The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Cyber Attack

Researchers uncover a new Iranian malware used in recent cyberattacks

Researchers uncover a new Iranian malware used in recent cyberattacks

April 08, 2021Ravie Lakshmanan
An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with previous techniques used by the threat actor as well as based on its pattern of victimology. APT34  (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting financial, government, energy, chemical, and telecommunications industries in the Middle East. The group typically resorts to targeting individuals through the use of booby-trapped job offer documents, delivered directly to the victims via LinkedIn messages. Although the latest campaign bears some of the same hallmarks, the exact mode of delivery remains unclear as yet. The Word document analyzed by Check Point — which was  uploaded  to VirusTotal from Lebanon on January 10 — claims to of
Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets

Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets

April 08, 2021Ravie Lakshmanan
Unpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called "Cring" inside corporate networks. At least one of the hacking incidents led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim. The attacks happened in the first quarter of 2021, between January and March. "Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,"  said  Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT. The disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)  warned  of advanced persistent threat (APT) actor
PHP Site's User Database Was Hacked In Recent Source Code Backdoor Attack

PHP Site's User Database Was Hacked In Recent Source Code Backdoor Attack

April 07, 2021Ravie Lakshmanan
The maintainers of the PHP programming language have issued an update regarding the security incident that came to light late last month, stating that the actors may have gotten hold of a user database containing their passwords to make unauthorized changes to the repository. "We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked," Nikita Popov  said  in a message posted on its mailing list on April 6. On March 28, unidentified actors used the names of Rasmus Lerdorf and Popov to  push malicious commits  to the "php-src" repository hosted on the git.php.net server that involved adding a backdoor to the PHP source code in an instance of a software supply chain attack. While this was initially treated as a compromise of the git.php.net server, further investigation into the incident has revealed that the commits were a result of pushing them using HTTPS and password-based authentica
Hackers From China Target Vietnamese Military and Government

Hackers From China Target Vietnamese Military and Government

April 06, 2021Ravie Lakshmanan
A hacking group related to a Chinese-speaking threat actor has been linked to an advanced cyberespionage campaign targeting government and military organizations in Vietnam. The attacks have been attributed with low confidence to the advanced persistent threat (APT) called  Cycldek  (or Goblin Panda, Hellsing, APT 27, and Conimes), which is known for using spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the U.S. at least since 2013. According to researchers from Kaspersky, the offensive, which was observed between June 2020 and January 2021, leverages a method called DLL side-loading to execute shellcode that decrypts a final payload dubbed " FoundCore ." DLL side-loading  has been a tried-and-tested technique used by various threat actors as an obfuscation tactic to bypass antivirus defenses. By loading malicious DLLs into legitimate executables, the idea is to mask their malicious activity under a trusted system or software proc
22-Year-Old Charged With Hacking Water System and Endangering Lives

22-Year-Old Charged With Hacking Water System and Endangering Lives

April 01, 2021Ravie Lakshmanan
A 22-year-old man from the U.S. state of Kansas has been indicted on charges that he unauthorizedly accessed a public water facility's computer system, jeopardizing the residents' safety and health in the local community. Wyatt A. Travnichek, 22, of Ellsworth County, Kansas, has been charged with one count of tampering with a public water system and one count of reckless damage to a protected computer during unauthorized access, according to the Department of Justice (DoJ). "By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community,"  said  Lance Ehrig, Special Agent in Charge of the Environmental Protection Agency (EPA) Criminal Investigation Division in Kansas. "EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today's indictment sends a clear message that individuals who intentionall
Hackers Set Up a Fake Cybersecurity Firm to Target Security Experts

Hackers Set Up a Fake Cybersecurity Firm to Target Security Experts

March 31, 2021Ravie Lakshmanan
A North Korean government-backed campaign targeting cybersecurity researchers with malware has re-emerged with new tactics in their arsenal as part of a fresh social engineering attack. In an update shared on Wednesday, Google's Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company's booby-trapped website "where a browser exploit was waiting to be triggered." "The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits," TAG's Adam Weidemann  said . The website is said to have gone live on March 17. A total of eight Twitter profiles and seven LinkedIn profiles, who claimed to be vulnerability researchers and human resources personnel at different security firms (inclu
Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers

Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers

March 25, 2021Ravie Lakshmanan
More than a week after Microsoft released a  one-click mitigation tool  to mitigate cyberattacks targeting on-premises Exchange servers, the company  disclosed  that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities. The development, a 43% improvement from the previous week, caps off a whirlwind of espionage and malware campaigns that hit thousands of companies worldwide, with as many as 10 advanced persistent threat (APT) groups opportunistically moving quickly to exploit the bugs. According to telemetry data from RiskIQ, there are roughly 29,966 instances of Microsoft Exchange servers still exposed to attacks, down from 92,072 on March 10. While Exchange servers were under assault by multiple Chinese-linked state-sponsored hacking groups prior to  Microsoft's patch  on March 2, the release of  public proof-of-concept  exploits fanned a feeding frenzy of infections, opening the door for escalating attacks like ransomwar
Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers

Purple Fox Rootkit Can Now Spread Itself to Other Windows Computers

March 23, 2021Ravie Lakshmanan
Purple Fox , a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities. The ongoing campaign makes use of a "novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes," according to  Guardicore researchers , who say the attacks have spiked by about 600% since May 2020. A total of 90,000 incidents have been spotted through the rest of 2020 and the beginning of 2021. First discovered in March 2018, Purple Fox is distributed in the form of malicious ".msi" payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with  rootkit capabilities , which enables the threat actors to hide the malware on the machine and make it easy to evade detection. Guardicore says Purple Fox hasn't changed much post-exploitat
WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack

WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack

March 22, 2021Ravie Lakshmanan
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an "improper input validation" issue in Qualcomm's Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device's memory. "There are indications that CVE-2020-11261 may be under limited, targeted exploitation," the search giant said in an updated January security bulletin on March 18. CVE-2020-11261 was discovered and reported to Qualcomm by Google's Android Security team on July 20, 2020, after which it was fixed in January 2021. It's worth noting that the access vector for the vulnerability is "local," meaning that exploitation requires local access to the device. In other words, to launch a successful attack, the
Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud

Tesla Ransomware Hacker Pleads Guilty; Swiss Hacktivist Charged for Fraud

March 19, 2021Ravie Lakshmanan
The U.S. Department of Justice yesterday announced updates on two separate cases involving cyberattacks—a Swiss hacktivist and a Russian hacker who planned to plant malware in the Tesla company. A Swiss hacker who was involved in the intrusion of cloud-based surveillance firm Verkada and exposed camera footage from its customers was charged by the U.S. Department of Justice (DoJ) on Thursday with conspiracy, wire fraud, and identity theft. Till Kottmann (aka "deletescape" and "tillie crimew"), 21, of Lucerne, Switzerland, and their co-conspirators were accused of hacking dozens of companies and government agencies since 2019 by targeting their "git" and other source code repositories and posting the proprietary data of more than 100 entities on a website called git[.]rip, according to the indictment. Kottmann is alleged to have cloned the source code and other confidential files containing hard-coded administrative credentials and access keys, using th
Mimecast Finds SolarWinds Hackers Stole Some of Its Source Code

Mimecast Finds SolarWinds Hackers Stole Some of Its Source Code

March 17, 2021Ravie Lakshmanan
Email security firm Mimecast on Tuesday revealed that the state-sponsored SolarWinds hackers who broke into its internal network also downloaded source code out of a limited number of repositories. "The threat actor did access a subset of email addresses and other contact information and hashed and salted credentials," the company  said  in a write-up detailing its investigation, adding the adversary "accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack." But Mimecast said the source code downloaded by the attackers was incomplete and would be insufficient to build and run any aspect of the Mimecast service and that it did not find signs of any tampering made by the threat actor to the build process associated with the executables that are distributed to its customers.  On January 12, Mimecast  disclosed  that "a sophisticated th
18-Year-Old Hacker Gets 3 Years in Prison for Massive Twitter 'Bitcoin Scam' Hack

18-Year-Old Hacker Gets 3 Years in Prison for Massive Twitter 'Bitcoin Scam' Hack

March 17, 2021Ravie Lakshmanan
A Florida teen accused of masterminding the hacks of several high-profile Twitter accounts last summer as part of a widespread cryptocurrency scam pled guilty to fraud charges in exchange for a three-year prison sentence. Graham Ivan Clark, 18, will also serve an additional three years on probation. The development comes after the U.S. Department of Justice (DoJ)  charged  Mason Sheppard (aka Chaewon), Nima Fazeli (aka Rolex), and Clark (then a juvenile) with conspiracy to commit wire fraud and money laundering. Specifically, 30 felony charges were filed against Clark, including one count of organized fraud, 17 counts of communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information, and one count of access to computer or electronic device without authority. On July 15, 2020, Twitter  suffered  one of the biggest security lapses in its history after the attackers managed to hi
Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks

Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks

March 15, 2021Ravie Lakshmanan
Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread  ProxyLogon Exchange Server  cyberattacks. Called Exchange On-premises Mitigation Tool ( EOMT ), the PowerShell-based script serves to mitigate against current known attacks using CVE-2021-26855, scan the Exchange Server using the  Microsoft Safety Scanner  for any deployed web shells, and attempt to remediate the detected compromises. "This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update," Microsoft  said . The development comes in the wake of indiscriminate attacks against unpatched Exchange Servers across the world by more than ten advanced persistent threat actors — most of the government-backed cyberespionage groups — to plant backdoors, coin miners, and  ransomware ,
Rising Demand for DDoS Protection Software Market By 2020-2028

Rising Demand for DDoS Protection Software Market By 2020-2028

March 15, 2021The Hacker News
Distributed Denial of Service (DDoS) attack is a malicious form of attack that disrupts the regular network traffic by overwhelming the website with more traffic than the server can handle. The main aim of this kind of cyberattack is to render the website inoperable. Over recent years, these kinds of attacks are increasing, fueling the demand for the  best DDoS protection  software solutions. Many unplanned data center outages are owing to DDoS attacks. The threat of DDoS is due to access to easy-to-use tools and the profit potential through extortion.  The attacks target businesses directly, leading to substantial financial and personal losses, making it critical to have robust DDoS protection software solutions in place. According to the report of  Market Research Inc , the DDoS protection Software Market is predicted to reach +14% CAGR by 2020 – 2028.  Important Statistics to illustrate the growing demand for DDoS Software Solutions Demand for the DDoS software market is on th
Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

March 12, 2021Ravie Lakshmanan
Google has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month. The browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users. While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a  use after free  vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193. Details about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9. According to IBM, the vulnerability is rated 8.8 out of 10 on the CVSS scale, and could allow a remote attacker to execute arbitrary code on the target system. "By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system," the
FIN8 Hackers Return With More Powerful Version of BADHATCH PoS Malware

FIN8 Hackers Return With More Powerful Version of BADHATCH PoS Malware

March 10, 2021Ravie Lakshmanan
Threat actors known for keeping a low profile do so by ceasing operations for prolonged periods in between to evade attracting any attention as well as constantly refining their toolsets to fly below the radar of many detection technologies. One such group is  FIN8 , a financially motivated threat actor that's back in action after a year-and-a-half hiatus with a powerful version of a backdoor with upgraded capabilities including screen capturing, proxy tunneling, credential theft, and  fileless execution . First documented in 2016 by FireEye, FIN8 is known for its attacks against the retail, hospitality, and entertainment industries while making use of a wide array of techniques such as spear-phishing and malicious tools like  PUNCHTRACK  and  BADHATCH  to steal payment card data from point-of-sale (POS) systems. "The FIN8 group is known for taking long breaks to improve  TTPs  and increase their rate of success," Bitdefender researchers  said  in a report published
Cybersecurity Webinar — SolarWinds Sunburst: The Big Picture

Cybersecurity Webinar — SolarWinds Sunburst: The Big Picture

March 09, 2021The Hacker News
The SolarWinds Sunburst attack has been in the headlines since it was first discovered in December 2020.  As the so-called layers of the onion are peeled back, additional information regarding how the vulnerability was exploited, who was behind the attack, who is to blame for the attack, and the long-term ramifications of this type of supply chain vulnerabilities continue to be actively discussed.  Cybersecurity company Cynet is taking a needed step back to provide a full picture of the SolarWinds attack from start to finish in an upcoming webinar, " Lessons Learned from the SolarWinds SUNBURST Attack ." Information regarding many aspects of the attack has been coming out in pieces, but we haven't yet seen this type of comprehensive overview of the technical steps behind the full attack, as well as clear recommendations for protecting against similar future attacks. And this is precisely what's needed so security professionals can gain insights on the attack tact
SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers

SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers

March 09, 2021Ravie Lakshmanan
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a possible Chinese threat group. In a  report  published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral. Back on December 22, 2020, Microsoft  disclosed  that a second espionage group may have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems. The findings were also corroborated by cybersecurity firms Palo Alto Networks'  Unit 42  threat intelligence team and  GuidePoint Security , both of whom described Supernova as a .NET web shell implemented by modifying an "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application. The alterations were made possible not by breaching the SolarWinds app update infrastructure but instead b
Microsoft Exchange Hackers Also Breached European Banking Authority

Microsoft Exchange Hackers Also Breached European Banking Authority

March 09, 2021Ravie Lakshmanan
The European Banking Authority (EBA) on Sunday said it had been a victim of a cyberattack targeting its Microsoft Exchange Servers, forcing it to temporarily take its email systems offline as a precautionary measure. "As the vulnerability is related to the EBA's email servers, access to personal data through emails held on that servers may have been obtained by the attacker," the Paris-based regulatory agency  said . EBA said it's launched a full investigation into the incident in partnership with its information and communication technology (ICT) provider, a team of forensic experts, and other relevant entities. In a second update issued on Monday, the agency said it had secured its email infrastructure and that it found no evidence of data extraction, adding it has "no indication to think that the breach has gone beyond our email servers." Besides deploying extra security measures, EBA also noted it's closely monitoring the situation after restor
Iranian Hackers Using Remote Utilities Software to Spy On Its Targets

Iranian Hackers Using Remote Utilities Software to Spy On Its Targets

March 08, 2021Ravie Lakshmanan
Hackers with suspected ties to Iran are actively targeting academia, government agencies, and tourism entities in the Middle East and neighboring regions as part of an espionage campaign aimed at data theft. Dubbed "Earth Vetala" by Trend Micro, the latest finding expands on previous research  published by Anomali  last month, which found evidence of malicious activity aimed at UAE and Kuwait government agencies by exploiting ScreenConnect remote management tool.  The cybersecurity firm linked the ongoing attacks with moderate confidence to a threat actor widely tracked as  MuddyWater , an Iranian hacker group known for its offensives primarily against Middle Eastern nations. Earth Vetala is said to have leveraged spear-phishing emails containing embedded links to a popular file-sharing service called Onehub to distribute malware that ranged from password dumping utilities to custom backdoors, before initiating communications with a command-and-control (C2) server to exe
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.