#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Google+ | Breaking Cybersecurity News | The Hacker News

Gootkit Malware Continues to Evolve with New Components and Obfuscations

Gootkit Malware Continues to Evolve with New Components and Obfuscations

Jan 29, 2023 Cyber Threat / Malware
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is  monitoring  the activity cluster under the moniker  UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as  Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, and SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically  IcedID , via
Google Takes Down 50,000 Instances of Pro-Chinese DRAGONBRIDGE Influence Operation

Google Takes Down 50,000 Instances of Pro-Chinese DRAGONBRIDGE Influence Operation

Jan 26, 2023 Threat Analysis
Google on Thursday disclosed it took steps to dismantle over 50,000 instances of activity orchestrated by a pro-Chinese influence operation known as DRAGONBRIDGE in 2022. "Most DRAGONBRIDGE activity is low quality content without a political message, populated across many channels and blogs," the company's Threat Analysis Group (TAG)  said  in a  report  shared with The Hacker News. "However, a small fraction of DRAGONBRIDGE accounts also post about current events with messaging that pushes pro-China talking points." DRAGONBRIDGE  was first exposed by Google-owned Mandiant in July 2022, calling out its unsuccessful efforts in targeting rare earth mining companies in Australia, Canada, and the U.S. with the goal of triggering environmental protests against the firms. Also known by the name Spamouflage Dragon, the spammy influence network is known to have a presence across multiple platforms, including YouTube, Blogger, Facebook, and Twitter, primarily dissem
Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Jan 08, 2023 Cyberespionage / Threat Analysis
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker  UNC4210 , said the hijacked servers correspond to a variant of a commodity malware called  ANDROMEDA  (aka Gamarue) that was uploaded to VirusTotal in 2013. "UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers  said  in an analysis published last week. Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware. Since the onset of Russia's  milit
Google to Pay $29.5 Million to Settle Lawsuits Over User Location Tracking

Google to Pay $29.5 Million to Settle Lawsuits Over User Location Tracking

Jan 02, 2023 Privacy / Location Tracking
Google has agreed to pay a total of $29.5 million to settle two different lawsuits brought by Indiana and Washington, D.C., over its "deceptive" location tracking practices. The search and advertising giant is required to pay  $9.5 million to D.C.  and  $20 million to Indiana  after the states sued the company for charges that the company tracked users' locations without their express consent. The settlement adds to the  $391.5 million  Google agreed to pay to 40 states over similar allegations two months ago. The company is still facing two more location-tracking lawsuits in  Texas  and  Washington . The lawsuits came in response to revelations in 2018 that the internet company continued to track users' whereabouts on Android and iOS through a setting called  Web & App Activity  despite turning  Location History  options off. Google was also accused of employing  dark patterns , which refer to design choices intended to deceive users into carrying out actio
FrodoPIR: New Privacy-Focused Database Querying System

FrodoPIR: New Privacy-Focused Database Querying System

Dec 23, 2022 Encryption / Privacy / Browser
The developers behind the Brave open-source web browser have revealed a new privacy-preserving data querying and retrieval system called  FrodoPIR . The idea, the company  said , is to use the technology to build out a wide range of use cases such as safe browsing, scanning passwords against breached databases, certificate revocation checks, and streaming, among others. The scheme is called  FrodoPIR  because "the client can perform hidden queries to the server, just as Frodo remained hidden from Sauron," a reference to the characters from J. R. R. Tolkien's  The Lord of the Rings . PIR, short for  private information retrieval , is a cryptographic protocol that enables users (aka clients) to retrieve a piece of information from a database server without revealing to its owner which element was selected. In other words, the goal is to be able to query a platform for information (say, cooking videos) without letting the service provider infer from a user's search
Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It

Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It

Dec 19, 2022 Blockchain / Botnet
The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and "upscaled" campaign, months after Google disrupted the malicious activity. The ongoing attack is suggestive of the malware's resilience in the face of takedowns, cybersecurity company Nozomi Networks said in a write-up. "In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign," it  noted . The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from  MikroTik  and  Netgear . It's also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2)  since at least 2019 , rendering its infrastructure resistant to takedown efforts as in the case of a traditional server. Specifically
Google Takes Gmail Security to the Next Level with Client-Side Encryption

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Dec 18, 2022 Encryption / Email Security
Google on Friday announced that its client-side encryption for Gmail is in beta for Workspace and education customers as part of its efforts to secure emails sent using the web version of the platform. The development comes at a time when concerns about online privacy and data security are at an all-time high, making it a welcome change for users who value the protection of their personal data. To that end, Google Workspace Enterprise Plus, Education Plus, and Education Standard customers can apply to sign up for the beta until January 20, 2023. It's not available to personal Google Accounts. "Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers," the company  said  in a post. "Customers retain control over encryption keys and the identity service to access those keys." It is important to know that the latest safeguards offered by Gmail is different from end-to-end encryption.
Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities

Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities

Dec 13, 2022 Open Source / Vulnerability Database
Google on Tuesday announced the open source availability of  OSV-Scanner , a scanner that aims to offer easy access to vulnerability information about various projects. The  Go-based tool , powered by the Open Source Vulnerabilities ( OSV ) database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan in a post shared with The Hacker News. "The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer's list of packages and the information in vulnerability databases," Pan added. The idea is to identify all the transitive dependencies of a project and highlight relevant vulnerabilities using data pulled from OSV.dev database. Google further stated that the open source platform supports 16 ecosystems, counting all major languages, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel, and  OSS-Fuzz .
Google Adds Passkey Support to Chrome for Windows, macOS and Android

Google Adds Passkey Support to Chrome for Windows, macOS and Android

Dec 12, 2022 Password Management
Google has officially begun rolling out support for  passkeys , the next-generation passwordless login standard, to its stable version of Chrome web browser. "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant's Ali Sarraf  said . "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks." The improved security feature, which is available in version 108, comes nearly two months after Google  began testing the option  across Android, macOS, and Windows 11. Passkeys  obviate the need for passwords by requiring users to authenticate themselves during sign in by unlocking their nearby Android or iOS device using biometrics. This, however, calls for websites to build passkey support on their sites using the  WebAuthn API . Essentially, the technology works by creating a unique cryptographic key pair to associate with an account for the app or website d
Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

Dec 08, 2022 Patch Management / Zero-Day
An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent  Itaewon Halloween crowd crush  to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by  ScarCruft , which is also called APT37, InkySquid, Reaper, and Ricochet Chollima. "The group has historically focused their targeting on South Korean users, North Korean defectors, policy makers, journalists, and human rights activists," TAG  said  in a Thursday analysis. The new findings illustrate the threat actor's continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like  BLUELIGHT and Dolphin , the latter of which was disclosed by Slovak cybersecurity firm ESET late last month. Another key tool in its arsenal is  RokRat , a Windows-based remo
Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

Nov 25, 2022
Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as  CVE-2022-4135 , the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be  weaponized  by threat actors to crash a program or execute arbitrary code, leading to unintended behavior. According to the NIST's National Vulnerability Database, the flaw could permit a "remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page." "Google is aware that an exploit for CVE-2022-4135 exists in the wild," the tech giant  acknowledged  in an advisory. But like other actively exploited issues, technical specifics have been withheld until a majority of the users are updated with a fix and t
Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

Nov 21, 2022
Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called Glupteba , the company  said  last week. The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press sanctions against Google was denied. The development comes nearly a year after the tech giant  took down  the malware's command-and-control infrastructure and initiated legal proceedings against Dmitry Starovikov and Alexander Filippov , who are said to have been in charge of running the illegal botnet. The defendants, along with 15 others, have also been accused of using the malware to create a hacked network of devices to mine cryptocurrencies, harvest victims' personal and financial data, and place disruptive ads. Gluteba is distinguished from its botnet counterparts b
Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023

Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023

Nov 16, 2022
Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year. "The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company  said . To that end, developers will need to complete an enrollment process in order to utilize the ads-related APIs, including  Topics ,  FLEDGE , and  Attribution Reporting . Topics, which  replaced  Federated Learning of Cohorts (FLoC) earlier this year, aims to categorize user interests under different "topics" based on their device web browsing history. These inferred interests are then shared with marketers to serve targeted ads. FLEDGE and Attribution reporting, on the other hand, enable custom audience targeting and help measure  ad conversions  without relying on cross-party user identifiers, respectively. Organizations can also request acce
Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location

Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location

Nov 15, 2022
Internet giant Google has agreed to pay a record $391.5 million to settle with 40 states in the U.S. over charges the company misled users about the collection of personal location data. "Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information," Oregon Attorney General Ellen Rosenblum  said  Monday. "For years Google has prioritized profit over their users' privacy. They have been crafty and deceptive," Rosenblum stated. The investigation was sparked by a  2018 report  from the Associated Press that revealed Google was continuing to track users' locations on Android and iOS even when they turned off "location history" in their account settings, effectively undermining the privacy controls. Rosenblum said the location data gathered by Google is combined with other personal and behavioral information it collects to flesh out deta
Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

Nov 14, 2022
A new malicious campaign has compromised  over 15,000 WordPress websites  in an attempt to redirect visitors to bogus Q&A portals. "These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin  said  in a report published last week, calling it a "clever black hat SEO trick." The search engine poisoning technique is designed to promote a "handful of fake low quality Q&A sites" that share similar website-building templates and are operated by the same threat actor. A notable aspect of the campaign is the ability of the hackers to modify over 100 files per website on average, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection. Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php
Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan

Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan

Nov 11, 2022
Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi  said  in an analysis published Thursday. "It is also capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and multi-factor authentication requests." The cybersecurity firm said it also found an expense tracker app that exhibited similar behavior, but noted that it couldn't extract the URL used to fetch the malware artifact. The two malicious apps are as follows - Todo: Day manager (com.todo.daymanager) 経費キーパー (com.setprice.expenses) Both the apps function as a dropper, meaning the apps themselves are harmless and are a conduit to retrieve t
Hacker Rewarded $70,000 for Finding Way to Bypass Google Pixel Phones' Lock Screens

Hacker Rewarded $70,000 for Finding Way to Bypass Google Pixel Phones' Lock Screens

Nov 10, 2022
Google has resolved a high-severity security issue affecting all Pixel smartphones that could be trivially exploited to unlock the devices. The vulnerability, tracked as  CVE-2022-20465  and reported by security researcher David Schütz in June 2022, was remediated as part of the search giant's  monthly Android update  for November 2022. "The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user's device," Schütz, who was awarded $70,000 for the lock screen bypass,  said  in a write-up of the flaw. The problem, per the researcher, is rooted in the fact that lock screen protections are completely defeated when following a specific sequence of steps - Supply incorrect fingerprint three times to disable biometric authentication on the locked device Hot swap  the SIM card in the device with an attacker-controlled SIM that has a PIN code set up Enter incorrect SIM pin thric
Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Oct 28, 2022
Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability , tracked as  CVE-2022-3723 , has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild," the internet giant acknowledged in an advisory without getting into more specifics about the nature of the attacks. CVE-2022-3723 is the third actively exploited type confusion bug in V8 this year after  CVE-2022-1096  and  CVE-2022-1364 . The latest fix also marks the resolution of the seventh zero-day in Google Chrome since the start of 2022 - CVE-2022-0609  - Use-after-free in Animation CVE-2022-1096  - Type confusion in V8 CVE-2022-1364  - Type confusion in V8 CVE-2022-2294  - Heap buffer overflow in WebRTC
Google Launches GUAC Open Source Project to Secure Software Supply Chain

Google Launches GUAC Open Source Project to Secure Software Supply Chain

Oct 20, 2022
Google on Thursday announced that it's seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition , also known as GUAC, as part of its ongoing efforts to beef up the  software supply chain . "GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News. "GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding." Software supply chain has  emerged  a  lucrative   attack vector  for threat actors, wherein exploiting just one weakness -- as seen in the case of  SolarWinds  and  Log4Shell  -- opens a pathway long enough to traverse down the supply chain and steal sensitive data, plant malware, a
More Resources