The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Cyber Attack

Wormable DarkRadiation Ransomware Targets Linux and Docker Instances

Wormable DarkRadiation Ransomware Targets Linux and Docker Instances

June 22, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed a new ransomware strain called " DarkRadiation " that's implemented entirely in Bash and targets Linux and Docker cloud containers, while banking on messaging service Telegram for command-and-control (C2) communications. "The ransomware is written in  Bash  script and targets Red Hat/CentOS and Debian Linux distributions," researchers from Trend Micro  said  in a report published last week. "The malware uses OpenSSL's AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram's API to send an infection status to the threat actor(s)." As of writing, there's no information available on the delivery methods or evidence that the ransomware has been deployed in real-world attacks. The findings come from an analysis of a collection of hacking tools hosted on the unidentified threat actor's infrastructure (IP address "185.141.25.168") in a directory called
North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute

North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute

June 18, 2021Ravie Lakshmanan
South Korea's state-run Korea Atomic Energy Research Institute (KAERI) on Friday disclosed that its internal network was infiltrated by suspected attackers operating out of its northern counterpart. The intrusion is said to have taken place on May 14 through a vulnerability in an unnamed virtual private network (VPN) vendor and involved a  total of 13 IP addresses , one of which — "27.102.114[.]89" — has been previously linked to a state-sponsored threat actor dubbed  Kimsuky . KAERI, established in 1959 and situated in the city of Daejeon, is a government-funded research institute that designs and develops nuclear technologies related to reactors, fuel rods, radiation fusion, and nuclear safety. Following the intrusion, the think tank said it took steps to block the attacker's IP addresses in question and applied necessary security patches to the vulnerable VPN solution. "Currently, the Atomic Energy Research Institute is investigating the subject of the ha
Cyber espionage by Chinese hackers in neighbouring nations is on the rise

Cyber espionage by Chinese hackers in neighbouring nations is on the rise

June 18, 2021Ravie Lakshmanan
A string of cyber espionage campaigns dating all the way back to 2014 and focused on gathering military intelligence from neighbouring countries have been linked to a Chinese military-intelligence apparatus. In a wide-ranging report published by Massachusetts-headquartered Recorded Future this week, the cybersecurity firm's Insikt Group said it identified ties between a group it tracks as " RedFoxtrot " to the People's Liberation Army (PLA) Unit 69010 operating out of Ürümqi, the capital of the Xinjiang Uyghur Autonomous Region in the country. Previously called the Lanzhou Military Region's Second Technical Reconnaissance Bureau, Unit 69010 is a military cover for a Technical Reconnaissance Bureau (TRB) within China's Strategic Support Force (SSF) Network Systems Department ( NSD ). The connection to PLA Unit 69010 stems from what the researchers said were "lax operational security measures" adopted by an unnamed suspected RedFoxtrot threat act
A New Spyware is Targeting Telegram and Psiphon VPN Users in Iran

A New Spyware is Targeting Telegram and Psiphon VPN Users in Iran

June 17, 2021Ravie Lakshmanan
Threat actors with suspected ties to Iran have been found to leverage instant messaging and VPN apps like Telegram and Psiphon to install a Windows remote access trojan (RAT) capable of stealing sensitive information from targets' devices since at least 2015. Russian cybersecurity firm Kaspersky, which pieced together the activity, attributed the campaign to an advanced persistent threat (APT) group it tracks as Ferocious Kitten, a group that has singled out Persian-speaking individuals allegedly based in the country while successfully operating under the radar. "The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users in mind," Kaspersky's Global Research and Analysis Team (GReAT)  said . "Moreover, the decoy content displayed by the malicious files often made use of political themes and involved images or videos of resistance bas
Malware Attack on South Korean Entities Was Work of Andariel Group

Malware Attack on South Korean Entities Was Work of Andariel Group

June 16, 2021Ravie Lakshmanan
A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that  Lazarus  attackers are following the trends and their  arsenal  is in  constant development . "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity," Russian cybersecurity firm Kaspersky  said  in a deep-dive published Tuesday. Victims of the attack are in the manufacturing, home network service, media, and construction sectors. Designated as part of the Lazarus constellation, Andariel is known for unleashing attacks on South Korean organizations and businesses using specifically tailored methods created for maximum effectivity. In September 2019, the sub-group, along with Lazarus and Bluenoroff, was  sanctioned by the U.S. Treasury Department  for their malicious cyber activity on critical infrastructure. Anda
NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers

NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers

June 14, 2021Ravie Lakshmanan
A new cyber espionage group named Gelsemium has been linked to a  supply chain attack targeting the NoxPlayer  Android emulator that was disclosed earlier this year. The findings come from a systematic analysis of multiple campaigns undertaken by the APT crew, with evidence of the earliest attack dating back all the way to 2014 under the codename  Operation TooHash  based on malware payloads deployed in those intrusions. "Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities," cybersecurity firm ESET  said  in an analysis published last week. "Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand." Targeted countries include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi
U.S. Recovers $2.3 Million Ransom Paid to Colonial Pipeline Hackers

U.S. Recovers $2.3 Million Ransom Paid to Colonial Pipeline Hackers

June 08, 2021Ravie Lakshmanan
In a major blow, the U.S. Department of Justice on Monday said it has recovered 63.7 bitcoins (currently valued at $2.3 million) paid by Colonial Pipeline to the DarkSide ransomware extortionists on May 8, pursuant to a seizure warrant that was authorized by the Northern District of California. The  ransomware attack  also hobbled the pipeline company's fuel supply, prompting the government to issue an  emergency declaration , even as the company shelled out a ransom amount of approximately  75 bitcoins  ($4.4 million as of May 8) to regain access to its systems. A week after the highly publicized incident, the ransomware-as-a-service syndicate disbanded with a May 14 farewell message to affiliates, stating that its internet servers and cryptocurrency stash were  seized  by unknown law enforcement entities. While DarkSide's announcement was perceived as an exit scam, the latest move from DoJ confirms earlier speculations of law enforcement involvement. Stating that "
Hackers Breached Colonial Pipeline Using Compromised VPN Password

Hackers Breached Colonial Pipeline Using Compromised VPN Password

June 07, 2021Ravie Lakshmanan
The ransomware cartel that masterminded the  Colonial Pipeline attack  early last month crippled the pipeline operator's network using a compromised virtual private network (VPN) account password, the latest investigation into the incident has revealed. The development, which was  reported  by Bloomberg on Friday, involved gaining an initial foothold into the networks as early as April 29 through the VPN account, which allowed employees to access the company's networks remotely. The VPN login — which didn't have multi-factor protections on — was unused but active at the time of the attack, the report said, adding the password has since been discovered inside a batch of leaked passwords on the dark web, suggesting that an employee of the company may have reused the same password on another account that was previously breached. It's, however, unclear how the password was obtained, Charles Carmakal, senior vice president at the cybersecurity firm Mandiant, was quoted a
Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities

Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities

June 03, 2021Ravie Lakshmanan
New upgrades have been made to a Python-based "self-replicating, polymorphic bot" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," researchers from Cisco Talos  said  in a deep-dive published today. Said to be in development as far back as 2015,  Necro  (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed " FreakOut " that was found exploiting  vulnerabilities  in network-attached storage (
Researchers Uncover Hacking Operations Targeting Government Entities in South Korea

Researchers Uncover Hacking Operations Targeting Government Entities in South Korea

June 02, 2021Ravie Lakshmanan
A North Korean threat actor active since 2012 has been behind a new espionage campaign targeting high-profile government officials associated with its southern counterpart to install an Android and Windows backdoor for collecting sensitive information. Cybersecurity firm Malwarebytes attributed the activity to a threat actor tracked as Kimsuky, with the targeted entities comprising of the Ministry of Foreign Affairs, Ambassador of the Embassy of Sri Lanka to the State, International Atomic Energy Agency (IAEA) Nuclear Security Officer, and the Deputy Consul General at Korean Consulate General in Hong Kong. The attacks also involved collecting information about other organizations and universities in the country, including the Korea Internet and Security Agency (KISA), Seoul National University, and Daishin Securities. Malwarebytes, however, noted that there is no evidence of active targeting or compromise by the adversary. The development is only the latest in a series of surveil
Google Researchers Discover A New Variant of Rowhammer Attack

Google Researchers Discover A New Variant of Rowhammer Attack

May 25, 2021Ravie Lakshmanan
A team of security researchers from Google has demonstrated yet another variant of the Rowhammer vulnerability that targets increasingly smaller DRAM chips to bypass all current mitigations, making it a persistent threat to chip security. Dubbed "Half-Double," the new hammering technique hinges on the weak coupling between two memory rows that are not immediately adjacent to each other but one row removed in an attempt to tamper with data stored in memory and attack a system . "Unlike  TRRespass , which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate," the researchers  noted . "This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable." Rowhammer attacks are similar to  speculative execution  
FBI Analyst Charged With Stealing Counterterrorism and Cyber Threat Info

FBI Analyst Charged With Stealing Counterterrorism and Cyber Threat Info

May 22, 2021Ravie Lakshmanan
The U.S. Department of Justice (DoJ) indicted an employee of the Federal Bureau of Investigation (FBI) for illegally removing numerous national security documents and willfully retaining them at her personal residence during a 13-year period from June 2004 to December 2017.  The federal indictment charged Kendra Kingsbury, 48, with two counts of having unauthorized possession of documents relating to the national defense, according to an  unsealed indictment  that was made public on Friday. Kingsbury worked as an intelligence analyst in the FBI's Kansas City Division for more than 12 years, until her suspension in 2017. "The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing,"  said  Alan E. Kohler, Jr. Assistant Director of the FBI's Counterintelligence Division, in a statement. Stating that Kingsbury knew she was not authorized to remove and retain access to these sensitive govern
Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware

Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware

May 21, 2021Ravie Lakshmanan
Microsoft on Thursday warned of a "massive email campaign" that's pushing a Java-based STRRAT malware to steal confidential data from infected systems while disguising itself as a ransomware infection. "This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them," the Microsoft Security Intelligence team  said  in a series of tweets. The new wave of attacks, which the company spotted last week, commences with spam emails sent from compromised email accounts with "Outgoing Payments" in the subject line, luring the recipients into opening malicious PDF documents that claim to be remittances, but in reality, connect to a rogue domain to download the STRRAT malware. Besides establishing connections to a command-and-control server during execution, the malware comes with a range of features that allow it to collect browser passwords, log keystrokes, and run remote command
Watering Hole Attack Was Used to Target Florida Water Utilities

Watering Hole Attack Was Used to Target Florida Water Utilities

May 20, 2021Ravie Lakshmanan
An investigation undertaken in the aftermath of the  Oldsmar water plant hack  earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what's known as a watering hole attack. "This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event," Dragos researcher Kent Backman  said  in a write-up published on Tuesday. The site, which belongs to a Florida-based general contractor involved in building water and wastewater treatment facilities, had no bearing on the intrusion, the American industrial cybersecurity firm said. Watering hole attacks typically allow an adversary to compromise a specific group of end-users by compromising a carefully selected website, which members of that group are known to visit, with an intention to gain access to the victim's system an
Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal

Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal

May 14, 2021Ravie Lakshmanan
Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of its operations as part of an evolving espionage campaign against Indian targets, according to new research. The attacks have been linked to a group called  Transparent Tribe , also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking legitimate Indian military and defense organizations, and other fake domains posing as file-sharing sites to host malicious artifacts. "While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting," researchers from Cisco Talos  said  on Thursday. These domains are used to deliver maldocs distributing  CrimsonRAT , and ObliqueRAT, with the group incorporating new phishing, lu
Rapid7 Source Code Breached in Codecov Supply-Chain Attack

Rapid7 Source Code Breached in Codecov Supply-Chain Attack

May 14, 2021Ravie Lakshmanan
Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm  said  in a disclosure. "These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers." On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident didn't come to light until April 1. "The actor gained access bec
U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyber Attack

U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyber Attack

May 11, 2021Ravie Lakshmanan
The ransomware attack  against Colonial Pipeline's networks has prompted the U.S. Federal Motor Carrier Safety Administration (FMCSA) to issue a  regional emergency declaration  in 17 states and the District of Columbia (D.C.). The declaration provides a temporary exemption to Parts 390 through 399 of the Federal Motor Carrier Safety Regulations ( FMCSRs ), allowing alternate transportation of gasoline, diesel, and refined petroleum products to address supply shortages stemming from the attack. "Such [an] emergency is in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the Affected States," the directive said. "This Declaration addresses the emergency conditions creating a need for immediate transportation of gasoline, diesel, jet fuel, and other refined petroleum products and provides necessary relief." The states
Ransomware Cyber Attack Forced the Largest U.S. Fuel Pipeline to Shut Down

Ransomware Cyber Attack Forced the Largest U.S. Fuel Pipeline to Shut Down

May 09, 2021Ravie Lakshmanan
Colonial Pipeline , which carries 45% of the fuel consumed on the U.S. East Coast, on Saturday said it halted operations due to a ransomware attack,  once again demonstrating  how infrastructure is vulnerable to cyber attacks. "On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack," the company  said  in a statement posted on its website. "We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems." Colonial Pipeline is the largest refined products pipeline in the U.S., a 5,500 mile (8,851 km) system involved in transporting over 100 million gallons from the Texas city of Houston to New York Harbor. Cybersecurity firm FireEye's Mandiant incident response division is said to be assisting with the investigation, according to reports from  Bloomberg
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.