#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

Living-Off-The-Land | Breaking Cybersecurity News | The Hacker News

Stealthy Zardoor Backdoor Targets Saudi Islamic Charity Organization

Stealthy Zardoor Backdoor Targets Saudi Islamic Charity Organization
Feb 09, 2024 Cyber Espionage / Threat Intelligence
An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a stealthy cyber espionage campaign designed to drop a previously undocumented backdoor called  Zardoor . Cisco Talos, which discovered the activity in May 2023, said the campaign has likely persisted since at least March 2021, adding it has identified only one compromised target to date, although it's suspected that there could be other victims. "Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command-and-control (C2), and maintain persistence," security researchers Jungsoo An, Wayne Lee, and Vanja Svajcer  said , calling out the threat actor's ability to maintain long-term access to victim environments without attracting attention. The intrusion targeting the Islamic charitable organization involved the periodic exfiltration of data roughly twice a month. The exact initial access vector used to infiltrate the

Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion

Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion
Jan 12, 2024 Ransomware / Dark Web
The threat actors associated with the  Medusa ransomware  have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands. "As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data," Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos  said  in a report shared with The Hacker News. "All of these options have a price tag depending on the organization impacted by this group." Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It's known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail. As many as 74 organization

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution
Apr 15, 2024Active Directory / Attack Surface
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

U.S. Cybersecurity Agencies Warn of Scattered Spider's Gen Z Cybercrime Ecosystem

U.S. Cybersecurity Agencies Warn of Scattered Spider's Gen Z Cybercrime Ecosystem
Nov 17, 2023 Ransomware / Cybercrime
U.S. cybersecurity and intelligence agencies have released a joint advisory about a cybercriminal group known as  Scattered Spider  that's known to employ sophisticated phishing tactics to infiltrate targets. "Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs," the agencies  said . The threat actor, also tracked under the monikers Muddled Libra, Octo Tempest, 0ktapus, Scatter Swine, Star Fraud, and UNC3944, was the subject of an  extensive profile  from Microsoft last month, with the tech giant calling it "one of the most dangerous financial criminal groups." Considered as experts in social engineering, Scattered Spider is known to rely on phishing, prompt bombing, and SIM swapping attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA). Scattered Spider, li

Today's Top 4 Identity Threat Exposures: Where To Find Them and How To Stop Them

cyber security
websiteSilverfort Identity Protection / Attack Surface
Explore the first ever threat report 100% focused on the prevalence of identity security gaps you may not be aware of.

CISA and FBI Issue Warning About Rhysida Ransomware Double Extortion Attacks

CISA and FBI Issue Warning About Rhysida Ransomware Double Extortion Attacks
Nov 16, 2023 Cyber Threats / Data Security
The threat actors behind the  Rhysida ransomware  engage in opportunistic attacks targeting organizations spanning various industry sectors. The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). "Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates," the agencies  said . " Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network." First detected in May 2023,  Rhysida  makes use of the time-tested tactic of double extortion, demanding a ransom payment to decrypt victim

China-Linked Flax Typhoon Cyber Espionage Targets Taiwan's Key Sectors

China-Linked Flax Typhoon Cyber Espionage Targets Taiwan's Key Sectors
Aug 25, 2023 Cyber Espionage
A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign. The Microsoft Threat Intelligence team is tracking the activity under the name  Flax Typhoon , which is also known as Ethereal Panda. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks," the company  said . It further said it hasn't observed the group weaponize the access to conduct data-collection and exfiltration. A majority of the targets include government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan. A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active si

LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes

LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes
Aug 08, 2023 Malware / Cyber Threat
Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts ( LOLBAS ) that could be maliciously abused by threat actors to conduct post-exploitation activities.  "LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes," Pentera security researcher Nir Chako  said . "This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities." To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute "more robust malware" on infected hosts. This includes: MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe.  "In a complete attack chain, a hacker will us
Cybersecurity Resources