#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Cyber Attack | Breaking Cybersecurity News | The Hacker News

Microsoft, OpenAI Warn of Nation-State Hackers Weaponizing AI for Cyber Attacks

Microsoft, OpenAI Warn of Nation-State Hackers Weaponizing AI for Cyber Attacks

Feb 14, 2024 Artificial Intelligence / Cyber Attack
Nation-state actors associated with Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations. The findings come from a report published by Microsoft in collaboration with OpenAI, both of which  said  they disrupted efforts made by five state-affiliated actors that used its AI services to perform malicious cyber activities by terminating their assets and accounts. "Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets' jobs, professional networks, and other relationships," Microsoft  said  in a report shared with The Hacker News. While no significant or novel attacks employing the LLMs have been detected to date, adversarial exploration of AI technologies has transcended various phases of the at
U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators

U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators

Feb 11, 2024 Malware / Cybercrime
The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called  Warzone RAT . The domains –  www.warzone[.]ws  and three others – were "used to sell computer malware used by cybercriminals to secretly access and steal data from victims' computers," the DoJ  said . Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes. The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31) have been charged with unauthorized damage to protected computers, with the former also accused of "illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses." Meli is alleged to have offered malware se
After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back

After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back

Feb 07, 2024 Malware / Network Security
The threat actors behind the  KV-botnet  made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity. KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including  Volt Typhoon  (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda). Active since at least February 2022, it was  first documented  by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance. Late last month, the U.S. government  announced  a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets c
cyber security

Protecting Your Organization From Insider Threats - All You Need to Know

websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.
SHQ Response Platform and Risk Centre to Enable Management and Analysts Alike

SHQ Response Platform and Risk Centre to Enable Management and Analysts Alike

May 13, 2024Threat Detection / SoC / SIEM
In the last decade, there has been a growing disconnect between front-line analysts and senior management in IT and Cybersecurity. Well-documented challenges facing modern analysts revolve around a high volume of alerts, false positives, poor visibility of technical environments, and analysts spending too much time on manual tasks. The Impact of Alert Fatigue and False Positives  Analysts are overwhelmed with alerts. The knock-on effect of this is that fatigued analysts are at risk of missing key details in incidents, and often conduct time-consuming triaging tasks manually only to end up copying and pasting a generic closing comment into a false positive alert.  It is likely that there will always be false positives. And many would argue that a false positive is better than a false negative. But for proactive actions to be made, we must move closer to the heart of an incident. That requires diving into how analysts conduct the triage and investigation process. SHQ Response Platfo
Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware

Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware

Feb 05, 2024 Cyber Espionage / Cyber Extortion
The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called  VajraSpy . Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023. "VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko  said . "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera." As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded
New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw

New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw

Feb 05, 2024 Malware / Financial Security
The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico. The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week. Propagated via phishing mails, Mispadu is a Delphi-based information stealer known to specifically infect victims in the Latin American (LATAM) region. In March 2023, Metabase Q  revealed  that Mispadu spam campaigns harvested no less than 90,000 bank account credentials since August 2022. It's also part of the larger family of LATAM banking malware, including  Grandoreiro , which was dismantled by Brazilian law enforcement authorities last week. The latest infection chain identified by Unit 42 employs rogue internet shortcut files contained within bogus ZIP archive files that leverage CVE-2023-36025 (CVSS score: 8.8), a high-severity bypass flaw in Windows Smar
U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks

U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks

Feb 03, 2024 Intelligence Agency / Cyber Security
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries. The  officials  include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Reza Lashgarian is also the head of the IRGC-CEC and a commander in the IRGC-Qods Force. He is alleged to have been involved in various IRGC cyber and intelligence operations. The Treasury Department  said  it's holding these individuals responsible for carrying out "cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company." In late November 2023, the U.S. Cybersecurity and Infras
AnyDesk Hacked: Popular Remote Desktop Software Mandates Password Reset

AnyDesk Hacked: Popular Remote Desktop Software Mandates Password Reset

Feb 03, 2024 Cyber Attack / Software Security
Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems. The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities. "We have revoked all security-related certificates and systems have been remediated or replaced where necessary," the company  said  in a statement. "We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one." Out of an abundance of caution, AnyDesk has also revoked all passwords to its web portal, my.anydesk[.]com, and it's urging users to change their passwords if the same passwords have been reused on other online services. It's also recommending that users download the latest version of the software, which comes with a new  code signing certificate . AnyDesk did not disclose
U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

Feb 01, 2024 Cyber Threat / Network Security
The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign. The existence of the botnet, dubbed  KV-botnet , was  first disclosed  by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was  reported  by Reuters earlier this week. "The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," the Department of Justice (DoJ)  said  in a press statement. Volt Typhoon  (aka DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is the moniker assigned to a China-based adversarial collect
Hackers Exploiting Ivanti VPN Flaws to Deploy KrustyLoader Malware

Hackers Exploiting Ivanti VPN Flaws to Deploy KrustyLoader Malware

Jan 31, 2024 Cyber Attack / Network Security
A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called  KrustyLoader  that's used to drop the open-source Sliver adversary simulation tool. The  security vulnerabilities , tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused in tandem to achieve unauthenticated remote code execution on susceptible appliances. As of January 26,  patches for the two flaws  have been delayed, although the software company has released a temporary mitigation through an XML file. Volexity, which first shed light on the shortcomings, said they have been weaponized as zero-days since December 3, 2023, by a Chinese nation-state threat actor it tracks under the name UTA0178. Google-owned Mandiant has assigned the moniker UNC5221 to the group. Following public disclosure earlier this month, the vulnerabilities have  come under broad exploitati
Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives

Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives

Jan 30, 2024 Cyber Crime / Malware
A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the  Grandoreiro  malware. The Federal Police of Brazil  said  it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso. Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro's network protocol that helped it to identify the victimology patterns. Grandoreiro  is one of the many Latin American banking trojans such as Javali, Melcoz, Casabeniero, Mekotio, and Vadokrist, primarily targeting countries like Spain, Mexico, Brazil, and Argentina. It's known to be active since 2017. In late October 2023, Proofpoint  revealed  details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain. The banking trojan has capabilities to both steal data through keyloggers
Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

Jan 26, 2024 Threat Intelligence / Cyber Attack
Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a  cyber attack on its systems  in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE)  revealed  that it had been the victim of an attack perpetrated by a hacking crew tracked as  APT29 , which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. "This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe," the Microsoft Threat Intelligence team  said  in a new advisory. The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention. The latest disc
Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption

Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption

Jan 24, 2024 Ransomware / Endpoint Security
The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver ( BYOVD ) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira , AvosLocker, BlackByte, and RobbinHood . The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis. Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter , which emerged in the aftermath of DarkSide's shutdown. There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked post its demise in November 2021. Attack chains involving Kasseika commence with a phishing email for initial access, subsequently
~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation

~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation

Jan 23, 2024 Vulnerability / Cyber Attack
Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure. Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible installations. The shortcoming affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5. But merely days after the flaw became public knowledge, nearly 40,000 exploitation attempts targeting CVE-2023-22527 have been recorded in the wild as early as January 19 from more than 600 unique IP addresses, according to both the Shadowserver Foundation and the DFIR Report . The activity is currently limited "testing callback attempts and 'whoami' execution," suggesting that threat actors are opportunistically scanning for vulnerable servers
CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits

CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits

Jan 20, 2024 Network Security / Threat Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an  emergency directive  urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development arrives as the  vulnerabilities  – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – have come under widespread exploitation by multiple threat actors. The flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system. The U.S. company  acknowledged  in an advisory that it has witnessed a "sharp increase in threat actor activity" starting on January 11, 2024, after the shortcomings were publicly disclosed. "Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish per
Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability

Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability

Jan 17, 2024 Browser Security / Vulnerability
Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw. The issue, tracked as CVE-2024-0519 , concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash. "By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service," according to MITRE's Common Weakness Enumeration ( CWE ). Additional details about the nature of the attacks and the threat actors that may be exploiting it have been withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024. "Out-of-bounds memory access in V8 in Google Chrome prior to 120.
DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023

DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023

Jan 15, 2024 Server Security / Cyber Attack
The environmental services industry witnessed an "unprecedented surge" in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic. This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week. "This surge in cyber attacks coincided with  COP 28 , which ran from November 30th to December 12th, 2023," security researchers Omer Yoachimik and Jorge Pacheco  said , describing it as a "disturbing trend in the cyber threat landscape." The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements. "This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is increasingl
New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks

New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks

Jan 14, 2024 Cyber Attack / Vulnerability
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group,  new findings  from Forescout show. The intrusions, which  targeted around 22 Danish energy organizations  in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector. The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled  Cyclops Blink  botnet. Forescout's closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but also
Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware

Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware

Jan 06, 2024 Malware / Cyber Attack
The  recent wave of cyber attacks  targeting Albanian organizations involved the use of a wiper called  No-Justice . The  findings  come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted." The intrusions have been attributed to an Iranian "psychological operation group" known as Homeland Justice, which has been active since July 2022, specifically orchestrating destructive attacks against Albania. On December 24, 2023, the adversary resurfaced after a hiatus, stating it's "back to destroy supporters of terrorists," describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës  currently hosts  the dissident group People's Mojahedin Organization of Iran (MEK). Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament. Two of the primary tools deployed during the campaign include an executa
Cybersecurity
Expert Insights
Cybersecurity Resources