Malware | Breaking Cybersecurity News | The Hacker News

A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws. "Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated," researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News. It's no surprise that security researchers have been an attractive target for threat actors, including nation-stat...

Iran-affiliated threat actors have been linked to a new custom malware that's geared toward IoT and operational technology (OT) environments in Israel and the United States. The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms. "While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration," the company said . The development makes IOCONTROL the tenth malware family to specifically single out Industrial Control Systems (ICS) after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (a...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. "PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers," Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday. The company's analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September. The internals of the malware is based on a multi-stage architecture that comprises a dropper component named "cron," two memory-resident executables ("/memfd:tgt" and "/memfd:wpn"), an LKM rootkit ("puma.ko"), and a shared object (SO) userland rootkit called Kitsune ("li...

The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome , marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists." Gamaredon , also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB). Last week, Recorded Future's Insikt Group revealed the threat actor's use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payload...

The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine. The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically selected" systems associated with the Ukrainian military between March and April 2024. The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine. "Commandeering other threat actors' access highlights Secret Blizzard's approach to diversifying its attack vectors," the company said in a report shared with The Hacker News. Some of the other known methods employed by the hacking crew include adversary-in-the-middle ( AitM ) campaigns, strategic web compro...

A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious activities without tipping off endpoint detection and response (EDR) solutions. "To exploit this technique, a user must be convinced to run a program that uses UI Automation," Akamai security researcher Tomer Peled said in a report shared with The Hacker News. "This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more." Even worse, local attackers could take advantage of this security blindspot to execute commands and read/write messages from/to messaging applications like Slack and WhatsApp. On top of that, it could also be potentially weaponized to manipulate UI elements over a network. First available in Windows XP as part of the Microsoft .NET Framework, UI Automation is designed to provide programmatic access to various user interface (UI) elements and h...

Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after resurfacing a year ago. "Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell that supports more than a dozen commands, which may be valuable for ransomware attacks," Zscaler ThreatLabz said in a Tuesday report. "These modifications provide additional layers of resilience against detection and mitigation." ZLoader , also referred to as Terdot, DELoader, or Silent Night, is a malware loader that's equipped with the ability to deploy next-stage payloads. Malware campaigns distributing the malware were observed for the first time in almost two years in September 2023 after its infrastructure was taken down. In addition to incorporating various...

Cybersecurity researchers have discovered a novel surveillance program that's suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices. The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as September 25, 2024. "The surveillanceware consists of two parts: an installer APK, and a surveillance client that runs headlessly on the device when installed," Kristina Balaam, senior staff threat intelligence researcher at Lookout, said in a technical report shared with The Hacker News. "EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, [and] network activity." EagleMsgSpy has been described by its developers as a "compreh...

Cyber attackers never stop inventing new ways to compromise their targets. That's why organizations must stay updated on the latest threats.  Here's a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you. Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems  The analyst team at ANY.RUN recently shared their analysis of an ongoing zero-day attack . It has been active since at least August and still remains unaddressed by most detection software to this day. The attack involves the use of intentionally corrupted Word documents and ZIP archives with malicious files inside. VirusTotal shows 0 detections for one of the corrupted files Due to corruption, security systems cannot properly identify the type of these files and run analysis on them, which results in zero threat detections. Word will ask the user if they want to restore a corrupted file Once these fi...

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces. The phishing attacks have been attributed to a Russia-linked threat actor called UAC-0185 (aka UNC4221), which has been active since at least 2022. "The phishing emails mimicked official messages from the Ukrainian League of Industrialists and Entrepreneurs," CERT-UA said . "The emails advertised a conference held on December 5th in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards." The email messages come embedded with a malicious URL that urges the recipients to click on it to view "important information" related to their participation in the conference. But in reality, doing so results in the download of a Windows shortcut file that, upon opening, is designed to execute an HTML Application, which, in t...

The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics , distributing a different set of payloads such as Zbot and DarkGate since early October 2024. "Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7 said . "After the email bomb, the threat actor will reach out to the impacted users." As observed back in August, the attackers make initial contact with prospective targets on Microsoft Teams, pretending to be support personnel or IT staff of the organization. In some instances, they have also been observed impersonating IT staff members within the targeted organization. Users who end up interacting with the threat actors are urged to install legitimate remote access software such as AnyDesk, ScreenConnect, TeamViewer, and Microsoft's Quick Assist. The Window...

This week's cyber world is like a big spy movie. Hackers are breaking into other hackers' setups, sneaky malware is hiding in popular software, and AI-powered scams are tricking even the smartest of us. On the other side, the good guys are busting secret online markets and kicking out shady chat rooms, while big companies rush to fix new security holes before attackers can jump in. Want to know who's hacking who, how they're doing it, and what's being done to fight back? Stick around—this recap has the scoop. ⚡ Threat of the Week Turla Hackers Hijack Pakistan Hackers' Infrastructure — Imagine one hacker group sneaking into another hacker group 's secret hideout and using their stuff to carry out their own missions. That's basically what the Russia-linked Turla group has been doing since December 2022. They broke into the servers of a Pakistani hacking team called Storm-0156 and used those servers to spy on government and military targets in Afghanistan and India. By doing th...