#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Cyber Attack | Breaking Cybersecurity News | The Hacker News

Category — Cyber Attack
Does Your Help Desk Know Who's Calling?

Does Your Help Desk Know Who's Calling?

Mar 09, 2023 Password Security / Enterprise Security
Phishing, the theft of users' credentials or sensitive data using social engineering, has been a significant threat since the early days of the internet – and continues to plague organizations today,  accounting for more than 30% of all known breaches . And with the mass migration to remote working during the pandemic, hackers have ramped up their efforts to steal login credentials as they take advantage of the chaos and lack of in-person user verification.  This has led to the revival of the old-school technique of vishing, which, like phishing online, involves using social engineering over the phone to steal sensitive information. Vishing attacks have  been on the rise  as a result, with 69% of companies experiencing them in 2021, up from 54% in 2020. These attacks often take the form of job or tech support scams and can be incredibly convincing. In August 2020, the  FBI along with the CISA  issued a warning regarding remote users being targeted by attackers spoofing organizati
Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments

Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments

Mar 08, 2023 Advanced Persistent Threat
High-profile government entities in Southeast Asia are the target of a cyber espionage campaign undertaken by a Chinese threat actor known as Sharp Panda since late last year. The intrusions are characterized by the use of a new version of the Soul modular framework, marking a departure from the group's attack chains observed in 2021. Israeli cybersecurity company Check Point  said  the "long-running" activities have historically singled out countries such as Vietnam, Thailand, and Indonesia. Sharp Panda was  first documented  by the firm in June 2021, describing it as a "highly-organized operation that placed significant effort into remaining under the radar." The use of the Soul backdoor in real-world attacks was first  detailed  by Broadcom's Symantec in October 2021 in connection to an unattributed espionage operation targeting defense, healthcare, and ICT sectors in Southeast Asia. The implant's origins, according to  research  published by Fo
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Chinese Hackers Targeting European Entities with New MQsTTang Backdoor

Chinese Hackers Targeting European Entities with New MQsTTang Backdoor

Mar 03, 2023 Threat Intelligence / Cyber Attack
The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called  MQsTTang  as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr  said  in a new report. Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of  Russia's full-scale invasion of Ukraine  last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group's previous campaigns that target European political organizations. That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating a broader focus on Europe and Asia. Mustang Panda has a  history  of using
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

Mar 01, 2023 Threat Intelligence / Malware
Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing  GootLoader  and  FakeUpdates  (aka SocGholish) malware strains. GootLoader , active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware. It notably  employs  search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware. In the  campaign  detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners' knowledge. "When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader," eSentire researcher Keegan Keplinger  said
New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises

New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises

Feb 28, 2023 Ransomware / Malware
A new post-exploitation framework called EXFILTRATOR-22 (aka EX-22) has emerged in the wild with the goal of deploying ransomware within enterprise networks while flying under the radar. "It comes with a wide range of capabilities, making post-exploitation a cakewalk for anyone purchasing the tool," CYFIRMA  said  in a new report. Some of the notable features include establishing a reverse shell with elevated privileges, uploading and downloading files, logging keystrokes, launching ransomware to encrypt files, and starting a live VNC (Virtual Network Computing) session for real-time access. It's also equipped to persist after system reboots, perform lateral movement via a worm, view running processes, generate cryptographic hashes of files, and extract authentication tokens. The cybersecurity firm assessed with moderate confidence that threat actors responsible for creating the malware are operating from North, East, or Southeast Asia and are likely former affiliat
CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

Feb 28, 2023 Software Security / Cyber Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as  CVE-2022-36537  (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests. "The ZK Framework is an open source Java framework," CISA  said . "This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager." The  vulnerability  was patched in May 2022 in versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2. As  demonstrated  by Huntress in a proof-of-concept (PoC) in October 2022, the vulnerability can be weaponized to bypass authentication, upload a backdoored JDBC database driver to gain code execution, and deploy ransomware on susceptible
PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

Feb 27, 2023 Malware / Cyber Attack
The  PlugX  remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system. "This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers," Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria  said  in a report published last week. PlugX, also known as  Korplug , is a post-exploitation  modular implant , which, among other things, is known for its multiple functionalities such as data exfiltration and its ability to use the compromised machine for nefarious purposes. Although first documented a decade ago in 2012, early samples of the malware date as far as February 2008, according to a  Trend Micro report  at the time. Over the years, PlugX has been used by threat actors with a Chinese nexus as well as cybercrime groups. On
New Hacking Cluster 'Clasiopa' Targeting Materials Research Organizations in Asia

New Hacking Cluster 'Clasiopa' Targeting Materials Research Organizations in Asia

Feb 23, 2023 Malware / Threat Intel
Materials research organizations in Asia have been targeted by a previously unknown threat actor using a distinct set of tools. Symantec, by Broadcom Software, is tracking the cluster under the moniker  Clasiopa . The origins of the hacking group and its affiliations are currently unknown, but there are hints that suggest the adversary could have ties to India. This includes references to "SAPTARISHI-ATHARVAN-101" in a custom backdoor and the use of the password "iloveindea1998^_^" for a ZIP archive. It's worth noting that  Saptarishi , meaning "Seven sages" in Sanskrit, refers to a group of seers who are revered in Hindu literature.  Atharvan  was an ancient Hindu priest and is believed to have co-authored one of the four  Vedas , a collection of religious scriptures in Hinduism. "While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password in
Lazarus Group Likely Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data

Lazarus Group Likely Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data

Feb 23, 2023 Cyber Threat / Data Security
A new backdoor associated with a malware downloader named  Wslink  has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed  WinorDLL64  by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories. Wslink was  first documented  by the Slovak cybersecurity firm in October 2021, describing it as a "simple yet remarkable" malware loader that's capable of executing received modules in memory. "The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions," ESET researcher Vladislav Hrčka  said . "The Wslink loader listens on a port specified in the configuration and can
Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

Feb 22, 2023 Open Source / Supply Chain Attack
In what's a continuing assault on the open source ecosystem,  over 15,000 spam packages  have flooded the npm repository in an attempt to distribute phishing links. "The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another," Checkmarx researcher Yehuda Gelb  said  in a Tuesday report. "The attackers referred to retail websites using referral IDs, thus profiting from the referral rewards they earned." The modus operandi involves poisoning the registry with rogue packages that include links to phishing campaigns in their README.md files, evocative of a  similar campaign  the software supply chain security firm exposed in December 2022. The fake modules masqueraded as cheats and free resources, with some packages named as "free-tiktok-followers," "free-xbox-codes," and "instagram-followers-free." The ultimate goal of the operation is to entice user
Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia

Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia

Feb 22, 2023 Cyber Espionage / Cyber Attack
Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma . The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software,  said  in a report shared with The Hacker News. There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the cybersecurity company said the group may be having an interest in industry verticals that are involved in COVID-19-related treatments or vaccines. The standout aspects of the campaign is the absence of data exfiltration and custom malware, with the threat actor employing open source tools for intelligence gathering. By using already available tools, the goal, it appears, is to not only confuse attribution efforts, but also to make the attacks stealthier. The start of the infection
Gcore Thwarts Massive 650 Gbps DDoS Attack on Free Plan Client

Gcore Thwarts Massive 650 Gbps DDoS Attack on Free Plan Client

Feb 22, 2023 Server Security / DDoS Attack
At the beginning of January, Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps. Attackers exploited over 2000 servers belonging to one of the top three cloud providers worldwide and targeted a client who was using a free CDN plan. However, due to Gcore's distribution of infrastructure and a large number of peering partners, the attacks were mitigated, and the client's web application remained available. Why was mitigating these attacks so significant? 1. These attacks were significant because they exceeded the average bandwidth of similar attacks by 60×.  The performed attacks relate to volume-based attacks targeted to saturate the attacked application's bandwidth in order to overflow it. Measuring total volume (bps)—rather than the number of requests—is the way these attacks are usually tabulated. The average bandwidth of this attack type is generally in the tens of Gbps (about 10 Gbps). Therefore, the specified attacks (at 650 Gbps) excee
Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

Feb 21, 2023 Cyber Threat / Cyber Attack
A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT . Cybersecurity firm ThreatMon  attributed  the activity to a threat actor tracked as  SideCopy . SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called  Transparent Tribe . It is so named for mimicking the infection chains associated with  SideWinder  to deliver its own malware. The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen's Black Lotus Labs  detailed  a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan. Recent attack campaigns associated with SideCopy have primarily  set their sights  on a two-factor authentication solution known as Kavach (meaning "armor" in Hindi) that's used by Indian government officials. The infection journey documented by ThreatMon commences with a phishing email containi
Google Reveals Alarming Surge in Russian Cyber Attacks Against Ukraine

Google Reveals Alarming Surge in Russian Cyber Attacks Against Ukraine

Feb 20, 2023 Threat Analysis / Cyber Attack
Russia's cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google's Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report. The targeting, which  coincided  and has  since persisted  following the country's military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors. Mandiant  said  it observed, "more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion." As many as six unique wiper strains – including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete – have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access. Phishing attacks aimed at NATO countries witnessed a 3
Experts Warn of RambleOn Android Malware Targeting South Korean Journalists

Experts Warn of RambleOn Android Malware Targeting South Korean Journalists

Feb 17, 2023 Mobile Security / Cyber Threat
Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware  RambleOn . The malicious functionalities include the "ability to read and leak target's contact list, SMS, voice call content, location and others from the time of compromise on the target," Interlab threat researcher Ovi Liber  said  in a report published this week. The spyware camouflages as a secure chat app called Fizzle ( ch.seme ), but in reality, acts as a conduit to deliver a next-stage payload hosted on pCloud and Yandex. The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic. The primary purpose of RambleOn is to function as a loader for another APK file ( com.data.WeCoin ) while
⚡Top Cybersecurity News Stories This Week — Cybersecurity Newsletter

⚡Top Cybersecurity News Stories This Week — Cybersecurity Newsletter

Feb 17, 2023 Weekly Cybersecurity Newsletter
Hey 👋 there, cyber friends! Welcome to  this week's cybersecurity newsletter , where we aim to keep you informed and empowered in the ever-changing world of cyber threats. In today's edition, we will cover some interesting developments in the cybersecurity landscape and share some insightful analysis of each to help you protect yourself against potential attacks. 1. Apple 📱 Devices Hacked with New Zero-Day Bug - Update ASAP! Have you updated your Apple devices lately? If not, it's time to do so, as the tech giant just released security updates for iOS, iPadOS, macOS, and Safari. The update is to fix a zero-day vulnerability that hackers have been exploiting. This vulnerability, tracked as CVE-2023-23529, is related to a type confusion bug in the WebKit browser engine. What does this mean? Well, it means that if you visit a website with malicious code, the bug can be activated, leading to arbitrary code execution. In other words, hackers can take control of your devi
Expert Insights / Articles Videos
Cybersecurity Resources