#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Cyber Attack | Breaking Cybersecurity News | The Hacker News

Category — Cyber Attack
Rogue PyPI Library Solana Users, Steals Blockchain Wallet Keys

Rogue PyPI Library Solana Users, Steals Blockchain Wallet Keys

Aug 11, 2024 Supply Chain / Software Security
Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that masquerades as a library from the Solana blockchain platform but is actually designed to steal victims' secrets. "The legitimate Solana Python API project is known as 'solana-py' on GitHub, but simply ' solana ' on the Python software registry, PyPI," Sonatype researcher Ax Sharma said in a report published last week. "This slight naming discrepancy has been leveraged by a threat actor who published a 'solana-py' project on PyPI." The malicious "solana-py" package attracted a total of 1,122 downloads since it was published on August 4, 2024. It's no longer available for download from PyPI. The most striking aspect of the library is that it carried the version numbers 0.34.3, 0.34.4, and 0.34.5. The latest version of the legitimate "solana" package is 0.34.3. This clearly indicates an attempt o
New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

Aug 08, 2024 Network Security / Cloud Security
Cybersecurity researchers have discovered a novel phishing campaign that leverages Google Drawings and shortened links generated via WhatsApp to evade detection and trick users into clicking on bogus links designed to steal sensitive information. "The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim's information," Menlo Security researcher Ashwin Vamshi said . "This attack is a great example of a Living Off Trusted Sites ( LoTS ) threat." The starting point of the attack is a phishing email that directs the recipients to a graphic that appears to be an Amazon account verification link. This graphic, for its part, is hosted on Google Drawings, in an apparent effort to evade detection. Abusing legitimate services has obvious benefits for attackers in that they're not only a low-cost solution, but more importantly,
5 Actionable Steps to Prevent GenAI Data Leaks Without Fully Blocking AI Usage

5 Actionable Steps to Prevent GenAI Data Leaks Without Fully Blocking AI Usage

Oct 01, 2024Generative AI / Data Protection
Since its emergence, Generative AI has revolutionized enterprise productivity. GenAI tools enable faster and more effective software development, financial analysis, business planning, and customer engagement. However, this business agility comes with significant risks, particularly the potential for sensitive data leakage. As organizations attempt to balance productivity gains with security concerns, many have been forced to choose between unrestricted GenAI usage to banning it altogether. A new e-guide by LayerX titled 5 Actionable Measures to Prevent Data Leakage Through Generative AI Tools is designed to help organizations navigate the challenges of GenAI usage in the workplace. The guide offers practical steps for security managers to protect sensitive corporate data while still reaping the productivity benefits of GenAI tools like ChatGPT. This approach is intended to allow companies to strike the right balance between innovation and security. Why Worry About ChatGPT? The e
Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

Jul 31, 2024 Cyber Attack / Threat Intelligence
Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years. Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear , attributing it as related to a known intrusion set dubbed APT10, which is also known as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda. "The actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate data from compromised enterprise networks," it said . The findings come weeks after JPCERT/CC warned of cyber attacks mounted by the threat actor targeting Japanese entities using the two malware strains. Earlier this January, ITOCHU Cyber & I
cyber security

2024 State of SaaS Security Report eBook

websiteWing SecuritySaaS Security / Insider Threat
A research report featuring astonishing statistics on the security risks of third-party SaaS applications.
Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware

Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware

Jul 30, 2024 Malware / Cyber Threat
Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024 that led to the deployment of several malware families like Agent Tesla , Formbook , and Remcos RAT . Some of the other regions targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET. "Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data," ESET researcher Jakub Kaloč said in a report published today. These campaigns, spread across nine waves, are notable for the use of a malware loader called DBatLoader (aka ModiLoader and NatsoLoader) to deliver the final payloads. This, the Slovakian cybersecurity company said, marks a departure from previous attacks observed in the second half of 2023 that leveraged a cryptors-as-a-service (CaaS) dubbed AceCryptor to propagate Remcos RAT (aka Resc
New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

Jul 30, 2024 Cyber Espionage / Malware
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder , which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains. "SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week. The latest
CrowdStrike Warns of New Phishing Scam Targeting German Customers

CrowdStrike Warns of New Phishing Scam Targeting German Customers

Jul 26, 2024 Enterprise Security / Network Security
CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity. The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world. "After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer," CrowdStrike's Counter Adversary Operations team said . "The installer contains CrowdStrike branding, German localization, and a password [is] required to continue install
Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

Jul 24, 2024 Malvertising / Threat Intelligence
A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma , and Meduza . Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1). The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024. "Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file," security researcher Cara Lin said . "The LNK file then downloads an executable file containing an [HTML Application] script." The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in tur
New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Jul 23, 2024 ICS Malware / Critical Infrastructure
Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January. Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop , describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024. "FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News. It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously
Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files

Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files

Jul 23, 2024 Threat Detection / Website Security
Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024. "Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said . This is just one of many defense evasion methods employed by the threat actor, which also includes the use of swap files ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstra
Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Jul 20, 2024 Malware / IT Outage
Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. The attack chains involve distributing a ZIP archive file named " crowdstrike-hotfix.zip ," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload. Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urges targets to run an executable file ("setup.exe") to recover from the issue. "Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said , attributing the campaign to a suspected e-
WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach

WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach

Jul 19, 2024 Cryptocurrency / Cybercrime
Indian cryptocurrency exchange WazirX has confirmed that it was the target of a security breach that led to the theft of $230 million in cryptocurrency assets. "A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million," the company said in a statement. "This wallet was operated utilizing the services of Liminal's digital asset custody and wallet infrastructure from February 2023." The Mumbai-based company said the attack stemmed from a mismatch between the information that was displayed on Liminal's interface and what was actually signed. It said the payload was replaced to transfer wallet control to an attacker. Crypto custody firm Liminal is one of the six signatories on the wallet and is responsible for transaction verifications. "Our preliminary investigations show that one of the self custody multi-sig smart contract wallets created outside of the Liminal ecosystem has been compromised
DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

Jul 12, 2024 Malware / Cyber Attack
Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections. Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North America, Europe, and parts of Asia. "This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware," security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said . DarkGate, which first emerged in 2018, has evolved into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop addit
PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Jul 11, 2024 Cyber Attack / Vulnerability
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024. "CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP," Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. "The vulnerability itself lies in how Unicode characters are converted into ASCII." The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge. This included exploits designed to deliver a remote
Smash-and-Grab Extortion

Smash-and-Grab Extortion

Jul 10, 2024 IoT Security / Firmware Security
The Problem The "2024 Attack Intelligence Report" from the staff at Rapid7 [1] is a well-researched, well-written report that is worthy of careful study. Some key takeaways are:  53% of the over 30 new vulnerabilities that were widely exploited in 2023 and at the start of 2024 were zero-days . More mass compromise events arose from zero-day vulnerabilities than from n-day vulnerabilities. Nearly a quarter of widespread attacks were zero-day attacks where a single adversary compromised dozens to hundreds of organizations simultaneously. Attackers are moving from initial access to exploitation in minutes or hours rather than days or weeks. So the conventional patch and put strategy is as effective as a firetruck showing up after a building has burned to the ground! Of course, patch and put could prevent future attacks, but taking into account that patch development takes from days to weeks [2] and that the average time to apply critical patches is 16 days [3], devices are vulner
ViperSoftX Malware Disguises as eBooks on Torrents to Spread Stealthy Attacks

ViperSoftX Malware Disguises as eBooks on Torrents to Spread Stealthy Attacks

Jul 10, 2024 Endpoint Security / Threat Intelligence
The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents. "A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime ( CLR ) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations," Trellix security researchers Mathanraj Thangaraju and Sijo Jacob said . "By utilizing CLR, ViperSoftX can seamlessly integrate PowerShell functionality, allowing it to execute malicious functions while evading detection mechanisms that might otherwise flag standalone PowerShell activity." Initially detected by Fortinet in 2020, ViperSoftX is known for its ability to exfiltrate sensitive information from compromised Windows hosts. Over the years, the malware has become a relevant example of threat actors continuously innovating their tactics in an attempt to stay stealthy and circumvent defenses. This is exemplified by the increas
Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

Jul 09, 2024 CI/CD Security / Server Security
Cybersecurity researchers have found that it's possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining. "Misconfigurations such as improperly set up authentication mechanisms expose the '/script' endpoint to attackers," Trend Micro's Shubham Singh and Sunil Bharti said in a technical write-up published last week. "This can lead to remote code execution (RCE) and misuse by malicious actors." Jenkins, a popular continuous integration and continuous delivery ( CI/CD ) platform, features a Groovy script console that allows users to run arbitrary Groovy scripts within the Jenkins controller runtime. The project maintainers, in the official documentation, explicitly note that the web-based Groovy shell can be used to read files containing sensitive data (e.g., "/etc/passwd"), decrypt credentials configured within Jenkins, and even reconfigure sec
New Ransomware-as-a-Service 'Eldorado' Targets Windows and Linux Systems

New Ransomware-as-a-Service 'Eldorado' Targets Windows and Linux Systems

Jul 08, 2024 Ransomware / Encryption
An emerging ransomware-as-a-service (RaaS) operation called Eldorado comes with locker variants to encrypt files on Windows and Linux systems. Eldorado first appeared on March 16, 2024, when an advertisement for the affiliate program was posted on the ransomware forum RAMP, Singapore-headquartered Group-IB said. The cybersecurity firm, which infiltrated the ransomware group, noted that its representative is a Russian speaker and that the malware does not overlap with previously leaked strains such as LockBit or Babuk. "The Eldorado ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption," researchers Nikolay Kichatov and Sharmine Low said . "It can encrypt files on shared networks using Server Message Block (SMB) protocol." The encryptor for Eldorado comes in four formats, namely esxi, esxi_64, win, and win_64, with its data leak
Cybersecurity
Expert Insights / Articles Videos
Cybersecurity Resources