The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: Cyber Attack

FBI Mapping 'Joanap Malware' Victims to Disrupt the North Korean Botnet

FBI Mapping 'Joanap Malware' Victims to Disrupt the North Korean Botnet

January 31, 2019Swati Khandelwal
The United States Department of Justice (DoJ) announced Wednesday its effort to "map and further disrupt" a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade. Dubbed Joanap , the botnet is believed to be part of " Hidden Cobra "—an Advanced Persistent Threat (APT) actors' group often known as Lazarus Group and Guardians of Peace and backed by the North Korean government. Hidden Cobra is the same hacking group that has been allegedly associated with the WannaCry ransomware menace in 2016, the SWIFT Banking attack in 2016, as well as Sony Motion Pictures hack in 2014. Dates back to 2009, Joanap is a remote access tool (RAT) that lands on a victim's system with the help an SMB worm called Brambul , which crawls from one computer to another by brute-forcing Windows Server Message Block (SMB) file-sharing services using a list of common passwords. Once there, Brambul downloads Jo
Europol Now Going After People Who Bought DDoS-for-Hire Services

Europol Now Going After People Who Bought DDoS-for-Hire Services

January 29, 2019Swati Khandelwal
If you were a buyer of any online DDoS-for-hire service, you might be in trouble. After taking down and arresting the operators of the world's biggest DDoS-for-hire service last year, the authorities are now in hunt for customers who bought the service that helped cyber criminals launch millions of attacks against several banks, government institutions, and gaming industry. Europol has announced that British police are conducting a number of live operations worldwide to track down the users of the infamous Webstresser.org service that the authorities dismantled in April 2018. Launched in 2015, Webstresser let its customers rent the service for about £10 to launch Distributed Denial of Service (DDoS) attacks against their targets with little to no technical knowledge, which resulted in more than 4 million DDoS attacks. According to the Europol announcement published on Monday, the agency gained access to the accounts of over 151,000 registered Webstresser users last yea
GandCrab ransomware and Ursnif virus spreading via MS Word macros

GandCrab ransomware and Ursnif virus spreading via MS Word macros

January 25, 2019Swati Khandelwal
Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from phishing emails containing an attached Microsoft Word document embedded with malicious macros and then uses Powershell to deliver fileless malware. Ursnif is a data-stealing malware that typically steals sensitive information from compromised computers with an ability to harvest banking credentials, browsing activities, collect keystrokes, system and process information, and deploy additional backdoors. Discovered earlier last year, GandCrab is a widespread ransomware threat that, like every other ransomware in the market, encrypts files on an infected system and insists victims to pay a ransom
Someone Hacked PHP PEAR Site and Replaced the Official Package Manager

Someone Hacked PHP PEAR Site and Replaced the Official Package Manager

January 23, 2019Mohit Kumar
Beware! If you have downloaded PHP PEAR package manager from its official website in past 6 months, we are sorry to say that your server might have been compromised. Last week, the maintainers at PEAR took down the official website of the PEAR ( pear-php.net ) after they found that someone has replaced original PHP PEAR package manager (go-pear.phar) with a modified version in the core PEAR file system. Though the PEAR developers are still in the process of analyzing the malicious package, a security announcement published on January 19, 2019, confirmed that the allegedly hacked website had been serving the installation file contaminated with the malicious code to download for at least half a year. The PHP Extension and Application Repository (PEAR) is a community-driven framework and distribution system that offers anyone to search and download free libraries written in PHP programming language. These open-source libraries (better known as packages) allows developers to ea
DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

January 23, 2019Swati Khandelwal
The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking , which security researchers with "moderate confidence" believe originated from Iran. Domain Name System (DNS) is a key function of the Internet that works as an Internet's directory where your device looks up for the server IP addresses after you enter a human-readable web address (e.g., thehackernews.com). What is DNS Hijacking Attack? DNS hijacking involves changing DNS settings of a domain, redirecting victims to an entirely different attacker-controlled server with a fake version of the websites they are trying to visit, often with an objective to steal users' data. "The attacker alter
New malware found using Google Drive as its command-and-control server

New malware found using Google Drive as its command-and-control server

January 21, 2019Mohit Kumar
Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities. Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (C2) server. DarkHydrus first came to light in August last year when the APT group was leveraging the open-source Phishery tool to carry out credential-harvesting campaign against government entities and educational institutions in the Middle East. The latest malicious campaign conducted by the DarkHydrus APT group was also observed against targets in the Middle East, according to reports published by the 360 Threat Intelligence Center ( 360TIC ) and Palo Alto Networks. This time the advanced threat attackers are using a new variant of their backdoor Trojan, called RogueRobin , which i
Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

January 17, 2019Swati Khandelwal
Ukrainian Police have this week busted out two separate groups of hackers involved in carrying out DDoS attacks against news agencies and stealing money from Ukrainian citizens, respectively. According to the authorities, the four suspected hackers they arrested last week , all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers. The suspects carried out their attacks by scanning vulnerable computers on the Internet and infecting them with a custom Trojan malware to take full remote control of the systems. The group then apparently enabled key-logging on the infected computers in an attempt to capture banking credentials of victims when the owners of those infected computers fill in that information on any banking site or their digital currency wallet. Once getting a hold on the victims banking and financial data, the attackers logged into their online banking accounts
Unprotected Government Server Exposes Years of FBI Investigations

Unprotected Government Server Exposes Years of FBI Investigations

January 17, 2019Swati Khandelwal
A massive government data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server for at least a week, exposing a whopping 3 terabytes of data containing millions of sensitive files. The unsecured storage server, discovered by Greg Pollock , a researcher with cybersecurity firm UpGuard, also contained decades worth of confidential case files from the Oklahoma Securities Commission and many sensitive FBI investigations—all wide open and accessible to anyone without any password. Other severe files exposed included emails, social security numbers, names, and addresses of 10,000 brokers, credentials for remote access to ODS workstations, and communications meant for the Oklahoma Securities Commission, along with a list of identifiable information related to AIDS patients. While the researcher doesn't know exactly how long the server was open to the public, the Shodan search engine revealed that the server had been publicly open since at
Hackers infect e-commerce sites by compromising their advertising partner

Hackers infect e-commerce sites by compromising their advertising partner

January 16, 2019Mohit Kumar
Magecart strikes again, one of the most notorious hacking groups specializes in stealing credit card details from poorly-secured e-commerce websites. According to security researchers from RiskIQ and Trend Micro, cybercriminals of a new subgroup of Magecart, labeled as "Magecart Group 12," recently successfully compromised nearly 277 e-commerce websites by using supply-chain attacks. Magecart is the same group of digital credit card skimmers which made headlines last year for carrying out attacks against some big businesses including Ticketmaster , British Airways , and Newegg . Typically, the Magecart hackers compromise e-commerce sites and insert malicious JavaScript code into their checkout pages that silently captures payment information of customers making purchasing on the sites and then send it to the attacker's remote server. However, the researchers from the two firms today revealed that instead of directly compromising targeted websites, the Magecart G
How to Secure Your Mid-Size Organization From the Next Cyber Attack

How to Secure Your Mid-Size Organization From the Next Cyber Attack

January 15, 2019Mohit Kumar
If you are responsible for the cybersecurity of a medium-sized company , you may assume your organization is too small to be targeted. Well, think again. While the major headlines tend to focus on large enterprises getting breached – such as Sony, Equifax, or Target the actual reality is that small and mid-sized companies are experiencing similar threats. According to Verizon’s 2018 Data Breach Investigations Report, fifty-eight percent of malware attack victims are SMBs. Added to this is the fact that attack vectors that target small and medium-sized businesses are growing increasingly sophisticated, which makes securing them respectively challenging, and the trend of targeting ransomware campaigns on smaller organizations, as attackers assume smaller outfits are more likely to quickly pay in order to avoid damage to their business and reputation. Cisco's 2018 Security Capabilities Benchmark Study states that 44 percent of cyber attacks cost organizations over $500,000 i
DDoSing Hospital Networks Landed This Hacktivist in Jail for Over 10 Years

DDoSing Hospital Networks Landed This Hacktivist in Jail for Over 10 Years

January 11, 2019Mohit Kumar
A simple DDoS attack could land you in jail for 10 years or even more. A Massachusetts man has been sentenced to over 10 years in prison for launching DDoS attacks against the computer network of two healthcare organizations in 2014 to protest the treatment of a teenager at the centers. Beyond serving 121 months in prison, Martin Gottesfeld , 34, was also ordered by U.S. District Judge Nathaniel Gorton to pay nearly $443,000 in restitution for damages he caused to the targeted facilities. Gottesfeld carried out the DDoS attacks on behalf of the Anonymous hacker collective against Boston Children's Hospital (BCH) and Wayside Youth & Family Support Network—a nonprofit home treatment facility that provides a range of mental health counselings to children, young adults, and families in Massachusetts. In April 2014, the hacker used a botnet of over 40,000 network routers that he infected with customized malicious software to carry out the DDoS attacks that not only knocke
Ethereum Classic (ETC) Hit by Double-Spend Attack Worth $1.1 Million

Ethereum Classic (ETC) Hit by Double-Spend Attack Worth $1.1 Million

January 08, 2019Swati Khandelwal
Popular cryptocurrency exchange Coinbase has suspended all transactions of Ethereum Classic (ETC)—the original unforked version of the Ethereum network—on their trading platforms, other products and services after detecting a potential attack on the cryptocurrency network that let someone spend the same digital coins twice. Why is this attack concerning? The heist resulted in the loss of $1.1 million worth of the Ethereum Classic digital currency. The digital currency immediately fell in price after the news came out. Coinbase revealed Monday that it identified "a deep chain reorganization" of the Ethereum Classic blockchain (or 51 percent attack of the network), which means that someone controlling the majority of miners on the network (over 50%) had modified the transaction history. After reorganizing the Ethereum blockchain, the attackers were able to what's called "double spend" about 219,500 ETC by recovering previously spent coins from the rightfu
Hackers Leak Personal Data from Hundreds of German Politicians On Twitter

Hackers Leak Personal Data from Hundreds of German Politicians On Twitter

January 04, 2019Swati Khandelwal
Germany has been hit with the biggest hack in its history. A group of unknown hackers has leaked highly-sensitive personal data from more than 100 German politicians, including German Chancellor Angela Merkel, Brandenburg’s prime minister Dietmar Woidke, along with some German artists, journalists, and YouTube celebrities. The leaked data that was published on a Twitter account ( @_0rbit ) and dated back to before October 2018 includes phone numbers, email addresses, private chats, bills, credit card information and photos of victims' IDs. Although it is yet unclear who perpetrated this mass hack and how they managed to perform it, the leaked data appears to be collected unauthorizedly by hacking into their smartphones. The hack targeted all of Germany's political parties currently represented in the federal parliament, including the CDU, CSU, SPD, FDP, Left party (Die Linke) and Greens, except for the far-right Alternative for Germany (AfD). While Justice Minister
Microsoft Issues Emergency Patch For Under-Attack IE Zero Day

Microsoft Issues Emergency Patch For Under-Attack IE Zero Day

December 20, 2018Swati Khandelwal
Microsoft today issued an out-of-band security update to patch a critical zero-day vulnerability in Internet Explorer (IE) Web browser that attackers are already exploiting in the wild to hack into Windows computers. Discovered by security researcher Clement Lecigne of Google's Threat Analysis Group, the vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the IE browser's scripting engine. According to the advisory, an unspecified memory corruption vulnerability resides in the scripting engine JScript component of Microsoft Internet Explorer that handles execution of scripting languages. If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change,
New Malware Takes Commands From Memes Posted On Twitter

New Malware Takes Commands From Memes Posted On Twitter

December 18, 2018Wang Wei
Security researchers have discovered yet another example of how cybercriminals disguise their malware activities as regular traffic by using legitimate cloud-based services. Trend Micro researchers have uncovered a new piece of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers. Most malware relies on communication with their command-and-control server to receive instructions from attackers and perform various tasks on infected computers. Since security tools keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly using legitimate websites and servers as infrastructure in their attacks to make the malicious software more difficult to detect. In the recently spotted malicious scheme, which according to the researchers is in its early stage, the hackers uses Steganography —a technique of hiding contents within a digital graphic image in such a way that's invisible to an observer—to hid
New Shamoon Malware Variant Targets Italian Oil and Gas Company

New Shamoon Malware Variant Targets Italian Oil and Gas Company

December 14, 2018Swati Khandelwal
Shamoon is back… one of the most destructive malware families that caused damage to Saudi Arabia's largest oil producer in 2012 and this time it has targeted energy sector organizations primarily operating in the Middle East. Earlier this week, Italian oil drilling company Saipem was attacked and sensitive files on about 10 percent of its servers were destroyed, mainly in the Middle East, including Saudi Arabia, the United Arab Emirates and Kuwait, but also in India and Scotland. Saipem admitted Wednesday that the computer virus used in the latest cyber attack against its servers is a variant Shamoon—a disk wiping malware that was used in the most damaging cyber attacks in history against Saudi Aramco and RasGas Co Ltd and destroyed data on more than 30,000 systems. The cyber attack against Saudi Aramco, who is the biggest customer of Saipem, was attributed to Iran, but it is unclear who is behind the latest cyber attacks against Saipem. Meanwhile, Chronicle, Google'
Dell Resets All Customers' Passwords After Potential Security Breach

Dell Resets All Customers' Passwords After Potential Security Breach

November 29, 2018Mohit Kumar
Multinational computer technology company Dell disclosed Wednesday that its online electronics marketplace experienced a "cybersecurity incident" earlier this month when an unknown group of hackers infiltrated its internal network. On November 9, Dell detected and disrupted unauthorized activity on its network attempting to steal customer information, including their names, email addresses and hashed passwords. According to the company, the initial investigation found no conclusive evidence that the hackers succeeded to extract any information, but as a countermeasure Dell has reset passwords for all accounts on Dell.com website whether the data had been stolen or not. Dell did not share any information on how hackers managed to infiltrate its network at the first place or how many user accounts were affected, but the company did confirm that payment information and Social Security numbers were not targeted. "Credit card and other sensitive customer information
U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

November 28, 2018Mohit Kumar
The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware. The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed. The duo used SamSam ransomware to extort over $6 million in ransom payments since 2015, and also caused more than $30 million in damages to over 200 victims, including hospitals , municipalities, and public institutions. According to the indictment, Savandi and Mansouri have been charged with a total of six counts, including one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer, and two counts of transmitting a demand in relation to damaging a protected computer. Si
Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

November 27, 2018Mohit Kumar
A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is "Event-Stream," a toolkit that makes it easy for developers to create and work with streams, a collection of data in Node.js — just like arrays or strings. The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository , and had since been downloaded by nearly 8 million application programmers. Event-Stream module for Node.js was originally created by Dominic Tarr, who maintained the Event-Stream library for a long time, but handed over the development and maintenance of the project several months ago to an unknown programmer, called "right9ctrl." Apparently, right9ctrl gained Dominic's trust by making
Real Identity of Hacker Who Sold LinkedIn, Dropbox Databases Revealed

Real Identity of Hacker Who Sold LinkedIn, Dropbox Databases Revealed

November 21, 2018Swati Khandelwal
The real identity of Tessa88—the notorious hacker tied to several high-profile cyber attacks including the LinkedIn , DropBox and MySpace mega breaches—has been revealed as Maksim Vladimirovich Donakov (Максим Владимирович Донаков), a resident of Penza, Russian Federation. In early 2016, a hacker with pseudonym Tessa88 emerged online offering stolen databases from some of the biggest social media websites in the world, including LinkedIn, MySpace, VKontakte (vk.com), Dropbox, Rambler , and Twitter , for sale in various underground hacking forums. The stolen data, taken years ago from several social media sites, included more than half a billion username and password combinations, which were then used in phishing, account takeover, and other cyber attacks. Though Tessa88's profile was active for a few months between February and May 2016, the OPSEC analysis revealed that the same person was involved in various cybercriminal activities since as early as 2012 under different
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.