Cyber Attack | Breaking Cybersecurity News | The Hacker News

A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed  V3G4  by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. "Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet," Unit 42 researchers  said . "The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks." The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE). Some of the notable flaws relate to critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geu...

Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected intelligence gathering mission. Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker  WIP26 . "WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate," researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen  said  in a report shared with The Hacker News. This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes. The initial intrusion vector used in the attacks entails "precision targeting" of employees via WhatsApp messages that contain links to Dropbox links to supposedly benign archive files. The files, in reality, harbor a malware loader whose core feature is to depl...

Microsoft on Monday attributed a China-based cyber espionage actor to a set of attacks targeting diplomatic entities in South America. The tech giant's Security Intelligence team is tracking the cluster under the emerging moniker  DEV-0147 ,  describing  the activity as an "expansion of the group's data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe." The threat actor is said to use established hacking tools such as ShadowPad to infiltrate targets and maintain persistent access. ShadowPad, also called PoisonPlug, is a  successor  to the  PlugX remote access trojan  and has been widely put to use by Chinese adversarial collectives with links to the Ministry of State Security (MSS) and People's Liberation Army (PLA), per Secureworks. One of the other malicious tools utilized by DEV-0147 is a webpack loader called QuasarLoader , which allows for deploying additional payloads onto the compro...

Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today's security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending. At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all alerts are false positives, with some reports citing false positive rates as high as 99 percent . This means highly trained analysts spend a disproportionate amount of time chasing down harmless activity, wasting effort, increasing fatigue, and raising the chance of missing real threats. In this environment, the business imperative is clear: maximize the impact of every analyst and every dollar by making security operations faster, smarter, and more focused. Enter the Agentic AI SOC Analyst The agentic AI SOC Analyst is a force multiplier that enables organizations to do more with the team an...

Web infrastructure company Cloudflare on Monday disclosed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second (RPS). "The majority of attacks peaked in the ballpark of 50-70 million requests per second (RPS) with the largest exceeding 71 million," the company  said , calling it a "hyper-volumetric" DDoS attack. It's also the largest HTTP DDoS attack reported to date, more than 35% higher than the previous 46 million RPS DDoS attack that  Google Cloud mitigated in June 2022 . Cloudflare said the attacks singled out websites secured by its platform and that they emanated from a botnet comprising more than 30,000 IP addresses that belonged to "numerous" cloud providers. Targeted websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms. HTTP attacks of this kind are designed to send a tsunami of HTTP requests t...

The advanced persistent threat (APT) actor known as  Tonto Team  carried out an unsuccessful attack on cybersecurity company Group-IB in June 2022. The Singapore-headquartered firm  said  that it detected and blocked malicious phishing emails originating from the group targeting its employees. It's also the second attack aimed at Group-IB, the first of which took place in March 2021. Tonto Team, also called Bronze Huntley,  Cactus Pete , Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been linked to attacks targeting a wide range of organizations in Asia and Eastern Europe. The actor is known to be active since at least 2009 and is said to  share ties  to the Third Department ( 3PLA ) of the People's Liberation Army's Shenyang TRB ( Unit 65016 ). Attack chains involve spear-phishing lures containing malicious attachments created using the Royal Road Rich Text Format (RTF) exploitation toolkit to drop backdoo...

After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from  ESXiArgs ransomware attacks , the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging. Another notable change is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information. The threat actors "realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent," Censys  said  in a write-up. "In other words: they are watching." Statistics shared...

Four different rogue packages in the Python Package Index ( PyPI ) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are  aptx ,  bingchilling2 ,  httops , and  tkint3rs , all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's  highly popular audio codec  of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively. "Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma  said . An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated  Meterpreter payload  that's disguised as " pip ," a legitimate package installer for Python, and which can be leveraged to gain shell access to the...

The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver  Cobalt Strike  and  SystemBC  for post-exploitation. "The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than four hours," Cybereason  said  in an analysis published February 8, 2023. Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads. The shift in tactics was  first uncovered  by Sophos in March 2021. Gootloader takes the form of heavily-o...

A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks. Denis Mihaqlovic Dubnikov, 30, was  arrested  in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023. "Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations throughout the United States and abroad," the Department of Justice (DoJ)  said . Dubnikov and his accomplices are said to have engaged in various criminal schemes designed to obscure the trail of the ill-gotten proceeds. According to DoJ, a chunk of the 250 Bitcoin ransom paid by a U.S. company in July 2019 after a Ryuk attack was sent to Dubnikov in exchange for about $400,000. The crypto was subsequently converted to Tether and t...

The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse engineer the process. "The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos  said  in a report shared with The Hacker News. The cybersecurity firm, which has made available a decryptor , said it observed the ELF version on December 26, 2022, while also noting its similarities to the Windows flavor when it comes using the same encryption method. The detected sample is said to be part of a larger attack targeting educational institutions in Colombia, including La Salle University, around the same time. The university was added to the criminal group's leak site in early January 2023, per  FalconFeedsio . Known to have been active since 2019, the Clop (stylized as Cl0p) ransomware operation  suff...

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an  ongoing ransomware attack spree  worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)," the virtualization services provider  said . The company is further recommending users to upgrade to the latest available supported releases of vSphere components to mitigate known issues and  disable the OpenSLP service  in ESXi. "In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default," VMware added. The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a  large-scale   ransomware campaign  dubbed ESXiArgs by likely exploiting a two-ye...

E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, Taiwan and Japan. NSIS , short for Nullsoft Scriptable Install System, is a script-driven open source tool used to develop installers for the Windows operating system. While attack chains in 2021 leveraged a ZIP archive containing a macro-laced Word document to drop an executable file tasked with loading GuLoader, the new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection. "Embedding malicious executable files in archives and images can help threat actors evade detection," Trellix researcher Nico Paulo Yturriaga  said . Over the cours...

The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as  Prilex  have reared their head once again with new updates that allow it to block contactless payment transactions. Russian cybersecurity firm Kaspersky  said  it detected three versions of Prilex (06.03.8080, 06.03.8072, and 06.03.8070) that are capable of targeting NFC-enabled credit cards, taking its criminal scheme a notch higher. Having evolved out of ATM-focused malware into PoS malware over the years since going operational in 2014, the threat actor has steadily incorporated new features that are designed to facilitate credit card fraud, including a technique called  GHOST transactions . While contactless payments have taken off in a big way, in part due to the COVID-19 pandemic, the underlying motive behind the new functionality is to disable the feature so as to force the user to insert the card into the PIN pad. To that end, the latest version of Pril...

The Russia-affiliated Sandworm used yet another wiper malware strain dubbed  NikoWiper  as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine. "The NikoWiper is based on  SDelete , a command line utility from Microsoft that is used for securely deleting files," cybersecurity company ESET  revealed  in its latest APT Activity Report shared with The Hacker News. The Slovak cybersecurity firm said the attacks coincided with  missile strikes  orchestrated by the Russian armed forces aimed at the Ukrainian energy infrastructure, suggesting overlaps in objectives. The disclosure comes merely days after ESET attributed Sandworm to a Golang-based data wiper known as  SwiftSlicer  that was deployed against an unnamed Ukrainian entity on January 25, 2023. The advanced persistent threat (APT) group linked to Russia's foreign military intelligence agency GRU has also been implicated in a partially success...

The U.K. National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks mounted by Russian and Iranian state-sponsored actors for information-gathering operations. "The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists, and activists," the NCSC  said . The agency attributed the intrusions to  SEABORGIUM  (aka Callisto, COLDRIVER, and TA446) and  APT42  (aka ITG18, TA453, and Yellow Garuda). The similarities in the modus operandi aside, there is no evidence the two groups are collaborating with each other. The activity is typical of spear-phishing campaigns, where the threat actors send messages tailored to the targets, while also taking enough time to research their interests and identify their social and professional circles. The initial contact is designed to appear innocuous in an attempt to gain th...

New research has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named  Abraham's Ax  that emerged in November 2022. This is based on "several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity," Secureworks Counter Threat Unit (CTU)  said  in a report shared with The Hacker News. Moses Staff, tracked by the cybersecurity firm under the moniker  Cobalt Sapling , made its  first appearance  on the threat landscape in September 2021 with the goal of primarily targeting Israeli organizations. The geopolitical group is believed to be  sponsored  by the Iranian government and has since been linked to a string of espionage and sabotage attacks that make use of tools like  StrifeWater RAT  and open source utilities such as  DiskCryptor  to harvest sensitive informatio...

A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name  TA444 , and by the larger cybersecurity community as APT38,  BlueNoroff , Copernicium, and Stardust Chollima. TA444 is "utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims," the enterprise security firm  said  in a report shared with The Hacker News. The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom as opposed to espionage and data theft. T...

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne  said  in an analysis published today. A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions. The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the  China Chopper  web shell to deploy malware – a widely used attack pathway among Chinese threat actors. Furthermore, not only do the open source tools used in the cyber assaults originate from develop...

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially  reemerged  in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as  TA542  (aka Gold Crestwood or Mummy Spider), the virus has  evolved  from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities. Two latest additions to Emotet's module arsenal comprise an  SMB spreader  that's designed to facilitate lateral...