#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Cyber Attack | Breaking Cybersecurity News | The Hacker News

Category — Cyber Attack
OVHcloud Hit with Record 840 Million PPS DDoS Attack Using MikroTik Routers

OVHcloud Hit with Record 840 Million PPS DDoS Attack Using MikroTik Routers

Jul 05, 2024 Network Security / DDoS Attack
French cloud computing firm OVHcloud said it mitigated a record-breaking distributed denial-of-service (DDoS) attack in April 2024 that reached a packet rate of 840 million packets per second (Mpps). This is just above the previous record of 809 million Mpps reported by Akamai as targeting a large European bank in June 2020. The 840 Mpps DDoS attack is said to have been a combination of a TCP ACK flood that originated from 5,000 source IPs and a DNS reflection attack leveraging about 15,000 DNS servers to amplify the traffic. "While the attack was distributed worldwide, 2/3 of total packets entered from only four [points of presence], all located in the U.S. with 3 of them being on the west coast," OVHcloud noted . "This highlights the capability of the adversary to send a huge packet rate through only a few peerings, which can prove very problematic." The company said it has observed a significant uptick in DDoS attacks in terms of both frequency and intensi
GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks

GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks

Jul 05, 2024 SEO Poisoning / Cyber Attack,
The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts. "Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week. "While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020." GootLoader, a malware loader part of the Gootkit banking trojan, is linked to a threat actor named Hive0127 (aka UNC2565). It abuses JavaScript to download post-exploitation tools and is distributed via search engine optimization (SEO) poisoning tactics. It typically serves as a conduit for delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC. In recent months, the threat actors behind GootLoader have
The New Effective Way to Prevent Account Takeovers

The New Effective Way to Prevent Account Takeovers

Sep 04, 2024SaaS Security / Browser Security
Account takeover attacks have emerged as one of the most persistent and damaging threats to cloud-based SaaS environments. Yet despite significant investments in traditional security measures, many organizations continue to struggle with preventing these attacks. A new report, " Why Account Takeover Attacks Still Succeed, and Why the Browser is Your Secret Weapon in Stopping Them " argues that the browser is the primary battleground where account takeover attacks unfold and, thus, where they should be neutralized. The report also provides effective guidance for mitigating the account takeover risk.  Below are some of the key points raised in the report: The Role of the Browser in Account Takeovers According to the report, the SaaS kill chain takes advantage of the fundamental components that are contained within the browser. For account takeover, these include: Executed Web Pages - Attackers can create phishing login pages or use MiTM over legitimate web pages to harve
New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks

New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks

Jul 05, 2024 Network Security / Cyber Attack
Cybersecurity researchers have uncovered a new botnet called Zergeca that's capable of conducting distributed denial-of-service (DDoS) attacks. Written in Golang, the botnet is so named for its reference to a string named "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top"). "Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information," the QiAnXin XLab team said in a report. Zergeca is also notable for using DNS-over-HTTPS ( DoH ) to perform Domain Name System (DNS) resolution of the C2 server and using a lesser-known library known as Smux for C2 communications. There is evidence to suggest that the attackers behind the botnet are actively developing and updating the malware to support new commands
cyber security

Secure Your Network: 40% Face Full Takeover Risk

websitePicus SecurityEndpoint Security / Attack Surface
Understand and address the critical risks in your network to prevent takeovers.
Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike

Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike

Jul 04, 2024 Malware / Cyber Attack
A coordinated law enforcement operation codenamed MORPHEUS has felled close to 600 servers that were used by cybercriminal groups and were part of an attack infrastructure associated with the Cobalt Strike tool.  The crackdown targeted older, unlicensed versions of the Cobalt Strike red teaming framework between June 24 and 28, according to Europol. Of the 690 IP addresses that were flagged to online service providers in 27 countries as associated with criminal activity, 590 are no longer accessible. The joint operation, which commenced in 2021, was led by the U.K. National Crime Agency (NCA) and involved authorities from Australia, Canada, Germany, the Netherlands, Poland, and the U.S. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea provided additional support. Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems), offering IT security experts a way to identify weaknesses in security
Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Jul 03, 2024 Spyware / Vulnerability
Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week. The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role. But opening the file triggers the exploitation of CVE-2021-40444 , a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021. In this case, it paves the way for the download of an HTML file ("olerender.html") from a remote s
Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Jul 03, 2024 Cyber Attack / Malware
Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly-available frameworks like Donut and Sliver. The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware," HarfangLab said in a report last week. The French company is tracking the activity under the name Supposed Grasshopper. It's a reference to an attacker-controlled server ("auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin"), to which a first-stage downloader connects to. This downloader, written in Nim, is rudimentary and is tasked with downloading the second-stage malware from the staging server. It's delivered by means of a virtual hard disk (VHD) file that's suspected to be propagated via custom WordPress sites as part of a drive-
Russian National Indicted for Cyber Attacks on Ukraine Before 2022 Invasion

Russian National Indicted for Cyber Attacks on Ukraine Before 2022 Invasion

Jun 27, 2024 Cyber Crime / Cyber Warfare
A 22-year-old Russian national has been indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine and its allies in the days leading to Russia's full-blown military invasion of Ukraine in early 2022. Amin Timovich Stigal, the defendant in question, is assessed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). He remains at large. If convicted, he faces a maximum penalty of five years in prison. Concurrent with the action, the U.S. Department of State's Rewards for Justice program is offering a reward of up to $10 million for information pertaining to his whereabouts or the malicious cyber attacks he is associated with. "The defendant conspired with Russian military intelligence on the eve of Russia's unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States,&quo
Oyster Backdoor Spreading via Trojanized Popular Software Downloads

Oyster Backdoor Spreading via Trojanized Popular Software Downloads

Jun 21, 2024 Malware / Malvertising
A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader). That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing. The threat actors are luring unsuspecting users to fake websites purporting to contain legitimate software. But attempting to download the setup binary launches a malware infection chain instead. Specifically, the executable serves as a pathway for a backdoor called Oyster, which is capable of gathering information about the compromised host, communicating with a hard-coded command-and-control (C2) address, and supporting remote code execution. While Oyster has been observed in the past being delivered by means of a dedicated loader component known as Broomstick Loader (aka Oyster Instal
Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021

Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021

Jun 20, 2024 Cyber Espionage / Critical Infrastructure
Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021. "The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The cybersecurity firm did not reveal the country that was targeted, but said it found evidence to suggest that the malicious cyber activity may have started as far back as 2020. The attacks also targeted an unnamed services company that catered to the telecoms sector and a university in another Asian country, it added. The choice of tools used in this campaign overlaps with other missions conducted by Chinese espionage groups like Mustang Panda (aka Earth Preta and Fireant), RedFoxtrot (aka Neeedleminer and Nomad Panda), and Naikon (aka Firefly) in recent years. This incl
Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Jun 17, 2024 Web Security / Malware
Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German cybersecurity company G DATA said in a report. Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month. It all starts with a compromised website, including those built on WordPress, to inject code that incorporates logic to determine if a user has visited the site before.  Should it be the user's first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request. The response from the server subsequently overlays the contents of the web page with a ph
NiceRAT Malware Targets South Korean Users via Cracked Software

NiceRAT Malware Targets South Korean Users via Cracked Software

Jun 17, 2024 Botnet / Cryptocurrency
Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet. The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office. "Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware's distribution independently from the initial distributor," the AhnLab Security Intelligence Center (ASEC) said . "Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware." Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT , mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware
Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS

Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS

Jun 13, 2024 Threat Intelligence / Cyber Attack
Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force since at least 2018. The activity, still ongoing, entails the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos, which are administered using another standalone tool referred to as GravityAdmin. The cybersecurity attributed the intrusion to an adversary it tracks under the moniker Cosmic Leopard (aka SpaceCobra), which it said exhibits some level of tactical overlap with Transparent Tribe . "Operation Celestial Force has been active since at least 2018 and continues to operate today — increasingly utilizing an expanding and evolving malware suite — indicating that the operation has likely seen a high degree of success targeting users in the Indian subcontinent," security researchers Asheer Malhotra and Vitor Ventura said in a technical report shared with The Hacker News. Grav
Ultimate Cyber Hygiene Guide: Learn How to Simplify Your Security Efforts

Ultimate Cyber Hygiene Guide: Learn How to Simplify Your Security Efforts

Jun 07, 2024 Cyber Hygiene / Webinar
2023 was a year of unprecedented cyberattacks. Ransomware crippled businesses, DDoS attacks disrupted critical services, and data breaches exposed millions of sensitive records. The cost of these attacks? Astronomical. The damage to reputations? Irreparable. But here's the shocking truth: many of these attacks could have been prevented with basic cyber hygiene . Are you ready to transform your cybersecurity strategy? Join us for an exclusive webinar, " Better Basics Win the Cybersecurity Threat War: Defend, Deter, and Save ," where we'll reveal how to optimize your cyber hygiene and compliance costs. What you'll learn: The latest trends shaping the cybersecurity landscape: Get ahead of the curve and understand the evolving tactics of cybercriminals. How the CIS Controls and CIS Benchmarks can simplify your security efforts: Discover the power of these proven security best practices and how they can fortify your defenses. How a CIS SecureSuite Membership
SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

Jun 07, 2024 Cyber Attack / Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting defense forces in the country with a malware called SPECTR as part of an espionage campaign dubbed SickSync. The agency attributed the attacks to a threat actor it tracks under the moniker UAC-0020, which is also called Vermin and is assessed to be associated with security agencies of the Luhansk People's Republic (LPR). LPR was declared a sovereign state by Russia days prior to its military invasion of Ukraine in February 2022. Attack chains commence with spear-phishing emails containing a RAR self-extracting archive file containing a decoy PDF file, a trojanized version of the SyncThing application that incorporates the SPECTR payload, and a batch script that activates the infection by launching the executable. SPECTR serves as an information stealer by grabbing screenshots every 10 seconds, harvesting files, gathering data from removable USB drives, and stealing credentials and
Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs

Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs

Jun 05, 2024 Cyber Attack / Online Security
Popular video-sharing platform TikTok has acknowledged a security issue that has been exploited by threat actors to take control of high-profile accounts on the platform. The development was first reported by Semafor and Forbes , which detailed a zero-click account takeover campaign that allows malware propagated via direct messages to compromise brand and celebrity accounts without having to click or interact with it. The exploit has been found to take advantage of a zero-day vulnerability in the messaging component that allows malicious code to be executed as soon as the message is opened. It's currently unclear how many users have been affected, although a TikTok spokesperson said that the company has taken preventive measures to stop the attack and stop it from happening again in the future. The company further said that it's working directly with impacted account holders to restore access and that the attack only managed to compromise a "very small" number
Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan

Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan

Jun 04, 2024 Cyber Attack / Malware
Russian organizations are at the receiving end of cyber attacks that have been found to deliver a Windows version of a malware called Decoy Dog . Cybersecurity company Positive Technologies is tracking the activity cluster under the name Operation Lahat, attributing it to an advanced persistent threat (APT) group called HellHounds . "The Hellhounds group compromises organizations they select and gain a foothold on their networks, remaining undetected for years," security researchers Aleksandr Grigorian and Stanislav Pyzhov said . "In doing so, the group leverages primary compromise vectors, from vulnerable web services to trusted relationships." HellHounds was first documented by the firm in late November 2023 following the compromise of an unnamed power company with the Decoy Dog trojan. It's confirmed to have infiltrated 48 victims in Russia to date, including IT companies, governments, space industry firms, and telecom providers. There is evidence indi
Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine

Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine

Jun 04, 2024 Cyber Attack / Malware
A new sophisticated cyber attack has been observed targeting endpoints geolocated to Ukraine with an aim to deploy Cobalt Strike and seize control of the compromised hosts. The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection, "The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload and establish communication with a command-and-control (C2) server," security researcher Cara Lin said in a Monday report. "This attack employs various evasion techniques to ensure successful payload delivery." Cobalt Strike , developed and maintained by Fortra, is a legitimate adversary simulation toolkit used for red teaming operations. However, over the years, cracked versions of the software have been extensively exploited by threat actors for malicious purposes. The starting point of the attack is the Excel document that, when launched, dis
Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers

Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers

Jun 04, 2024 Cloud Security / Data Protection
Cloud computing and analytics company Snowflake said a "limited number" of its customers have been singled out as part of a targeted campaign. "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform," the company said in a joint statement along with CrowdStrike and Google-owned Mandiant. "We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel." It further said the activity is directed against users with single-factor authentication, with the unidentified threat actors leveraging credentials previously purchased or obtained through information-stealing malware. "Threat actors are actively compromising organizations' Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authenticat
Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Jun 03, 2024 Malware / Cyber Attack
The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. "Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report published last week. "The threat actor probably used these malware strains to control and steal data from the infected systems." The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities. Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that operates on behalf of North Korea's strategic
Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S.

Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S.

May 31, 2024 Network Security / Cyber Attack
More than 600,000 small office/home office (SOHO) routers are estimated to have been bricked and taken offline following a destructive cyber attack staged by unidentified cyber actors, disrupting users' access to the internet. The mysterious event, which took place between October 25 and 27, 2023, and impacted a single internet service provider (ISP) in the U.S., has been codenamed Pumpkin Eclipse by the Lumen Technologies Black Lotus Labs team. It specifically affected three router models issued by the ISP: ActionTec T3200, ActionTec T3260, and Sagemcom. "The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement," the company said in a technical report. The blackout is significant, not least because it led to the abrupt removal of 49% of all modems from the impacted ISP's autonomous system number (ASN) during the time-frame. While the name of the ISP was
Expert Insights / Articles Videos
Cybersecurity Resources