Cyber Attack | Breaking Cybersecurity News | The Hacker News

Security researchers from Check Point Threat Intelligence Team have discovered the comeback of an APT (advanced persistent threat) surveillance group targeting institutions across the Middle East, specifically the Palestinian Authority. The attack, dubbed "Big Bang," begins with a phishing email sent to targeted victims that includes an attachment of a self-extracting archive containing two files—a Word document and a malicious executable. Posing to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy to distract victims while the malware is installed in the background. The malicious executable, which runs in the background, act as the first stage info-stealer malware designed for intelligence gathering to identify potential victims (on the basis of what is unclear as of now), and then it accordingly downloads the second stage malware designed for espionage. "While the analysis...discloses the capabilities of

Digitally signed malware has become much more common in recent years to mask malicious intentions. Security researchers have discovered a new malware campaign misusing stolen valid digital certificates from Taiwanese tech-companies, including D-Link, to sign their malware and making them look like legitimate applications. As you may know, digital certificates issued by a trusted certificate authority (CA) are used to cryptographically sign computer applications and software and are trusted by your computer for execution of those programs without any warning messages. However, malware author and hackers who are always in search of advanced techniques to bypass security solutions have seen been abusing trusted digital certificates in recent years. Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer

To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

Hacker himself got hacked. It turns out that most samples of the LokiBot malware being distributed in the wild are modified versions of the original sample, a security researcher has learned. Targeting users since 2015, LokiBot is a password and cryptocoin-wallet stealer that can harvest credentials from a variety of popular web browsers, FTP, poker and email clients, as well as IT administration tools such as PuTTY. The original LokiBot malware was developed and sold by online alias "lokistov," a.k.a. "Carter," on multiple underground hacking forums for up to $300, but later some other hackers on the dark web also started selling same malware for a lesser price (as low as $80). It was believed that the source code for LokiBot was leaked which might have allowed others to compile their own versions of the stealer. However, a researcher who goes by alias " d00rt " on Twitter found that someone made little changes (patching) in the original Lok

Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations to decide which of the two schemes could be more profitable. While ransomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption key required to decrypt your files, cryptocurrency miners utilize infected system's CPU power to mine digital currencies . Both ransomware and cryptocurrency mining-based attacks have been the top threats so far this year and share many similarities such as both are non-sophisticated attacks, carried out for money against non-targeted users, and involve digital currency. However, since locking a computer for ransom doesn't always guarantee a payback in case victims have nothing essential to losing, in past months cybercriminals have shifted more towards fraudulent cryptocurrency

Maintainers of the Gentoo Linux distribution have now revealed the impact and "root cause" of the attack that saw unknown hackers taking control of its GitHub account last week and modifying the content of its repositories and pages. The hackers not only managed to change the content in compromised repositories but also locked out Gentoo developers from their GitHub organisation. As a result of the incident, the developers were unable to use GitHub for five days. What Went Wrong? Gentoo developers have revealed that the attackers were able to gain administrative privileges for its Github account, after guessing the account password. The organisation could have been saved if it was using a two-factor authentication, which requires an additional passcode besides the password in order to gain access to the account. "The attacker gained access to a password of an organization administrator. Evidence collected suggests a password scheme where disclosure on on

Global entertainment ticketing service Ticketmaster has admitted that the company has suffered a security breach, warning customers that their personal and payment information may have been accessed by an unknown third-party. The company has blamed a third-party support customer service chat application for the data breach that believed to affect tens of thousands of its customers. The customer support chat application, made by Inbenta Technologies—a third-party artificial intelligence tech supplier—used to help major websites interact with their customers. In its statement , Ticketmaster said it discovered malicious software on the customer support application hosted on its UK website that allowed attackers to extract the personal and payment information from its customers buying tickets. Ticketmaster disabled the Inbenta product across all of its websites as soon as it recognized the malicious code. However, Inbenta Technologies turned away blame back to Ticketmaster, sa

Security researchers have uncovered a new highly-targeted cyber espionage campaign, which is believed to be associated with a hacking group behind KHRAT backdoor Trojan and has been targeting organizations in South East Asia. According to researchers from Palo Alto , the hacking group, which they dubbed RANCOR, has been found using two new malware families—PLAINTEE and DDKONG—to target political entities primarily in Singapore and Cambodia. However, in previous years, threat actors behind KHRAT Trojan were allegedly linked to a Chinese cyber espionage group, known as DragonOK. While monitoring the C&C infrastructure associated with KHRAT trojan, researchers identified multiple variants of these two malware families, where PLAINTEE appears to be the latest weapon in the group's arsenal that uses a custom UDP protocol to communicate with its remote command-and-control server. To deliver both PLAINTEE and DDKONG, attackers use spear phishing messages with different inf

Security-oriented BSD operating system OpenBSD has decided to disable support for Intel's hyper-threading performance-boosting feature, citing security concerns over Spectre-style timing attacks . Introduced in 2002, Hyper-threading is Intel's implementation of Simultaneous Multi-Threading (SMT) that allows the operating system to use a virtual core for each physical core present in processors in order to improve performance. The Hyper-threading feature comes enabled on computers by default for performance boosting, but in a detailed post published Tuesday, OpenBSD maintainer Mark Kettenis said such processor implementations could lead to Spectre-style timing attacks. "SMT (Simultaneous multithreading) implementations typically share TLBs and L1 caches between threads," Kettenis wrote. "This can make cache timing attacks a lot easier, and we strongly suspect that this will make several Spectre-class bugs exploitable." In cryptography, side-channe

Security researchers have been warning about a simple technique that cyber criminals and email scammers are using in the wild to bypass most AI-powered phishing detection mechanisms implemented by widely used email services and web security scanners. Dubbed ZeroFont , the technique involves inserting hidden words with a font size of zero within the actual content of a phishing email, keeping its visual appearance same, but at the same time, making it non-malicious in the eyes of email security scanners. According to cloud security company Avanan , Microsoft Office 365 also fails to detect such emails as malicious crafted using ZeroFont technique. Like Microsoft Office 365, many emails and web security services use natural language processing and other artificial intelligence-based machine learning techniques to identify malicious or phishing emails faster. The technology helps security companies to analyze, understand and derive meaning from unstructured text embedded in an

Remember the ' Olympic Destroyer ' cyber attack? The group behind it is still alive, kicking and has now been found targeting biological and chemical threat prevention laboratories in Europe and Ukraine, and a few financial organisation in Russia. Earlier this year, an unknown group of notorious hackers targeted Winter Olympic Games 2018 , held in South Korea, using a destructive malware that purposely planted sophisticated false flags to trick researchers into mis-attributing the campaign. Unfortunately, the destructive malware was successful to some extent, at least for a next few days, as immediately after the attack various security researchers postmortem the Olympic Destroyer malware and started attributing the attack to different nation-state hacking groups from North Korea, Russia, and China. Later researchers from Russian antivirus vendor Kaspersky Labs uncovered more details about the attack, including the evidence of false attribution artifacts, and conclud

A 29-year-old former CIA computer programmer who was charged with possession of child pornography last year has now been charged with masterminding the largest leak of classified information in the agency's history. Joshua Adam Schulte , who once created malware for both the CIA and NSA to break into adversaries computers, was indicted Monday by the Department of Justice on 13 charges of allegedly stealing and transmitting thousands of classified CIA documents , software projects , and hacking utilities . Schulte has also been suspected of leaking the stolen archive of documents to anti-secrecy organization WikiLeaks, who then began publishing the classified information in March 2017 in a series of leaks under the name " Vault 7 ." It is yet unconfirmed whether Schulte leaked documents to WikiLeaks and if yes, then when, but he had already been a suspect since January 2017 of stealing classified national defense information from the CIA in 2016. According to

Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks. The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers from Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called LuckyMouse . LuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year. The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors. This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain "access to a wide range of government

It's no secret that expecting security controls to block every infection vector is unrealistic. For most organizations, the chances are very high that threats have already penetrated their defenses and are lurking in their network. Pinpointing such threats quickly is essential, but traditional approaches to finding these needles in the haystack often fall short. Now there is a unique opportunity for more feasible, more effective threat hunting capabilities, and it stems from a most unusual effort: rethinking the approach to wide area networking. When we look at the cyber kill-chain today, there are two major phases—infection and post-infection. Security experts acknowledge that organizations can get infected no matter how good their security controls are. The simple fact is, infection vectors change rapidly and continuously. Attackers use new delivery methods – everything from social engineering to zero-day exploits – and they often are effective. In most cases, an infecti

Security researchers have been warning about cybercriminals who have made over 20 million dollars in just past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet. Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for port 8545 to find insecure geth clients running Ethereum nodes and, at that time, stole 3.96234 units of Ethereum cryptocurrency (Ether). However, researchers now noticed that another cybercriminal group have managed to steal a total 38,642 Ether, worth more than $20,500,000 at the time of writing, in past few months by hijacking Ethereum wallets of users who had opened their JSON-RPC port 8545 to the outside world. Geth is one of the most popular clients for running Ethereum node and enabling JSON-RPC interface on it allows users to remotely access the Ethereum blockchain and node functionalities, including the ability to send transactions from any account which has been unlocked b

If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it. Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users. Independently discovered last week by several security firms—including ICEBRG ,  Qihoo 360  and Tencent—the Adobe Flash player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet. "The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers," Qihoo 360 published vulnerability analysis in a blog post. The stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on

After the discovery of massive VPNFilter malware botnet , security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a wide number of organizations across the world. Dubbed Operation Prowli , the campaign has been spreading malware and injecting malicious code to take over servers and websites around the world using various attack techniques including use of exploits, password brute-forcing and abusing weak configurations. Discovered by researchers at the GuardiCore security team, Operation Prowli has already hit more than 40,000 victim machines from over 9,000 businesses in various domains, including finance, education and government organisations. Here's the list devices and services infected by the Prowli malware: Drupal and WordPress CMS servers hosting popular websites Joomla! servers running the K2 extension Backup servers running HP Data Protector softw

Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago. Security researcher Troy Mursch scanned the whole Internet and found  over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings. Drupalgeddon2 (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites. For those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user. Since Drupalgeddon2 had much potential to derive attention of motivated attacke

Despite the continual emergence of new cyber attacks because of misconfigured servers and applications, people continue to ignore security warnings. A massive malware campaign designed to target open Redis servers, about which researchers warned almost two months ago, has now grown and already hijacked at least 75% of the total servers running publicly accessible Redis instances. Redis, or REmote DIctionary Server, is an open source, widely popular data structure tool that can be used as an in-memory distributed database, message broker or cache. Since it is designed to be accessed inside trusted environments, it should not be exposed on the Internet. Dubbed RedisWannaMine , a similar malware leveraging same loophole was discovered in late March by data center security vendor Imperva and designed to drop a cryptocurrency mining script on the targeted servers—both database and application. According to Imperva's March blog post , this cryptojacking threat was "more c