#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Cyber Threat | Breaking Cybersecurity News | The Hacker News

Category — Cyber Threat
GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks

GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks

Oct 11, 2024 Malware / Financial Security
A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors. "In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories," Cofense researcher Jacob Malimban said . "Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments." Central to the attack chain is the abuse of GitHub infrastructure for staging the malicious payloads. One variation of the technique, first disclosed by OALABS Research in March 2024, involves threat actors opening a GitHub issue on well-known repositories
Cyberattack Group 'Awaken Likho' Targets Russian Government with Advanced Tools

Cyberattack Group 'Awaken Likho' Targets Russian Government with Advanced Tools

Oct 08, 2024 Cyber Threat / APT Attack
Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho . "The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems," Kaspersky said , detailing a new campaign that began in June 2024 and continued at least until August. The Russian cybersecurity company said the campaign primarily targeted Russian government agencies, their contractors, and industrial enterprises. Awaken Likho, also tracked as Core Werewolf and PseudoGamaredon, was first documented by BI.ZONE in June 2023 in connection with cyber attacks directed against defense and critical infrastructure sectors. The group is believed to be active since at least August 2021. The spear-phishing attacks involve distributing malicious executables disguised as Microsoft Word or PDF documents by assigning them double extensions like "doc
How to Get Going with CTEM When You Don't Know Where to Start

How to Get Going with CTEM When You Don't Know Where to Start

Oct 04, 2024Vulnerability Management / Security Posture
Continuous Threat Exposure Management (CTEM) is a strategic framework that helps organizations continuously assess and manage cyber risk. It breaks down the complex task of managing security threats into five distinct stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. Each of these stages plays a crucial role in identifying, addressing, and mitigating vulnerabilities - before they can be exploited by attackers.  On paper, CTEM sounds great . But where the rubber meets the road – especially for CTEM neophytes - implementing CTEM can seem overwhelming. The process of putting CTEM principles into practice can look prohibitively complex at first. However, with the right tools and a clear understanding of each stage, CTEM can be an effective method for strengthening your organization's security posture.  That's why I've put together a step-by-step guide on which tools to use for which stage. Want to learn more? Read on… Stage 1: Scoping  When you're defin
GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

Oct 08, 2024 Cyber Attack / Malware
A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets. Victims included a South Asian embassy in Belarus and a European Union (E.U.) government organization, Slovak cybersecurity company ESET said. "The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," security researcher Matías Porolli noted in an exhaustive analysis. GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks on government and diplomatic entities in the Middle East and South Asia. The adversary's origins stretch back to at least 2019. An important characteristic of the intrusions is the use of a worm named JackalWorm that's capable of infectin
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
The Value of AI-Powered Identity

The Value of AI-Powered Identity

Oct 08, 2024 Machine Learning / Data Security
Introduction Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately. In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management systems. AI-powered identity lifecycle management is at the vanguard of digital identity and is used to enhance security, streamline governance and improve the UX of an identity system. Benefits of an AI-powered identity AI is a technology that crosses barriers between traditionally opposing business area drivers, bringing previously conflicting areas together: AI enables better operational efficiency by reducing risk and improving security AI enables businesses to achieve goals by securing cyber-resilience AI facilitates agile and secure access by ensuring regulatory compliance AI and unifi
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024 Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

Oct 02, 2024 Cyber Threat / Malware
Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack. "While the attackers didn't succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated," Symantec, part of Broadcom, said in a report shared with The Hacker News. Andariel is a threat actor that's assessed to be a sub-cluster within the infamous Lazarus Group. It's also tracked as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. It's been active since at least 2009. An element within North Korea's Reconnaissance General Bureau (RGB), the hacking crew has a track record of deploying ransomware strains such as SHATTEREDGLASS and Maui , while also developing an arsenal of custom backdoors like Dtrack (aka Valefor and Preft),
Cybersecurity Researchers Warn of New Rust-Based Splinter Post-Exploitation Tool

Cybersecurity Researchers Warn of New Rust-Based Splinter Post-Exploitation Tool

Sep 25, 2024 Penetration Testing / Cyber Threat
Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called Splinter in the wild. Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems. "It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik Reichel said . "While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused." Penetration testing tools are often used for red team operations to flag potential security issues in a company's network. However, such adversary simulation tools can also be weaponized by threat actors to their advantage.  Unit 42 said it has not detected any threat actor activity associated with the Splinter tool set. There is no information as yet on who developed the t
ChatGPT macOS Flaw Could've Enabled Long-Term Spyware via Memory Function

ChatGPT macOS Flaw Could've Enabled Long-Term Spyware via Memory Function

Sep 25, 2024 Artificial Intelligence / Vulnerability
A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware , could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said . The issue, at its core, abuses a feature called memory , which OpenAI introduced earlier this February before rolling it out to ChatGPT Free, Plus, Team, and Enterprise users at the start of the month. What it does is essentially allow ChatGPT to remember certain things across chats so that it saves users the effort of repeating the same information over and over again. Users also have the option to instruct the program to forget something. "ChatGPT's memories evolve with your interactions and aren't linked to s
Why 'Never Expire' Passwords Can Be a Risky Decision

Why 'Never Expire' Passwords Can Be a Risky Decision

Sep 23, 2024 Password Management / Data Breach
Password resets can be frustrating for end users. Nobody likes being interrupted by the 'time to change your password' notification – and they like it even less when the new passwords they create are rejected by their organization's password policy. IT teams share the pain, with resetting passwords via service desk tickets and support calls being an everyday burden. Despite this, it's commonly accepted that all passwords should expire after a set period of time.  Why is this the case? Do you need password expiries at all? Explore the reason expiries exist and why setting passwords to 'never expire' might save some headaches, but not be the best idea for cybersecurity.  Why do we have password expiries? The traditional 90-day password reset policy stems from the need to protect against brute-force attacks . Organizations typically store passwords as hashes, which are scrambled versions of the actual passwords created using cryptographic hash functions (CHFs). When a user enters thei
Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in Middle East

Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in Middle East

Sep 20, 2024 Malware / Cyber Threat
An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks. Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860 , which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and Check Point as Storm-0861 (formerly DEV-0861), ShroudedSnooper , and Scarred Manticore , respectively. "A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that [...] supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East," the company said . The group first came to light in July 2022 in connection with destructive cyber attacks targeting Albania with a rans
Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms

Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms

Sep 19, 2024 Cyber Attack / Hacking
Threat actors have been observed targeting the construction sector by infiltrating the FOUNDATION Accounting Software , according to new findings from Huntress. "Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product's default credentials," the cybersecurity company said . Targets of the emerging threat include plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and other related sub-industries. The FOUNDATION software comes with a Microsoft SQL (MS SQL) Server to handle database operations, and, in some cases, has the TCP port 4243 open to directly access the database via a mobile app. Huntress said the server includes two high-privileged accounts, including "sa," a default system administrator account, and "dba," an account created by FOUNDATION, that are often left with unchanged default credentials. A consequence of this action is that threat actors could brute-force th
Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users

Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users

Sep 17, 2024 Cryptocurrency / Malware
Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud. Clipper malware, also called ClipBankers , is a type of malware that Microsoft calls cryware , which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including replacing cryptocurrency addresses with those under an attacker's control. In doing so, digital asset transfers initiated on a compromised system are routed to a rogue wallet instead of the intended destination address. "In clipping and switching, a cryware monitors the contents of a user's clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address," the tech giant noted way back in 2022. "If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipbo
Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure

Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence Exposure

Sep 16, 2024 Spyware / Threat Intelligence
Apple has filed a motion to "voluntarily" dismiss its lawsuit against commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The development was first reported by The Washington Post on Friday. The iPhone maker said its efforts, coupled with those of others in the industry and national governments to tackle the rise of commercial spyware, have "substantially weakened" the defendants. "At the same time, unfortunately, other malicious actors have arisen in the commercial spyware industry," the company said. "It is because of this combination of factors that Apple now seeks voluntary dismissal of this case." "While Apple continues to believe in the merits of its claims, it has also determined that proceeding further with this case has the potential to put vital security information at risk." Apple originally filed the lawsuit again
Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances

Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances

Sep 11, 2024 Network Security / Hacking
The operators of the mysterious Quad7 botnet are actively evolving by compromising several brands of SOHO routers and VPN appliances by leveraging a combination of both known and unknown security flaws. Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report by French cybersecurity company Sekoia. "The Quad7 botnet operators appear to be evolving their toolset, introducing a new backdoor and exploring new protocols, with the aim of enhancing stealth and evading the tracking capabilities of their operational relay boxes (ORBs)," researchers Felix Aimé, Pierre-Antoine D., and Charles M. said .  Quad7, also called 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, highlighting the activity cluster's pattern of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet. The botnet, which gets its name from the fact it opens TCP port 7777 on compromised devices,
Expert Insights / Articles Videos
Cybersecurity Resources