Cyber Attack | Breaking Cybersecurity News | The Hacker News

A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name  TA444 , and by the larger cybersecurity community as APT38,  BlueNoroff , Copernicium, and Stardust Chollima. TA444 is "utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims," the enterprise security firm  said  in a report shared with The Hacker News. The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom as opposed to espionage and data theft. T

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne  said  in an analysis published today. A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions. The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the  China Chopper  web shell to deploy malware – a widely used attack pathway among Chinese threat actors. Furthermore, not only do the open source tools used in the cyber assaults originate from develope

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially  reemerged  in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as  TA542  (aka Gold Crestwood or Mummy Spider), the virus has  evolved  from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities. Two latest additions to Emotet's module arsenal comprise an  SMB spreader  that's designed to facilitate lateral movement using a list of h

The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country. "The Gamaredon group's network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, and then finally leads the victim to the next stage server for the final payload," the BlackBerry Research and Intelligence Team  said  in a report shared with The Hacker News. "This kind of technique to infect target systems is new." Gamaredon , also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults aimed at Ukrainian entities since at least 2013. Last month, Palo Alto Networks Unit 42  disclosed  the threat actor's unsuccessful attempts to break into an unnamed petrol

An ongoing campaign dubbed  Earth Bogle  is leveraging geopolitical-themed lures to deliver the NjRAT remote access trojan to victims across the Middle East and North Africa. "The threat actor uses public cloud storage services such as files[.]fm and failiem[.]lv to host malware, while compromised web servers distribute NjRAT," Trend Micro  said  in a report published Wednesday. Phishing emails, typically tailored to the victim's interests, are loaded with malicious attachments to activate the infection routine. This takes the form of a Microsoft Cabinet (CAB) archive file containing a Visual Basic Script dropper to deploy the next-stage payload. Alternatively, it's suspected that the files are distributed via social media platforms such as Facebook and Discord, in some cases even creating bogus accounts to serve ads on pages impersonating legitimate news outlets. The CAB files, hosted on cloud storage services, also masquerade as sensitive voice recordings to e

New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces  is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port forwarding feature that makes it possible to access a web application that's running on a particular port within the codespace directly from the browser on a local machine for testing and debugging purposes. "You can also forward a port manually, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to the codespace configuration," GitHub  explains  in its documentation. It's  important  to note here that any forwarded port that's made public will also permit any party with knowledge of the URL

Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s  Hive  multi-platform  malware suite , the source code of which was  released  by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it  xdr33  based on its embedded Bot-side certificate CN=xdr33," Qihoo Netlab 360's Alex Turing and Hui Wang  said  in a technical write-up published last week. xdr33 is said to be propagated by exploiting an unspecified N-day security vulnerability in F5 appliances. It communicates with a command-and-control (C2) server using SSL with forged Kaspersky certificates. The intent of the backdoor, per the Chinese cybersecurity firm, is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implementation changes. The  ELF

A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild. That's according to attack surface management platform Censys, which  found  only 26 out of a total of 6,427 servers to be running a  patched version  of Cacti (1.2.23 and 1.3.0). The  issue  in question relates to  CVE-2022-46169  (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution. Details about the flaw, which impacts versions 1.2.22 and below, were first revealed by SonarSource. The flaw was reported to the project maintainers on December 2, 2022. "A hostname-based authorization check is not implemented safely for most installations of Cacti," SonarSource researcher Stefan Schiller  noted  earlier this month, adding "uns

Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed  EyeSpy  as part of a malware campaign that started in May 2022. It uses "components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers," Bitdefender  said  in an analysis. A majority of the infections are said to originate in Iran, with smaller detections in Germany and the U.S., the Romanian cybersecurity firm added. SecondEye, according to  snapshots  captured via the Internet Archive, claims to be a commercial monitoring software that can work as a "parental control system or as an online watchdog." As of November 2021, it's offered for sale anywhere between $99 to $200. It comes with a wide range of features that allows it to take screenshots, record microphone, log keystrokes, gather files and saved passwords from web browsers, and remotely control the machines to run arbitrary c

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. "Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers  said  in a report published this week. IcedID , also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a  dropper for other malware , joining the likes of  Emotet ,  TrickBot ,  Qakbot ,  Bumblebee , and  Raspberry Robin . Attacks involving the delivery of IcedID have  leveraged a variety of methods , especially in the wake of  Microsoft's decision to block macros  from Office files downloaded from the web. The intrusion detailed by Cybereason is no different in

Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach. The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment. "This zero-day exploit is associated with  CVE-2022-41080 ," the Texas-based company  said . "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for [it] being part of a remote code execution chain that was exploitable." Rackspace's forensic investigation found that the threat actor accessed the Personal Storage Table ( .PST ) of 27 customers out of a total of nearly 30,000 customers on the Hosted Exchange email environment. However, the company said there is no evidence the adversary viewed, misused, or distributed the customer's emails or data from those personal storage folders. It

Ransomware: contemporary threats, how to prevent them and how the FBI can help In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors, turning ransomware into the internet's most severe security crisis. The Ransomware Landscape Ransomware has existed for more than 30 years, but it became a lucrative source of income for cyber actors and gangs in the past decade. Since 2015, ransomware gangs have been targeting organizations instead of individuals. Consequently, ransom sums have increased significantly, reaching millions of dollars. Ransomware is effective because it pressures victims in two, complementary ways. First, by threatening victims to destroy their data. Second, by threatening to publicize the attack. The s

Chinese international students in the U.K. have been targeted by persistent Chinese-speaking scammers for over a year as part of an activity dubbed  RedZei  (aka RedThief). "The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation," cybersecurity researcher Will Thomas (@BushidoToken)  said  in a write-up published last week. The most notable aspect about the operation is the steps taken by the threat actors to bypass steps taken by users to prevent scam calls, using a new pay-as-you-go U.K. phone number for each wave so as to render phone number-based blocking ineffective. Thomas, pointing out the meticulous tradecraft employed by the scammers, said the threat actor alternates between SIMs from several mobile carriers such as Three, O2, EE, Tesco Mobile, and Telia. Indications are that the lucrative RedZei campaign may have started as far back as August 2019, with a report from The

The  Zerobot  DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot,  first documented  by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras. "The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark ( CVE-2021-42013  and  CVE-2022-33891  respectively), and new DDoS attack capabilities," Microsoft researchers  said . Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised for sale on various social media networks.

Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month. "There is no impact to any customers, including any HIPAA, FedRAMP, or DoD customers," the company  said  in a public statement. "No action is required by customers." The security event, which was  first reported  by Bleeping Computer, involved unidentified threat actors gaining access to the Okta Workforce Identity Cloud ( WIC ) code repositories hosted on GitHub. The access was subsequently abused to copy the source code. The cloud-based identity management platform noted that it was alerted to the incident by Microsoft-owned GitHub in early December 2022. It also emphasized that the breach did not result in unauthorized access to customer data or the Okta service. Upon discovering the lapse, Okta said it placed temporary restrictions on repository access and that i

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions. Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals will have access to a greater number of vulnerable devices, allowing them to carry out more sophisticated attacks. Cybercrime is expected to become increasingly profitable as criminals continue to find new and better ways to monetize their attack as entry barriers to cybercrime keep going down.  This article discusses key trends we've noticed in 2022 that will likely continue in 2023, which we'll also elaborate on in the upcoming webinar " The Rise of the Rookie Hacker - a new trend to reckon with " on January 11th. Leaked credentials will continue to be the main attack vect

The Computer Emergency Response Team of Ukraine (CERT-UA) this week  disclosed  that users of the Delta situational awareness program received phishing emails from a compromised email account belonging to the Ministry of Defense. The attacks, which have been attributed to a threat cluster dubbed UAC-0142, aimed to infect systems with two pieces of data-stealing malware referred to as  FateGrab and StealDeal . Delta  is a cloud-based operational situation display system developed by Aerorozvidka that allows real-time monitoring of troops on the battlefield, making it a lucrative target for threat actors. The lure messages, which come with fake warnings to update root certificates in the Delta software, carry PDF documents containing links to archive files hosted on a fraudulent Delta domain, ultimately dropping the malware on compromised systems. While FateGrab is mainly designed to exfiltrate files with specific extensions through File Transfer Protocol ( FTP ), StealDeal single

Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it's up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs.  Here's a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.  Increase in digital supply chain attacks  With the rapid modernization and digitization of supply chains come new security risks. Gartner predicts that  by 2025, 45% of organizations worldwide will have experienced attacks  on their software supply chains—this is a three-fold increase from 2021. Previously, these types of attacks weren't even likely to happen because supply chains weren't connected to the internet. But now that they are, supply chains need to be secured properly.  The introduction of new technology around software supply chains means there are likely security holes that have yet to be identified, but are essenti