Cyber Attack | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers today took the wraps off a previously undocumented backdoor and document stealer that has been deployed against specific targets from 2015 to early 2020. Codenamed " Crutch " by ESET researchers, the malware has been attributed to  Turla  (aka Venomous Bear or Snake), a Russia-based advanced hacker group known for its extensive attacks against governments, embassies, and military organizations through various watering hole and spear-phishing campaigns. "These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators," the cybersecurity firm said in an analysis shared with The Hacker News. The backdoor implants were secretly installed on several machines belonging to the Ministry of Foreign Affairs in an unnamed country of the European Union. Besides identifying strong links between a Crutch sample from 2016 and Turla's yet another second-stage backdoor called  Gazer , t

A nation-state actor known for its cyber espionage campaigns since 2012 is now using coin miner techniques to stay under the radar and establish persistence on victim systems, according to new research. Attributing the shift to a threat actor tracked as Bismuth, Microsoft's Microsoft 365 Defender Threat Intelligence Team said the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam between July and August earlier this year. "The coin miners also allowed Bismuth to hide its more nefarious activities behind threats that may be perceived to be less alarming because they're 'commodity' malware," the researchers  said  in an analysis published yesterday. The primary victims of the attack have been traced to state-owned enterprises in Vietnam and entities with ties to a Vietnamese government agency. The Windows maker likened Bismuth to  OceanLotus  (or APT32), linking it to spyware

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old backdoor Trojan. Check Point Research called out hackers affiliated with a group named  Dark Caracal  in a  new report  published yesterday for their efforts to deploy "dozens of digitally signed variants" of the  Bandook  Windows Trojan over the past year, thus once again "reigniting interest in this old malware family." The different verticals singled out by the threat actor include government, financial, energy, food industry, healthcare, education, IT, and legal institutions located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the US. The unusually large variety of targeted markets and locations "reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive

Cybersecurity researchers today unveiled a complex and targeted espionage attack on potential government sector victims in South East Asia that they believe was carried out by a sophisticated Chinese APT group at least since 2018. "The attack has a complex and complete arsenal of droppers, backdoors and other tools involving Chinoxy backdoor, PcShare RAT and FunnyDream backdoor binaries, with forensic artefacts pointing towards a sophisticated Chinese actor," Bitdefender said in a new analysis shared with The Hacker News. It's worth noting that the  FunnyDream  campaign has been previously linked to high-profile government entities in Malaysia, Taiwan, and the Philippines, with a majority of victims located in Vietnam. According to the researchers, not only around 200 machines exhibited attack indicators associated with the campaign, evidence points to the fact the threat actor may have compromised  domain controllers  on the victim's network, allowing them to mo

Cybersecurity researchers today disclosed a new kind of modular backdoor that targets point-of-sale (POS) restaurant management software from Oracle in an attempt to pilfer sensitive payment information stored in the devices. The backdoor — dubbed "ModPipe" — impacts Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS systems, a widely used software suite in restaurants and hospitality establishments to efficiently handle POS, inventory, and labor management. A majority of the identified targets are primarily located in the US. "What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values," ESET researchers said in an analysis . "Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information ab

A week after the US government issued an advisory about a "global intelligence gathering mission" operated by North Korean  state-sponsored hackers , new findings have emerged about the threat group's spyware capabilities. The APT — dubbed " Kimsuky " (aka Black Banshee or Thallium) and believed to be active as early as 2012 — has been now linked to as many as three hitherto undocumented malware, including an information stealer, a tool equipped with malware anti-analysis features, and a new server infrastructure with significant overlaps to its older espionage framework. "The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe," Cybereason researchers said in an  analysis  yesterday. Last week, the FBI and department

The US Federal Bureau of Investigation (FBI), Departments of Homeland Security, and Health and Human Services (HHS) issued a joint alert Wednesday warning of an "imminent" increase in ransomware and other cyberattacks against hospitals and healthcare providers. "Malicious cyber actors are targeting the [Healthcare and Public Health] Sector with TrickBot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services," the Cybersecurity and Infrastructure Security Agency  said  in its advisory. The infamous botnet typically spreads via malicious spam email to unsuspecting recipients and can steal financial and personal data and drop other software, such as ransomware, onto infected systems. It's worth noting that cybercriminals have already used TrickBot against a major healthcare provider,  Universal Health Services , whose systems were crippled by Ryuk ransomware late last month. TrickBot has also seen a severe  disrupt

Efforts to disrupt TrickBot may have  shut down  most of its critical infrastructure, but the operators behind the notorious malware aren't sitting idle. According to new findings shared by cybersecurity firm  Netscout , TrickBot's authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted. TrickBot, a financial Trojan first detected in 2016, has been traditionally a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and perpetrate ransomware attacks. But over the past few weeks, twin efforts led by the US Cyber Command and Microsoft have helped to  eliminate 94%  of TrickBot's command-and-control (C2) servers that were in use and the new infrastructure the criminals operating TrickBot attempted to bring online to replace the previously disabled servers. Despite the steps taken to impede TrickBot, Microsof

Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. Google released Chrome version 86.0.4240.111 today to patch several security high-severity issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers. Tracked as CVE-2020-15999 , the actively exploited vulnerability is a type of memory-corruption flaw called heap buffer overflow in Freetype, a popular open source software development library for rendering fonts that comes packaged with Chrome. The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19 and is subject to a seven-day public disclosure deadline due to the flaw being under active exploitation. Glazunov also immediately reported the zero-day vulnerability to FreeType developers, who then

The US government on Monday formally charged six Russian intelligence officers for carrying out destructive malware attacks with an aim to disrupt and destabilize other nations and cause monetary losses. The individuals, who work for Unit 74455 of the Russian Main Intelligence Directorate (GRU), have been accused of perpetrating the "most disruptive and destructive series of computer attacks ever attributed to a single group," according to the Justice Department ( DoJ ). All the six men — Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin — have been charged with seven counts of conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. "The object of the conspiracy was to deploy destructive malware and take other disruptive actions, for the strateg

Cybersecurity researchers uncovered fresh evidence of an ongoing cyberespionage campaign against Indian defense units and armed forces personnel at least since 2019 with an aim to steal sensitive information. Dubbed " Operation SideCopy " by Indian cybersecurity firm  Quick Heal , the attacks have been attributed to an advanced persistent threat (APT) group that has successfully managed to stay under the radar by "copying" the tactics of other threat actors such as the  SideWinder . Exploiting Microsoft Equation Editor Flaw The campaign's starting point is an email with an embedded malicious attachment — either in the form of a ZIP file containing an LNK file or a Microsoft Word document — that triggers an infection chain via a series of steps to download the final-stage payload. Aside from identifying three different infection chains, what's notable is the fact that one of them exploited template injection and Microsoft Equation Editor flaw ( CVE-2017

As ransomware attacks  against critical infrastructure continue to spike in recent months, cybersecurity researchers have uncovered a new entrant that has been actively trying to conduct multistage attacks on large corporate networks of medical labs, banks, manufacturers, and software developers in Russia. The ransomware gang, codenamed "OldGremlin" and believed to be a Russian-speaking threat actor, has been linked to a series of campaigns at least since March, including a successful attack against a clinical diagnostics laboratory that occurred last month on August 11. "The group has targeted only Russian companies so far, which was typical for many Russian-speaking adversaries, such as  Silence  and  Cobalt , at the beginning of their criminal path," Singaporean cybersecurity firm Group-IB said in a report published today and shared with The Hacker News. "Using Russia as a testing ground, these groups then switched to other geographies to distance thems

A UK man who threatened to publicly release stolen confidential information unless the victims agreed to fulfill his digital extortion demands has finally pleaded guilty on Monday at U.S. federal district court in St. Louis, Missouri. Nathan Francis Wyatt , 39, who is a key member of the infamous international hacking group 'The Dark Overlord,' has been sentenced to five years in prison and ordered to pay $1,467,048 in restitution to his victims. Wyatt, who was extradited to the United States late last year after being held for over two years in the United Kingdom, has pleaded guilty to conspiring to commit aggravated identity theft and computer fraud. U.K. police first arrested Wyatt in September 2016 during an investigation into the hacking of an iCloud account belonging to Pippa Middleton, the younger sister of the British royal family member Duchess of Cambridge, and stealing 3,000 images of her. Though he was released in that case without charge due to lack of

German authorities last week  disclosed  that a ransomware attack on the University Hospital of Düsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away. The incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which has ramped up in recent months. The attack, which exploited a Citrix ADC  CVE-2019-19781  vulnerability to cripple the hospital systems on September 10, is said to have been "misdirected" in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators. After law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key. The case is currently being treated as a homicide, BBC News  reported  over the weekend. Unpatched Vulnerabilities

The U.S. government on Thursday imposed  sweeping sanctions  against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target Rana Intelligence Computing Company (or Rana), which the agencies said operated as a front for the threat group  APT39  (aka Chafer or Remix Kitten), Iranian cyber espionage hacking collective active since 2014 known for its attacks on companies in the U.S. and the Middle East with an aim to pilfer personal information and advance Iran's national security objectives. To that effect, 45 individuals who served in various capacities while employed at the front company, including as managers, programmers, and hacking experts, have been implicated in the sanctions, which also prohibit U

Immediately after revealing criminal charges against 5 Chinese and 2 Malaysian hackers , the United States government yesterday also made two separate announcements charging two Iranian and two Russian hackers and added them to the FBI's most-wanted list. The two Russian nationals—Danil Potekhin and Dmitrii Karasavidi—are accused of stealing $16.8 million worth of cryptocurrencies in a series of phishing attacks throughout 2017 and 2018. "This tactic used a combination of phishing and spoofing to exploit Internet users' trust in known companies and organizations to fraudulently obtain their login credentials, including email addresses, password information, and other personal information," the DoJ said . In addition to the criminal charges, the U.S. Department of the Treasury has also sanctioned both Russian hackers , freezing all their assets under U.S. jurisdiction and banning them from doing business with Americans. "Karasavidi laundered the proceeds

The United States government today announced charges against 5 alleged members of a Chinese state-sponsored hacking group and 2 Malaysian hackers that are responsible for hacking more than 100 companies throughout the world. Named as APT41 and also known as 'Barium,' 'Winnti, 'Wicked Panda,' and 'Wicked Spider,' the cyber-espionage group has been operating since at least 2012 and is not just involved in strategic intelligence collection from valuable targets in many sectors, but also behind financially motivated attacks against online gaming industry. According to a press release published by the U.S. Justice Department, two of the five Chinese hackers—Zhang Haoran (张浩然) and Tan Dailin (谭戴林)—were charged back in August 2019, and the other three of them—Jiang Lizhi (蒋立志), Qian Chuan (钱川) and Fu Qiang (付强)—and two Malaysian co-conspirators were in separate indictments in August 2020. The later indicted three Chinese hackers are associated with a netw

The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected computer for a widespread "cyber-assault" that affected over 1,400 websites with pro-Iranian and pro-Palestinian messages. "The hackers victimized innocent third parties in a campaign to retaliate for the military action that killed Soleimani, a man behind countless acts of terror against Americans and others that the Iranian regime opposed," said Assistant Attorney General for National Security John C. Demers in a statement. The defendants, from Iran and Palestine, respectively, are now wanted by the US authorities and are no longer free to travel outside their countries wi