Cyber Attack | Breaking Cybersecurity News | The Hacker News

A previously undocumented "flexible" backdoor called  Kapeka  has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022. The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as  Sandworm  (aka APT44 or Seashell Blizzard). Microsoft is tracking the same malware under the name KnuckleTouch. "The malware [...] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate," security researcher Mohammad Kazem Hassan Nejad  said . Kapeka comes fitted with a dropper that's designed to launch and execute a backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor either as a schedul

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as  CVE-2024-3400  (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall. Fixes for the shortcoming are available in the following versions - PAN-OS 10.2.9-h1 PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 Patches for other commonly deployed maintenance releases are expected to be released over the next few days. "This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled," the company  clarified  in its updated advisory. It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday announced sanctions against an official associated with Hamas for his involvement in cyber influence operations. Hudhayfa Samir 'Abdallah al-Kahlut, 39, also known as Abu Ubaida, has served as the public spokesperson of Izz al-Din al-Qassam Brigades, the military wing of Hamas, since at least 2007. "He publicly threatened to execute civilian hostages held by Hamas following the terrorist group's October 7, 2023, attacks on Israel," the Treasury Department  said . "Al-Kahlut leads the cyber influence department of al-Qassam Brigades. He was involved in procuring servers and domains in Iran to host the official al-Qassam Brigades website in cooperation with Iranian institutions." Alongside Al-Kahlut, two other individuals named William Abu Shanab, 56, and Bara'a Hasan Farhat, 35, for their role in the manufacturing of unmanned aerial vehicles (UAVs) used by Hamas to cond

Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company's Unit 42 division is  tracking  the activity under the name  Operation MidnightEclipse , attributing it as the work of a single threat actor of unknown provenance. The security vulnerability, tracked as  CVE-2024-3400  (CVSS score: 10.0), is a command injection flaw that enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall. It's worth noting that the issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations that have GlobalProtect gateway and device telemetry enabled. Operation MidnightEclipse entails the exploitation of the flaw to create a cron job that runs every minute to fetch commands hosted on an external server ("172.233.228[

Palo Alto Networks is warning that a critical flaw impacting PAN-OS software used in its GlobalProtect gateways is being actively exploited in the wild. Tracked as  CVE-2024-3400 , the issue has a CVSS score of 10.0, indicating maximum severity. "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall," the company  said  in an advisory published today. The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024 - PAN-OS < 11.1.2-h3 PAN-OS < 11.0.4-h1 PAN-OS < 10.2.9-h1 The company also said that the issue is applicable only to firewalls that have the configurations for both  GlobalProtect gateway  (Network > GlobalProtect > Gateways) and  device telemetry  (Device > Setup > Telemetry) enabled.

The banking trojan known as  Mispadu  has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden. Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial facilities, according to Morphisec. "Despite the geographic expansion, Mexico remains the primary target," security researcher Arnold Osipov  said  in a report published last week. "The campaign has resulted in thousands of stolen credentials, with records dating back to April 2023. The threat actor leverages these credentials to orchestrate malicious phishing emails, posing a significant threat to recipients." Mispadu, also called URSA,  came to light  in 2019, when it was observed carrying out credential theft activities aimed at financial institutions in Brazil and Mexico by displaying fake pop-up windows. The Delphi-based malware is also capable of taking screen

The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 for orchestrating a cyber attack targeting the country's Parliament in 2020. The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a "complex criminal infrastructure." The breach was  first disclosed  in December 2020, with the Finnish Security and Intelligence Service (Supo)  describing  it as a  state-backed cyber espionage operation  designed to penetrate the Parliament's information systems. "The police have previously informed that they are investigating the hacking group APT31's connections with the incident," Poliisi said. "These connections have now been confirmed by the investigation, and the police have also identified one suspect." APT31 , also called Altaire, Bronze Vin

In January 2024, Microsoft discovered they'd been the  victim of a hack  orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn't a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a stark reminder of the importance of password security and why organizations need to protect every user account.  Password spraying: A simple yet effective attack The hackers gained entry by using a  password spray attack in November 2023 , Password spraying is a relatively simple brute force technique that involves trying the same password against multiple accounts. By bombarding user accounts with known weak and compromised passwords, the attackers were able to gain access to a legacy non-production test account within the Microsoft system which provided th

Google on Thursday announced an enhanced version of Safe Browsing to provide real-time, privacy-preserving URL protection and safeguard users from visiting potentially malicious sites. "The  Standard protection mode for Chrome  on desktop and iOS will check sites against Google's server-side list of known bad sites in real-time," Google's Jonathan Li and Jasika Bawa  said . "If we suspect a site poses a risk to you or your device, you'll see a warning with more information. By checking sites in real time, we expect to block 25% more phishing attempts." Up until now, the Chrome browser used a locally-stored list of known unsafe sites that's updated every 30 to 60 minutes, and then leveraging a  hash-based approach  to compare every site visited against the database. Google  first revealed  its plans to switch to real-time server-side checks without sharing users' browsing history with the company in September 2023. The reason for the change, the search giant said, is motivated b

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code. According to Sucuri, the campaign has  infected more than 3,900 sites  over the past three weeks. "These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava  said  in a report dated March 7. Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins. The shortcoming was exploited as part of a  Balada Injector campaign  earlier this January, compromising no less than 7,000 sites. The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages. WordPress site owners are reco

Threat actors have been observed leveraging the  QEMU  open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed "large company" to connect to their infrastructure. While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first QEMU that has been used for this purpose. "We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines," Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin  said . "Each of the numerous network devices is defined by its type and supports extra options." In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server. The Russian cybersecurit

The threat actors behind the  BlackCat ransomware  have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner. "ALPHV/BlackCat did not get seized. They are exit scamming their affiliates," security researcher Fabian Wosar  said . "It is blatantly obvious when you check the source code of the new takedown notice." "There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice." The U.K.'s National Crime Agency (NCA)  told  Reuters that it had no connection to any disruptions to the BlackCat infrastructure. Recorded Future security researcher Dmitry Smilyanets  posted  screenshots on the social media platform X in which the BlackCat actors claimed that the "feds screwed us over" and that they intended to sell the ransomware's source code for $5 million. The disappearing

Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called  TimbreStealer . Cisco Talos, which  discovered  the activity, described the authors as skilled and that the "threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as  Mispadu  in September 2023. Besides employing sophisticated obfuscation techniques to sidestep detection and ensure persistence, the phishing campaign makes use of geofencing to single out users in Mexico, returning an innocuous blank PDF file instead of the malicious one if the payload sites are contacted from other locations. Some of the notable evasive maneuvers include leveraging custom loaders and direct system calls to bypass conventional API monitoring, in addition to utilizing Heaven's Gate to execute 64-bit code within a 32-bit process, an approach that was also recently adopted by

Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as  Astaroth  (aka Guildma),  Mekotio , and  Ousaban  (aka Javali) to targets across Latin America (LATAM) and Europe. "The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s)," Cisco Talos researchers  disclosed  last week. The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns. Google Cloud Run is a  managed compute platform  that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloads without having to manage or sca

In the tumultuous landscape of cybersecurity, the year 2023 left an indelible mark with the brazen exploits of the Scattered Spider threat group. Their attacks targeted the nerve centers of major financial and insurance institutions, culminating in what stands as one of the most impactful ransomware assaults in recent memory.  When organizations have no response plan in place for such an attack, it can become overwhelming attempting to prioritize the next steps that will have a compounding impact on the threat actor's ability to retain access to and control over a compromised network. Silverfort's threat research team interacted closely with the identity threats used by Scattered Spider. and in fact, built a response playbook in real time to respond to an active Scattered Spider attack. This webinar will dissect the real-life scenario in which they were called upon to build and execute a response plan while attackers were moving inside an organization's hybrid environme

Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023. This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel. Iran accounted for nearly 80% of all government-backed phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report. "Hack-and-leak and information operations remain a key component in these and related threat actors' efforts to telegraph intent and capability throughout the war, both to their adversaries and to other audiences that they seek to influence," the tech giant  said . But what's also notable about the Israel-Hamas conflict is that the cyber operations appear to be executed independently of the kinetic and batt