#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

FortiGuard | Breaking Cybersecurity News | The Hacker News

Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

Jul 17, 2023 Malware / Cyber Threat
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called  LokiBot  on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin  said . "It primarily targets Windows systems and aims to gather sensitive information from infected machines." The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of  CVE-2021-40444  and  CVE-2022-30190  (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers a
New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web

New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web

Apr 24, 2023 Cyber Risk / Dark Web
A new "all-in-one" stealer malware named  EvilExtractor  (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin  said . "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server." The network security company said it observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer. The attack tool is being sold by an actor named Kodex on cybercrime forums like Cracked dating back to October 22, 2022. It's continually updated and
Hands-on Review: Cynomi AI-powered vCISO Platform

Hands-on Review: Cynomi AI-powered vCISO Platform

Apr 10, 2024vCISO / Risk Assessment
The need for vCISO services is growing. SMBs and SMEs are dealing with more third-party risks, tightening regulatory demands and stringent cyber insurance requirements than ever before. However, they often lack the resources and expertise to hire an in-house security executive team. By outsourcing security and compliance leadership to a vCISO, these organizations can more easily obtain cybersecurity expertise specialized for their industry and strengthen their cybersecurity posture. MSPs and MSSPs looking to meet this growing vCISO demand are often faced with the same challenge. The demand for cybersecurity talent far exceeds the supply. This has led to a competitive market where the costs of hiring and retaining skilled professionals can be prohibitive for MSSPs/MSPs as well. The need to maintain expertise of both security and compliance further exacerbates this challenge. Cynomi, the first AI-driven vCISO platform , can help. Cynomi enables you - MSPs, MSSPs and consulting firms
New GoTrim Botnet Attempting to Break into WordPress Sites' Admin Accounts

New GoTrim Botnet Attempting to Break into WordPress Sites' Admin Accounts

Dec 14, 2022 Website Security / Linux
A new Go-based botnet has been spotted scanning and brute-forcing self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems. "This new brute forcer is part of a new campaign we have named GoTrim because it was written in Go and uses ':::trim:::' to split data communicated to and from the C2 server," Fortinet FortiGuard Labs researchers Eduardo Altares, Joie Salvio, and Roy Tay  said . The active campaign, observed since September 2022, utilizes a bot network to perform distributed brute-force attacks in an attempt to login to the targeted web server. A successful break-in is followed by the operator installing a downloader PHP script in the newly compromised host that, in turn, is designed to deploy the "bot client" from a hard-coded URL, effectively adding the machine to the growing network. In its present form, GoTrim does not have self-propagation capabilities of its own, nor can it distribute oth
cyber security

WATCH: The SaaS Security Challenge in 90 Seconds

websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.
Royal Ransomware Threat Takes Aim at U.S. Healthcare System

Royal Ransomware Threat Takes Aim at U.S. Healthcare System

Dec 12, 2022 Healthcare IT / Ransomware
The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country. "While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal," the agency's Health Sector Cybersecurity Coordination Center (HC3)  said  [PDF]. "The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data." Royal ransomware, per  Fortinet FortiGuard Labs , is said to be active since at least the start of 2022. The malware is a 64-bit Windows executable written in C++ and is launched via the command line, indicating that it involves a human operator to trigger the infection after obtaining access to a targeted environment. Besides deleting volume shadow copies on the system, Royal utilizes the OpenSSL cryptographic library
New Go-based Botnet Exploiting Exploiting Dozens of IoT Vulnerabilities to Expand its Network

New Go-based Botnet Exploiting Exploiting Dozens of IoT Vulnerabilities to Expand its Network

Dec 07, 2022 Internet of Things / Botnet
NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai. A novel Go-based botnet called  Zerobot  has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software. The botnet "contains several modules, including self-replication, attacks for different protocols, and self-propagation," Fortinet FortiGuard Labs researcher Cara Lin  said . "It also communicates with its command-and-control server using the WebSocket protocol." The campaign, which is said to have commenced after November 18, 2022, primarily singles out Windows and Linux operating systems to gain control of vulnerable devices. Zerobot gets its name from a propagation script that's used to retrieve the malicious payload after gaining access to a host depending on its microarchitecture
Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug

Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug

Oct 11, 2022
Fortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild. Tracked as  CVE-2022-40684  (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative interface via specially crafted HTTP(S) requests. "Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'" the company  noted  in an advisory. The list of impacted devices is below - FortiOS version 7.2.0 through 7.2.1 FortiOS version 7.0.0 through 7.0.6 FortiProxy version 7.2.0 FortiProxy version 7.0.0 through 7.0.6 FortiSwitchManager version 7.2.0, and FortiSwitchManager version 7.0.0 Updates hav
Beastmode DDoS Botnet Exploiting New TOTOLINK Bugs to Enslave More Routers

Beastmode DDoS Botnet Exploiting New TOTOLINK Bugs to Enslave More Routers

Apr 04, 2022
A variant of the Mirai botnet called Beastmode has been observed adopting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022 to infect unpatched devices and expand its reach potentially. "The Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits," Fortinet's FortiGuard Labs Research team  said . "Five new exploits were added within a month, with three targeting various models of TOTOLINK routers." The list of exploited vulnerabilities in TOTOLINK routers is as follows - CVE-2022-26210  (CVSS score: 9.8) - A command injection vulnerability that could be exploited to gain arbitrary code execution CVE-2022-26186  (CVSS score: 9.8) - A command injection vulnerability affecting TOTOLINK N600R and A7100RU routers, and CVE-2022-25075 to CVE-2022-25084  (CVSS scores: 9.8) - A command injection vulnerability impacting multiple TOTOLINK routers, leading to code execution The other e
Cybersecurity Resources