07, 2020Ravie Lakshmanan
Even as Visa issued a warning about a new JavaScript web skimmer known as Baka , cybersecurity researchers have uncovered an authentication flaw in the company's EMV enabled payment cards that permits cybercriminals to obtain funds and defraud cardholders as well as merchants illicitly. The research , published by a group of academics from the ETH Zurich, is a PIN bypass attack that allows the adversaries to leverage a victim's stolen or lost credit card for making high-value purchases without knowledge of the card's PIN, and even trick a point of sale (PoS) terminal into accepting an unauthentic offline card transaction. All modern contactless cards that make use of the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw, but the researchers posited it could apply to EMV protocols implemented by Discover and UnionPay as well. The loophole, however, doesn't impact Mastercard, American Express, and JC
Evilnum hackers targeting financial firms with a new Python-based RAT

Evilnum hackers targeting financial firms with a new Python-based RAT

September 04, 2020Ravie Lakshmanan
An adversary known for targeting the fintech sector at least since 2018 has switched up its tactics to include a new Python-based remote access Trojan (RAT) that can steal passwords, documents, browser cookies, email credentials, and other sensitive information. In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has also deployed a Python RAT called "PyVil RAT," which possesses abilities to gather information, take screenshots, capture keystrokes data, open an SSH shell and deploy new tools. "Since the first reports in 2018 through today, the group's TTPs have evolved with different tools while the group has continued to focus on fintech targets," the cybersecurity firm said . "These variations include a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT)" to spy
Iranian Hackers Pose as Journalists to Trick Victims Into Installing Malware

Iranian Hackers Pose as Journalists to Trick Victims Into Installing Malware

August 28, 2020Ravie Lakshmanan
An Iranian cyberespionage group known for targeting government, defense technology, military, and diplomacy sectors is now impersonating journalists to approach targets via LinkedIn and WhatsApp and infect their devices with malware. Detailing the new tactics of the "Charming Kitten" APT group, Israeli firm Clearsky said, "starting July 2020, we have identified a new TTP of the group, impersonating 'Deutsche Welle' and the 'Jewish Journal' using emails alongside WhatsApp messages as their main platform to approach the target and convince them to open a malicious link." This development is the first time the threat actor is said to have carried out a watering hole attack through WhatsApp and LinkedIn, which also includes making phone calls to victims, Clearsky noted in a Thursday analysis. After the company alerted Deutsche Welle about the impersonation and the watering hole in their website, the German broadcaster confirmed, "the repor
QakBot Banking Trojan Returned With New Sneaky Tricks to Steal Your Money

QakBot Banking Trojan Returned With New Sneaky Tricks to Steal Your Money

August 27, 2020Ravie Lakshmanan
A notorious banking trojan aimed at stealing bank account credentials and other financial information has now come back with new tricks up its sleeve to target government, military, and manufacturing sectors in the US and Europe, according to new research. In an analysis released by Check Point Research today, the latest wave of Qbot activity appears to have dovetailed with the return of Emotet — another email-based malware behind several botnet-driven spam campaigns and ransomware attacks — last month, with the new sample capable of covertly gathering all email threads from a victim's Outlook client and using them for later malspam campaigns. "These days Qbot is much more dangerous than it was previously — it has an active malspam campaign which infects organizations, and it manages to use a 'third-party' infection infrastructure like Emotet's to spread the threat even further," the cybersecurity firm said. Using Hijacked Email Threads as Lures F
Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware

Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware

August 26, 2020Mohit Kumar
Hackers always find a way in, even if there's no software vulnerability to exploit. The FBI has arrested a Russian national who recently traveled to the United States and offered $1 million in bribe to an employee of a targeted company for his help in installing malware into the company's computer network manually. Egor Igorevich Kriuchkov , 27-year-old, entered the United States as a tourist and was arrested in Los Angeles after meeting with the unnamed employee of an undisclosed Nevada-based company numerous times, between August 1 to August 21, to discuss the conspiracy. "On or about July 16, EGOR IGOREVICH KRIUCHKOV used his WhatsApp account to contact the employee of victim company and arranged to visit in person in the District of Nevada," the court documents say. "On or about July 28, EGOR IGOREVICH KRIUCHKOV entered the United States using his Russian Passport and a B1/B2 tourist visa." Kriuchkov also asked the employee to participate in
A Google Drive 'Feature' Could Let Attackers Trick You Into Installing Malware

A Google Drive 'Feature' Could Let Attackers Trick You Into Installing Malware

August 22, 2020Ravie Lakshmanan
An unpatched security weakness in Google Drive could be exploited by malware attackers to distribute malicious files disguised as legitimate documents or images, enabling bad actors to perform spear-phishing attacks comparatively with a high success rate. The latest security issue—of which Google is aware but, unfortunately, left unpatched—resides in the " manage versions " functionality offered by Google Drive that allows users to upload and manage different versions of a file, as well as in the way its interface provides a new version of the files to the users. Logically, the manage versions functionally should allow Google Drive users to update an older version of a file with a new version having the same file extension, but it turns out that it's not the case. According to A. Nikoci, a system administrator by profession who reported the flaw to Google and later disclosed it to The Hacker News, the affected functionally allows users to upload a new version wit
Hackers Target Defense Contractors' Employees By Posing as Recruiters

Hackers Target Defense Contractors' Employees By Posing as Recruiters

August 20, 2020Mohit Kumar
The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a new report warning companies about a new in-the-wild malware that North Korean hackers are reportedly using to spy on key employees at government contracting companies. Dubbed ' BLINDINGCAN ,' the advanced remote access trojan acts as a backdoor when installed on compromised computers. According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group , also known as Hidden Cobra , are spreading BLINDINGCAN to "gather intelligence surrounding key military and energy technologies." To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings. However, such employment scams and social engineering strategies are not new and were recently spotted being used in
Experian South Africa Suffers Data Breach Affecting Millions; Attacker Identified

Experian South Africa Suffers Data Breach Affecting Millions; Attacker Identified

August 20, 2020Mohit Kumar
The South African arm of one of the world's largest credit check companies Experian yesterday announced a data breach incident that exposed personal information of millions of its customers. While Experian itself didn't mention the number of affect customers, in a report , the South African Banking Risk Information Centre—an anti-fraud and banking non-profit organization who worked with Experian to investigate the breach—disclosed that the attacker had reportedly stolen data of 24 million South Africans and 793,749 business entities. Notably, according to the company, the suspected attacker behind this breach had already been identified, and the stolen data of its customers had successfully been deleted from his/her computing devices. "We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual's hardware being impounded and the misappropriated data being
Researchers Exploited A Bug in Emotet to Stop the Spread of Malware

Researchers Exploited A Bug in Emotet to Stop the Spread of Malware

August 17, 2020Ravie Lakshmanan
Emotet, a notorious email-based malware behind several botnet-driven spam campaigns and ransomware attacks, contained a flaw that allowed cybersecurity researchers to activate a kill-switch and prevent the malware from infecting systems for six months. "Most of the vulnerabilities and exploits that you read about are good news for attackers and bad news for the rest of us," Binary Defense's James Quinn said. "However, it's important to keep in mind that malware is software that can also have flaws. Just as attackers can exploit flaws in legitimate software to cause harm, defenders can also reverse-engineer malware to discover its vulnerabilities and then exploit those to defeat the malware." The kill-switch was alive between February 6, 2020, to August 6, 2020, for 182 days, before the malware authors patched their malware and closed the vulnerability. Since its first identification in 2014, Emotet has evolved from its initial roots as a banking
Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack

August 05, 2020Ravie Lakshmanan
A new research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even after 15 years since they were first documented. What is HTTP Request Smuggling? HTTP request smuggling (or HTTP Desyncing) is a technique employed to interfere with the way a website processes sequences of HTTP requests that are received from one or more users. Vulnerabilities related to HTTP request smuggling typically arise when the front-end (a load balancer or proxy) and the back-end servers interpret the boundary of an HTTP request differently, thereby allowing a bad actor to send (or "smuggle") an ambiguous request that gets prepended to the next le
US Government Warns of a New Strain of Chinese 'Taidoor' Virus

US Government Warns of a New Strain of Chinese 'Taidoor' Virus

August 04, 2020Ravie Lakshmanan
Intelligence agencies in the US have released information about a new variant of 12-year-old computer virus used by China's state-sponsored hackers targeting governments, corporations, and think tanks. Named " Taidoor, " the malware has done an 'excellent' job of compromising systems as early as 2008 , with the actors deploying it on victim networks for stealthy remote access. "[The] FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) said in a joint advisory . The US Cyber Command has also uploaded four samples of the Taidoor RAT on the public malware repository VirusTotal to let 50+ Antivirus companies check the virus's involvement in other unattributed cam
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.