#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Google+ | Breaking Cybersecurity News | The Hacker News

Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

Nov 25, 2022
Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as  CVE-2022-4135 , the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be  weaponized  by threat actors to crash a program or execute arbitrary code, leading to unintended behavior. According to the NIST's National Vulnerability Database, the flaw could permit a "remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page." "Google is aware that an exploit for CVE-2022-4135 exists in the wild," the tech giant  acknowledged  in an advisory. But like other actively exploited issues, technical specifics have been withheld until a majority of the users are updated with a fix and t
Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

Nov 21, 2022
Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called Glupteba , the company  said  last week. The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press sanctions against Google was denied. The development comes nearly a year after the tech giant  took down  the malware's command-and-control infrastructure and initiated legal proceedings against Dmitry Starovikov and Alexander Filippov , who are said to have been in charge of running the illegal botnet. The defendants, along with 15 others, have also been accused of using the malware to create a hacked network of devices to mine cryptocurrencies, harvest victims' personal and financial data, and place disruptive ads. Gluteba is distinguished from its botnet counterparts b
Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023

Google to Roll Out Privacy Sandbox Beta on Android 13 by Early 2023

Nov 16, 2022
Internet behemoth Google on Tuesday said it plans to roll out Privacy Sandbox for Android in beta to mobile devices running Android 13 starting early next year. "The Privacy Sandbox Beta will be available for ad tech and app developers who wish to test the ads-related APIs as part of their solutions," the company  said . To that end, developers will need to complete an enrollment process in order to utilize the ads-related APIs, including  Topics ,  FLEDGE , and  Attribution Reporting . Topics, which  replaced  Federated Learning of Cohorts (FLoC) earlier this year, aims to categorize user interests under different "topics" based on their device web browsing history. These inferred interests are then shared with marketers to serve targeted ads. FLEDGE and Attribution reporting, on the other hand, enable custom audience targeting and help measure  ad conversions  without relying on cross-party user identifiers, respectively. Organizations can also request acce
Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location

Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location

Nov 15, 2022
Internet giant Google has agreed to pay a record $391.5 million to settle with 40 states in the U.S. over charges the company misled users about the collection of personal location data. "Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information," Oregon Attorney General Ellen Rosenblum  said  Monday. "For years Google has prioritized profit over their users' privacy. They have been crafty and deceptive," Rosenblum stated. The investigation was sparked by a  2018 report  from the Associated Press that revealed Google was continuing to track users' locations on Android and iOS even when they turned off "location history" in their account settings, effectively undermining the privacy controls. Rosenblum said the location data gathered by Google is combined with other personal and behavioral information it collects to flesh out deta
Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

Nov 14, 2022
A new malicious campaign has compromised  over 15,000 WordPress websites  in an attempt to redirect visitors to bogus Q&A portals. "These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin  said  in a report published last week, calling it a "clever black hat SEO trick." The search engine poisoning technique is designed to promote a "handful of fake low quality Q&A sites" that share similar website-building templates and are operated by the same threat actor. A notable aspect of the campaign is the ability of the hackers to modify over 100 files per website on average, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection. Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php
Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan

Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan

Nov 11, 2022
Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi  said  in an analysis published Thursday. "It is also capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and multi-factor authentication requests." The cybersecurity firm said it also found an expense tracker app that exhibited similar behavior, but noted that it couldn't extract the URL used to fetch the malware artifact. The two malicious apps are as follows - Todo: Day manager (com.todo.daymanager) 経費キーパー (com.setprice.expenses) Both the apps function as a dropper, meaning the apps themselves are harmless and are a conduit to retrieve t
Hacker Rewarded $70,000 for Finding Way to Bypass Google Pixel Phones' Lock Screens

Hacker Rewarded $70,000 for Finding Way to Bypass Google Pixel Phones' Lock Screens

Nov 10, 2022
Google has resolved a high-severity security issue affecting all Pixel smartphones that could be trivially exploited to unlock the devices. The vulnerability, tracked as  CVE-2022-20465  and reported by security researcher David Schütz in June 2022, was remediated as part of the search giant's  monthly Android update  for November 2022. "The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user's device," Schütz, who was awarded $70,000 for the lock screen bypass,  said  in a write-up of the flaw. The problem, per the researcher, is rooted in the fact that lock screen protections are completely defeated when following a specific sequence of steps - Supply incorrect fingerprint three times to disable biometric authentication on the locked device Hot swap  the SIM card in the device with an attacker-controlled SIM that has a PIN code set up Enter incorrect SIM pin thric
Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Oct 28, 2022
Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability , tracked as  CVE-2022-3723 , has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild," the internet giant acknowledged in an advisory without getting into more specifics about the nature of the attacks. CVE-2022-3723 is the third actively exploited type confusion bug in V8 this year after  CVE-2022-1096  and  CVE-2022-1364 . The latest fix also marks the resolution of the seventh zero-day in Google Chrome since the start of 2022 - CVE-2022-0609  - Use-after-free in Animation CVE-2022-1096  - Type confusion in V8 CVE-2022-1364  - Type confusion in V8 CVE-2022-2294  - Heap buffer overflow in WebRTC
Google Launches GUAC Open Source Project to Secure Software Supply Chain

Google Launches GUAC Open Source Project to Secure Software Supply Chain

Oct 20, 2022
Google on Thursday announced that it's seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition , also known as GUAC, as part of its ongoing efforts to beef up the  software supply chain . "GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News. "GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding." Software supply chain has  emerged  a  lucrative   attack vector  for threat actors, wherein exploiting just one weakness -- as seen in the case of  SolarWinds  and  Log4Shell  -- opens a pathway long enough to traverse down the supply chain and steal sensitive data, plant malware, a
Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

Oct 12, 2022
Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome. "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant  said . "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks." The feature was  first announced  in May 2022 as part of a broader push to support a common passwordless sign-in standard. Passkeys, established by the FIDO Alliance and also backed by  Apple and Microsoft , aim to replace standard passwords with unique digital keys that are stored locally on the device. To that end, creating a passkey requires confirmation from the end-user about the account that will be used to log in to the online service, followed by using their biometric information or the  device   passcode . Signing in to a website on a mobile device is also a simple two-step process that en
New Malware Families Found Targeting VMware ESXi Hypervisors

New Malware Families Found Targeting VMware ESXi Hypervisors

Sep 30, 2022
Threat actors have been found deploying never-before-seen post-compromise implants in VMware's virtualization software to seize control of infected systems and evade detection. Google's Mandiant threat intelligence division referred to it as a "novel malware ecosystem" that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access to the  hypervisor  as well as execute arbitrary commands. The  hyperjacking attacks , per the cybersecurity vendor, involved the use of malicious vSphere Installation Bundles ( VIBs ) to sneak in two implants, dubbed VIRTUALPITA and VIRTUALPIE, on the ESXi hypervisors. "It is important to highlight that this is not an external remote code execution vulnerability; the attacker needs admin-level privileges to the ESXi hypervisor before they can deploy malware," Mandiant researchers Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore said in an exhaus
Researchers Identify 3 Hacktivist Groups Supporting Russian Interests

Researchers Identify 3 Hacktivist Groups Supporting Russian Interests

Sep 26, 2022
At least three alleged hacktivist groups working in support of Russian interests are likely doing so in collaboration with state-sponsored cyber threat actors, according to Mandiant. The Google-owned threat intelligence and incident response firm  said  with moderate confidence that "moderators of the purported hacktivist Telegram channels 'XakNet Team,' 'Infoccentr,' and 'CyberArmyofRussia_Reborn' are coordinating their operations with Russian Main Intelligence Directorate (GRU)-sponsored cyber threat actors." Mandiant's assessment is based on evidence that the leakage of data stolen from Ukrainian organizations occurred within 24 hours of  malicious wiper incidents  undertaken by the Russian nation-state group tracked as  APT28  (aka Fancy Bear, Sofacy, or Strontium). To that end, four of the 16 data leaks from these groups coincided with  disk wiping malware attacks  by APT28 that involved the use of a strain dubbed  CaddyWiper . APT28 , a
Google to Make Account Login Mandatory for New Fitbit Users in 2023

Google to Make Account Login Mandatory for New Fitbit Users in 2023

Sep 26, 2022
Wearable technology company Fitbit has announced a new clause that requires users to switch to a Google account "sometime" in 2023. "In 2023, we plan to launch Google accounts on Fitbit, which will enable use of Fitbit with a Google account," the Google-owned fitness devices maker  said . The switch will not go live for all users in 2023. Rather, support for Fitbit accounts is expected to continue until at least the beginning of 2025, after which a Google account will be mandatory for using the devices. The deeper integration also means that a Google account will be compulsory to sign up for Fitbit and activate new features, including those that incorporate Google products and services such as Google Assistant. Also necessitated as part of the transition is the consent from the part of users to move their personal data from Fitbit to Google. The internet giant  stressed that  users' personal information will not be used to serve ads. The goal, Fitbit said
Void Balaur Hackers-for-Hire Targeting Russian Businesses and Politics Entities

Void Balaur Hackers-for-Hire Targeting Russian Businesses and Politics Entities

Sep 23, 2022
A hack-for-hire group that was  first exposed in 2019  has expanded its focus to set its sights on entities with business or political ties to Russia. Dubbed Void Balaur , the cyber mercenary collective has a history of launching cyberattacks against biotechnology and telecom companies since 2015. As many as 3,500 victims have been reported as of November 2021. "Void Balaur [...] primarily dabbles in cyber espionage and data theft, selling the stolen information to anyone willing to pay," Trend Micro  noted  at the time. Attacks conducted by the group are typically both generic and opportunistic and are aimed at gaining unauthorized access to widely-used email services, social media, messaging, and corporate accounts. Earlier this June, Google's Threat Analysis Group (TAG) took the wraps off a set of  credential theft attacks  targeting journalists, European politicians, and non-profit's mounted by the threat actor. "Void Balaur also goes after targets va
Google Releases Urgent Chrome Update to Patch New Zero-Day Vulnerability

Google Releases Urgent Chrome Update to Patch New Zero-Day Vulnerability

Sep 03, 2022
Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild. The issue, assigned the identifier  CVE-2022-3075 , concerns a case of insufficient data validation in  Mojo , which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). An anonymous researcher has been credited with reporting the high-severity flaw on August 30, 2022. "Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the internet giant  said , without delving into additional specifics about the nature of the attacks to prevent additional threat actors from taking advantage of the flaw. The latest update makes it the sixth zero-day vulnerability in Chrome that Google has resolved since the start of the year - CVE-2022-0609  - Use-after-free in Animation CVE-2022-1096  - Type confusion in V8 CVE-2022-1364  -
Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

Aug 31, 2022
Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to  eleet or leet ) to secure the ecosystem from  supply chain attacks . Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs. With the tech giant the maintainer of major projects such as Angular, Bazel, Golang, Protocol Buffers, and Fuchsia, the program aims to reward vulnerability discoveries that could otherwise have a significant impact on the larger open source landscape.  Other projects managed by Google and hosted on public repositories such as GitHub as well as the third-party dependencies that are included in those projects are also eligible. Submissions  from bug hunters are expected to meet the following criteria - Vulnerabilities that lead to supply chain compromise Design issues that cause product vulnerabilities Other security
Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts

Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts

Aug 23, 2022
The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Dubbed  HYPERSCRAPE  by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against less than two dozen accounts in Iran, with the oldest known sample dating back to 2020. The tool was first discovered in December 2021. Charming Kitten, a prolific advanced persistent threat (APT), is believed to be  associated  with Iran's Islamic Revolutionary Guard Corps (IRGC) and has a history of conducting espionage aligned with the interests of the government. Tracked as APT35, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda, elements of the group have also carried out ransomware attacks, suggesting that the threat actor's motives are both espionage and financially driven. "HYPERSCRAPE requires the victim's account
Google Cloud Blocks Record DDoS attack of 46 Million Requests Per Second

Google Cloud Blocks Record DDoS attack of 46 Million Requests Per Second

Aug 19, 2022
Google's cloud division on Thursday disclosed it mitigated a series of HTTPS distributed denial-of-service (DDoS) attacks which peaked at 46 million requests per second (RPS), making it the largest such DDoS offensive recorded to date. The attack, which occurred on June 1, 2022, targeting an unnamed Google Cloud Armor customer, is 76% larger than the  26 million RPS DDoS attack  repealed by Cloudflare earlier this year, surpassing a then-record attack of 17.2 million RPS. "To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds," Google Cloud's Emil Kiner and Satya Konduru  said . It's said to have started around 9:45 a.m. PT with 10,000 RPS, before growing to 100,000 RPS eight minutes later and further ramping up within two minutes to hit a high of 46 million RPS at 10:18 a.m. PT. In all, the DDoS assault lasted for a total of 69 minutes.
New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild

New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild

Aug 17, 2022
Google on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild. Tracked as  CVE-2022-2856 , the issue has been described as a case of insufficient validation of untrusted input in  Intents . Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on July 19, 2022. As is typically the case, the tech giant has refrained from sharing additional specifics about the shortcoming until a majority of the users are updated. "Google is aware that an exploit for CVE-2022-2856 exists in the wild," it  acknowledged  in a terse statement. The latest update further addresses 10 other security flaws, most of which relate to use-after-free bugs in various components such as FedCM, SwiftShader, ANGLE, and Blink, among others. Also fixed is a heap buffer overflow vulnerability in Downloads. The development marks the fifth zero-day vulnerab
Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024

Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024

Jul 28, 2022
Google on Wednesday said it's once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. "The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox,  said . In keeping this in mind, the internet and ad tech giant said it's taking a "deliberate approach" and  extending the testing window  for its ongoing Privacy Sandbox initiatives prior to phasing out third-party cookies. Cookies are pieces of data planted on a user's computer or other device by the web browser as a website is accessed, with third-party cookies fueling much of the digital advertising ecosystem and its ability to track users across different sites to show targeted ads. Privacy Sandbox is Google's umbrella term for a set of technologies
More Resources

Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.