#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Cybereason | Breaking Cybersecurity News | The Hacker News

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

Dec 14, 2023 Malware / Threat Analysis
A pro-Hamas threat actor known as  Gaza Cyber Gang  is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi. The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor. "Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski  said  in a report shared with The Hacker News. Gaza Cyber Gang, believed to be  active since at least  2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access. Some of the  notable   malware   families  in its  arsenal   include  BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpSt
Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor

Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor

Apr 25, 2023 Cyber Threat / PowerShell
An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a Windows backdoor called PowerLess . Cybersecurity firm Check Point is tracking the activity cluster under its mythical creature handle  Educated Manticore , which exhibits "strong overlaps" with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. "Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains," the Israeli company  said  in a technical report published today. Active since at least 2011, APT35 has cast a  wide net of targets  by leveraging  fake social media personas ,  spear-phishing techniques , and  N-day vulnerabilities in internet-exposed applications  to gain initial access and drop various payloads, includi
Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know

Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know

Feb 13, 2024SaaS Security / Data Breach
The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems. In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised  OAuth tokens  from a prior breach at Okta, a SaaS identity security provider.  What Exactly Happened? Microsoft Midnight Blizzard Breach Microsoft was targeted by the Russian "Midnight Blizzard" hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin's forei
Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Feb 09, 2023 Threat Intelligence / Malware
The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver  Cobalt Strike  and  SystemBC  for post-exploitation. "The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than four hours," Cybereason  said  in an analysis published February 8, 2023. Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads. The shift in tactics was  first uncovered  by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files th
cyber security

The Critical State of AI in the Cloud

websiteWiz.ioArtificial Intelligence / Cloud Security
Wiz Research reveals the explosive growth of AI adoption and what 150,000+ cloud accounts revealed about the AI surge.
Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware

Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware

Nov 24, 2022
Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks. "In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and Danielle Frankel  said  in a report shared with The Hacker News. Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as a leverage to extort cryptocurrency payments by threatening to release the stolen information. This is not the first time the ransomware crew has been observed using Qakbot (aka QBot, QuackBot, or Pinkslipbot). Last month, Trend Micro  disclosed  similar attacks that entailed the use of Qakbot to deliver the  Brute Ratel C4  framework, which, in turn,
Hackers Using Bumblebee Loader to Compromise Active Directory Services

Hackers Using Bumblebee Loader to Compromise Active Directory Services

Aug 18, 2022
The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities. "Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration," Cybereason researchers Meroujan Antonyan and Alon Laufer  said  in a technical write-up. Bumblebee  first came to light in March 2022 when Google's Threat Analysis Group (TAG) unmasked the activities of an initial access broker dubbed  Exotic Lily  with ties to the  TrickBot  and the larger  Conti  collectives. Typically delivered via initial access acquired through spear-phishing campaigns, the modus operandi has since been tweaked by eschewing macro-laced documents in favor of ISO and LNK files, primarily in response to Microsoft's decision to  block macros by default . "Distribution of the malware is done
Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets

Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets

Jul 08, 2022
LockBit ransomware attacks are constantly evolving by making use of a wide range of techniques to infect targets while also taking steps to disable endpoint security solutions. "The affiliates that use LockBit's services conduct their attacks according to their preference and use different tools and techniques to achieve their goal," Cybereason security analysts Loïc Castel and Gal Romano  said . "As the attack progresses further along the kill chain, the activities from different cases tend to converge to similar activities." LockBit, which operates on a ransomware-as-a-service (RaaS) model like most groups, was first observed in September 2019 and has since emerged as the most dominant ransomware strain this year, surpassing other well-known groups like  Conti ,  Hive , and  BlackCat . This involves the malware authors licensing access to affiliates, who execute the attacks in exchange for using their tools and infrastructure and earn as much as 80% of ea
Cybersecurity Experts Warn of Emerging Threat of "Black Basta" Ransomware

Cybersecurity Experts Warn of Emerging Threat of "Black Basta" Ransomware

Jun 27, 2022
The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window. "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason  said  in a report. Evidence indicates the ransomware strain was still in development as recently as February 2022, and only started to be used in attacks starting April after it was advertised on underground forums with an intent to buy and monetize corporate network access for a share of the profits. Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish
Cybersecurity Resources