Intrusion detection | Breaking Cybersecurity News | The Hacker News

Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners. Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM . The campaign has been attributed to a threat actor Wiz tracks as JINX-0126. "The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly – likely to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation," researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski said . Wiz has also revealed that the campaign has likely claimed over 1,500 victims to date, indicating that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become ...

If you're using AWS, it's easy to assume your cloud security is handled - but that's a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer's responsibility. Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it's up to the customer to handle the locks, install the alarm systems, and ensure valuables aren't left exposed. In this blog, we'll clarify what AWS doesn't secure, highlight real-world vulnerabilities, and how cloud security scanners like Intruder can help. Understanding the AWS Shared Responsibility Model AWS operates on a Shared Responsibility Model . In simple terms: AWS is responsible for securing the underlying infrastructure (e.g., hardware, networking, data centers) - the "walls and roof." The customer is responsible for securing their data, applications, and configurations within AWS - the "locks and al...

U.S. telecom service provider T-Mobile said it recently detected attempts made by bad actors to infiltrate its systems in recent weeks but noted that no sensitive data was accessed. These intrusion attempts "originated from a wireline provider's network that was connected to ours," Jeff Simon, chief security officer at T-Mobile, said in a statement. "We see no instances of prior attempts like this." The company further said its security defenses prevented the threat actors from disrupting its services or obtaining customer information. It has since confirmed that it cut off connectivity to the unnamed provider's network. It did not explicitly attribute the activity to any known threat actor or group, but noted that it has shared its findings with the U.S. government. Speaking to Bloomberg, Simon said the company observed the attackers running discovery-related commands on routers to probe the topography of the network, adding the attacks were containe...

One of the most effective ways for information technology (IT) professionals to uncover a company's weaknesses before the bad guys do is penetration testing. By simulating real-world cyberattacks, penetration testing, sometimes called pentests, provides invaluable insights into an organization's security posture, revealing weaknesses that could potentially lead to data breaches or other security incidents.  Vonahi Security , the creators of vPenTest, an automated network penetration testing platform, just released their annual report, " The Top 10 Critical Pentest Findings 2024 ." In this report, Vonahi Security conducted over 10,000 automated network pentests, uncovering the top 10 internal network pentest findings at over 1,200 organizations. Let's dive into each of these critical findings to better understand the common exploitable vulnerabilities organizations face and how to address them effectively. Top 10 Pentest Findings & Recommendations 1. Multicast DNS (MDNS) S...

We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems? Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think. Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers exploit these weaknesses to steal login information, gain sneaky access, and move around your systems unnoticed, whether they're in the cloud or on-site. This upcoming webinar,  " Today's Top 4 Identity Security Threat Exposures: Are You Vulnerable? "  isn't just for tech experts—it's about protecting your business.  We'll use real-world examples and insights from Silverfort's latest report to show you the hidden dangers of ITEs. You'll learn about: The Top 4 Identity Threats You Might Be Overlooking:  We'll name them and explain why they're ...

Each New Year introduces a new set of challenges and opportunities for strengthening our cybersecurity posture. It's the nature of the field – the speed at which malicious actors carry out advanced persistent threats brings a constant, evolving battle for cyber resilience. The excitement in cybersecurity lies in this continuous adaptation and learning, always staying one step ahead of potential threats. As practitioners in an industry that operates around-the-clock, this hypervigilance becomes second nature. We are always in a constant state of readiness, anticipating the next move, adapting strategies, and counteracting threats. However, it remains just as crucial to have our fingers on the pulse of the most common vulnerabilities impacting security postures  right now . Why? Knowing these weak points is not just about defense; it's about ensuring robust, uninterrupted business continuity in an environment where risks are always around the corner. The Importance of Regularl...

Download the free guide , "It's a Generative AI World: How vCISOs, MSPs and MSSPs Can Keep their Customers Safe from Gen AI Risks." ChatGPT now boasts anywhere from 1.5 to 2 billion visits per month. Countless sales, marketing, HR, IT executive, technical support, operations, finance and other functions are feeding data prompts and queries into generative AI engines. They use these tools to write articles, create content, compose emails, answer customer questions and generate plans and strategies.  However, gen AI usage is happening far in advance of efforts to implement safeguards and cybersecurity constraints. Three primary areas of security concern associated with generative AI are: sensitive data included in gen AI scripts, outcomes produced by these tools that may put an organization at risk, and potential hazards related to utilizing third-party generative AI tools. Unchecked AI usage in organizations can lead to:  Major data breaches.  Compromised identities...

A few weeks ago, the 32nd edition of RSA, one of the world's largest cybersecurity conferences, wrapped up in San Francisco. Among the highlights, Kevin Mandia, CEO of Mandiant at Google Cloud, presented a retrospective on  the state of cybersecurity . During his keynote, Mandia stated: "There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attack [...] Honeypots , or fake accounts deliberately left untouched by authorized users,  are effective at helping organizations detect intrusions or malicious activities that security products can't stop ". "Build honeypots" was one of his seven pieces of advice to help organizations avoid some of the attacks that might require engagement with Mandiant or other incident response firms. As a reminder, honeypots are  decoy systems  that are set up to lure attackers and divert their attentio...

Details have emerged about a now-patched security vulnerability in the Snort intrusion detection and prevention system that could trigger a denial-of-service (DoS) condition and render it powerless against malicious traffic. Tracked as  CVE-2022-20685 , the vulnerability is rated 7.5 for severity and resides in the Modbus preprocessor of the Snort detection engine. It affects all open-source Snort project releases earlier than 2.9.19 as well as version 3.1.11.0. Maintained by Cisco,  Snort  is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that offers real-time network traffic analysis to spot potential signs of malicious activity based on predefined rules. "The vulnerability, CVE-2022-20685, is an integer-overflow issue that can cause the Snort Modbus OT preprocessor to enter an infinite  while loop ," Uri Katz, a security researcher with Claroty,  said  in a report published last week. "A successful exploit keep...

What could be even worse than getting hacked? It's the "failure to detect intrusions" that always results in huge losses to the organizations. Utah-based technology company InfoTrax Systems is the latest example of such a security blunder, as the company was breached more than 20 times from May 2014 until March 2016. What's ironic is that the company detected the breach only after it received an alert that its servers had reached maximum storage capacity due to a data archive file that the hacker created. InfoTrax Systems is an American company based in Utah that provides backend operations systems to multi-level marketers, which also includes an extensive amount of sensitive data on their users' compensation, inventory, orders, and accounting. The breach reportedly occurred in May 2014 when the hacker exploited vulnerabilities in InfoTrax's server and its client's website to gain remote control over its server, allowing him to gain access t...

What's the worst that could happen when a Ransomware malware hits University? Last month, the IT department of the University from where I have done my graduation called me for helping them get rid of a Ransomware infection that locked down all its student's results just a day before the announcement. Unfortunately, there was no decrypter available for that specific ransomware sample, but luckily they had the digital backup for the examination results in the form of hundreds of excel sheets. So, somehow backup helped administrator to re-compile complete result once again into the database, but this delayed the announcement for over 30 days. However, the situation is not same every time. Recently, the University of Calgary in Alberta  paid a ransom of $20,000 to decrypt their computer systems' files and regain access to its own email system after getting hit by a ransomware infection. The University fell victim to ransomware last month, when the malware instal...

Network security practitioners rely heavily on intrusion detection systems (IDS) to identify malicious activity on their networks by examining network traffic in real time. IDS are available in Network (NIDS) and Host (HIDS) forms, as well as for Wireless (WIDS). Host IDS is installed via an agent on the system you are monitoring and analyzes system behavior and configuration status. Network IDS inspects the traffic between hosts to find signatures of suspicious behavior and anomalies. Wireless IDS identifies rogue network access points, unauthorized login attempts, encryption-level in use, and other anomalous behavior. There are many options for open source IDS tools if your budget for buying new tools is tight. Asset inventory and vulnerability management go hand in hand with IDS. Knowing the role, function, and vulnerabilities of your assets will add valuable context to your investigations. AlienVault Unified Security Management (USM) includes IDS integrated with asset di...

Cyber criminals have explored one more way to exploit Heartbleed OpenSSL bug against organisations to hijack multiple active web sessions conducted over a virtual private network connection. The consulting and incident response Mandiant investigated targeted attack against an unnamed organization and said the hackers have exploited the " Heartbleed " security vulnerability in OpenSSL running in the client's SSL VPN concentrator to remotely access active sessions of an organization's internal network. The incident is the result of attacks leveraging the OpenSSL Heartbleed vulnerabilities, which resides in the OpenSSL's heartbeat functionality, if enabled would return 64KB of random memory in plaintext to any client or server requesting for a connection. The vulnerability infected almost two-third of internet web servers, including the popular websites. Recently, there has been an arrest of a Canadian teen of stealing usernames, credentials, session IDs and other da...

Security experts at Mandiant intelligence firm have discovered a new intrusion into the network of The Washington Post , it is the third time in the last three years. In time I'm writing it is still not clear the extension of the attack neither an estimation of the losses. Mandiant reported the incident to The Washington Post this week, confirming that exposed data include employees' credentials hash. " Hackers broke into The Washington Post's servers and gained access to employee user names and passwords, marking at least the third intrusion over the past three years, company officials said Wednesday. " a post of the news agency said. Early 2013 the New York Times has announced that during the previous months it was a victim of cyber espionage coordinated by Chinese hacker s, similar attacks was conducted against principal Americans news agencies. The hackers have tried to compromise the email account of journalists to steal sensitive information, they tried ...

If you think that a computer which is not connected to a network, doesn't have any USB sticks attached to it and doesn't accept any kind of electronic connection requests are reasonably safe against hackers and from all the malware, then you are Wrong. Here we have something shocking update that Some German Scientists have developed a proof of concept Malware prototype, could allow a hacker to infect your computers and other digital devices just using  Inaudible Audio signals . The ability to bridge an air gap could be a potent infection vector. Just imagine, a cyber attack using high-frequency sound waves to infect machines, where stolen data also can be transferred back to attacker without a network connection, Sounds very terrifying ? When a few weeks ago, a security researcher Dragos Ruiu claimed malware dubbed badBIOS  allowed infected machines to communicate using sound waves alone, means that the devices are physically disconnected from any networks, including...