The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: Malware attack

Ransomware Attack Caused Power Outages in the Biggest South African City

Ransomware Attack Caused Power Outages in the Biggest South African City

July 26, 2019Mohit Kumar
Yesterday, some residents of Johannesburg, the largest city in South Africa, were left without electricity after the city's power company got attacked by a ransomware virus. City Power, the company responsible for powering South Africa's financial capital Johannesburg, confirmed Thursday on Twitter that it had been hit by a Ransomware virus that had encrypted all of its databases, applications, and network. The attack prevented prepaid customers from buying electricity units, upload invoices when making payments, or access the City Power's official website, eventually leaving them without power. "Please note that the virus hit us early Thursday morning, compromising our database and other software, impacting most of our applications and networks," the city government said in a tweet . However, the company has also ensured its customers that none of their details were compromised in the cyber attack. At the time of writing, the company confirmed they h
Watch Out! Microsoft Spotted Spike in Astaroth Fileless Malware Attacks

Watch Out! Microsoft Spotted Spike in Astaroth Fileless Malware Attacks

July 09, 2019Swati Khandelwal
Security researchers at Microsoft have released details of a new widespread campaign distributing an infamous piece of fileless malware that was primarily being found targeting European and Brazilian users earlier this year. Dubbed Astaroth , the malware trojan has been making the rounds since at least 2017 and designed to steal users' sensitive information like their credentials, keystrokes, and other data, without dropping any executable file on the disk or installing any software on the victim's machine. Initially discovered by researchers at Cybereason in February this year, Astaroath lived off the land by running the payload directly into the memory of a targeted computer or by leveraging legitimate system tools, such as WMIC, Certutil, Bitsadmin, and Regsvr32, to run the malicious code. While reviewing the Windows telemetry data, Andrea Lelli, a researcher at Microsoft Defender ATP Research Team, recently spotted a sudden unusual spike in the usage of Managemen
Two Florida Cities Paid $1.1 Million to Ransomware Hackers This Month

Two Florida Cities Paid $1.1 Million to Ransomware Hackers This Month

June 26, 2019Mohit Kumar
In the last two weeks, Florida has paid more than $1.1 million in bitcoin to cybercriminals to recover encrypted files from two separate ransomware attacks—one against Riviera Beach and the other against Lake City . Lake City, a city in northern Florida, agreed on Monday to pay hackers 42 Bitcoin (equivalent to $573,300 at the current value) to unlock phone and email systems following a ransomware attack that crippled its computer systems for two weeks. The ransomware attack, dubbed "Triple Threat" since it combines three different methods of attack to target network systems, infected Lake City systems on June 10 after an employee in city hall opened a malicious email. Though the IT staff disconnected computers within just 10 minutes of the cyber attack starting, it was too late. The attack locked down the city workers' email accounts and servers. Since the police and fire departments operate on a different server, they were the only ones not impacted by the a
Report Reveals TeamViewer Was Breached By Chinese Hackers In 2016

Report Reveals TeamViewer Was Breached By Chinese Hackers In 2016

May 17, 2019Wang Wei
The German software company behind TeamViewer, one of the most popular software in the world that allows users to access and share their desktops remotely, was reportedly compromised in 2016, the German newspaper Der Spiegel revealed today. TeamViewer is popular remote-support software that allows you to securely share your desktop or take full control of other's PC over the Internet from anywhere in the world. With millions of users making use of its service, TeamViewer has always been a target of interest for attackers. According to the publication , the cyber attack was launched by hackers with Chinese origin who used Winnti trojan malware, activities of which have previously been found linked to the Chinese state intelligence system. Active since at least 2010, Winnti advanced persistent threat (APT) group has previously launched a series of financial attacks against software and gaming organizations primarily in the United States, Japan, and South Korea. The group i
Baltimore City Shuts Down Most of Its Servers After Ransomware Attack

Baltimore City Shuts Down Most of Its Servers After Ransomware Attack

May 08, 2019Swati Khandelwal
For the second time in just over a year, the city of Baltimore has been hit by a ransomware attack, affecting its computer network and forcing officials to shut down a majority of its computer servers as a precaution. Ransomware works by encryption files and locking them up so users can't access them. The attackers then demand a ransom amount, typically in Bitcoin digital currency, in exchange for the decryption keys use to unlock the files. The ransomware attack on the Baltimore City Hall took place on Tuesday morning and infected the city's technology systems with an unknown ransomware virus, which according to government officials, is apparently spreading throughout their network. According to new Baltimore Mayor Bernard C. Jack Young, Baltimore City's critical public safety systems, such as 911, 311, emergency medical services and the fire department, are operational and not affected by the ransomware attack. Young also says the city technology officials are
Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware

Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware

May 01, 2019Mohit Kumar
Taking advantage of newly disclosed and even patched vulnerabilities has become common among cybercriminals, which makes it one of the primary attack vectors for everyday-threats, like crypto-mining, phishing, and ransomware. As suspected, a recently-disclosed critical vulnerability in the widely used Oracle WebLogic Server has now been spotted actively being exploited to distribute a never-before-seen ransomware variant, which researchers dubbed " Sodinokibi ." Last weekend, The Hacker News learned about a critical deserialization remote code execution vulnerability in Oracle WebLogic Server that could allow attackers to remotely run arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization. To address this vulnerability (CVE-2019-2725), which affected all versions of the Oracle WebLogic software and was given a severity score of 9.8 out of 10, Oracle rolled out an out-of-band security update on
'Karkoff' Is the New 'DNSpionage' With Selective Targeting Strategy

'Karkoff' Is the New 'DNSpionage' With Selective Targeting Strategy

April 24, 2019Swati Khandelwal
The cybercriminal group behind the infamous DNSpionage malware campaign has been found running a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware. First uncovered in November last year, the DNSpionage attacks used compromised sites and crafted malicious documents to infect victims' computers with DNSpionage —a custom remote administrative tool that uses HTTP and DNS communication to communicate with the attacker-controlled command and control server. According to a new report published by Cisco's Talos threat research team, the group has adopted some new tactics, techniques and procedures to improve the efficacy of their operations, making their cyber attacks more targeted, organised and sophisticated in nature. Unlike previous campaigns, attackers have now started performing reconnaissance on its victims before infecting them with a new piece of malware, dubbed Karkoff , allowing them to selectively choose which t
Sophisticated 'TajMahal APT Framework' Remained Undetected for 5 Years

Sophisticated 'TajMahal APT Framework' Remained Undetected for 5 Years

April 10, 2019Swati Khandelwal
Cybersecurity researchers yesterday unveiled the existence of a highly sophisticated spyware framework that has been in operation for at least last 5 years—but remained undetected until recently. Dubbed TajMahal by researchers at Kaspersky Lab, the APT framework is a high-tech modular-based malware toolkit that not only supports a vast number of malicious plugins for distinct espionage operations, but also comprises never-before-seen and obscure tricks. Kaspersky named the framework after Taj Mahal, one of the Seven Wonders of the World located in India, not because it found any connection between the malware and the country, but because the stolen data was transferred to the attackers' C&C server in an XML file named TajMahal. TajMahal toolkit was first discovered by security researchers late last year when hackers used it to spy on the computers of a diplomatic organization belonging to a Central Asian country whose nationality and location have not been disclosed
Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

March 28, 2019Swati Khandelwal
An Iran-linked cyber-espionage group that has been found targeting critical infrastructure , energy and military sectors in Saudi Arabia and the United States two years ago continues targeting organizations in the two nations, Symantec reported on Wednesday. Widely known as APT33 , which Symantec calls Elfin , the cyber-espionage group has been active since as early as late 2015 and targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance, and telecommunications in the Middle East and other parts of the world. Symantec started monitoring Elfin's attacks since the beginning of 2016 and found that the group has launched a heavily targeted campaign against multiple organizations with 42% most recent attacks observed against Saudi Arabia and 34% against the United States. Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcar
Warning: ASUS Software Update Server Hacked to Distribute Malware

Warning: ASUS Software Update Server Hacked to Distribute Malware

March 25, 2019Swati Khandelwal
Remember the CCleaner hack ? CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017. Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS. A group of state-sponsored hackers last year managed to hijack ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide. According to cybersecurity researchers from Russian firm Kaspersky Lab , who discovered the attack and dubbed it Operation ShadowHammer , Asus was informed about the ongoing supply chain attack on Jan 31, 2019. After analyzing over 200 samples of the malicious updates, researchers learned that hackers did not want to target all users, instead only a specific list of users identified by their uniq
Ransomware Attack Forces Aluminum Manufacturer to Shutdown Systems Worldwide

Ransomware Attack Forces Aluminum Manufacturer to Shutdown Systems Worldwide

March 19, 2019Mohit Kumar
Photo by Terje Pedersen / NTB scanpix One of the world's largest producers of aluminum has been forced to shut down several of its plants across Europe and the U.S. after an "extensive cyber attack" hit its operations, leaving companies' IT systems unusable. According to a press release shared by Aluminum giant Norsk Hydro today, the company has temporarily shut down several plants and switched to manual operations, "where possible," in countries including Norway, Qatar, and Brazil in an attempt to continue some of its operations. The cyber attack, that began in the U.S.,was first detected by the company's IT experts around late Monday evening CET and the company is working to neutralize the attack, as well as investigating to know the full extent of the incident. "Hydro's main priority is to continue to ensure safe operations and limit operational and financial impact. The problem has not led to any safety-related incidents," t
New malware found using Google Drive as its command-and-control server

New malware found using Google Drive as its command-and-control server

January 21, 2019Mohit Kumar
Since most security tools also keep an eye on the network traffic to detect malicious IP addresses, attackers are increasingly adopting infrastructure of legitimate services in their attacks to hide their malicious activities. Cybersecurity researchers have now spotted a new malware attack campaign linked to the notorious DarkHydrus APT group that uses Google Drive as its command-and-control (C2) server. DarkHydrus first came to light in August last year when the APT group was leveraging the open-source Phishery tool to carry out credential-harvesting campaign against government entities and educational institutions in the Middle East. The latest malicious campaign conducted by the DarkHydrus APT group was also observed against targets in the Middle East, according to reports published by the 360 Threat Intelligence Center ( 360TIC ) and Palo Alto Networks. This time the advanced threat attackers are using a new variant of their backdoor Trojan, called RogueRobin , which i
Microsoft Issues Emergency Patch For Under-Attack IE Zero Day

Microsoft Issues Emergency Patch For Under-Attack IE Zero Day

December 20, 2018Swati Khandelwal
Microsoft today issued an out-of-band security update to patch a critical zero-day vulnerability in Internet Explorer (IE) Web browser that attackers are already exploiting in the wild to hack into Windows computers. Discovered by security researcher Clement Lecigne of Google's Threat Analysis Group, the vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the IE browser's scripting engine. According to the advisory, an unspecified memory corruption vulnerability resides in the scripting engine JScript component of Microsoft Internet Explorer that handles execution of scripting languages. If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change,
New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

December 04, 2018Swati Khandelwal
A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack... and the number of infected users is continuously increasing every hour. What's Interesting? Unlike almost every ransomware malware, the new virus doesn't demand ransom payments in Bitcoin. Instead, the attacker is asking victims to pay 110 yuan (nearly USD 16) in ransom through WeChat Pay—the payment feature offered by China's most popular messaging app. Ransomware + Password Stealer — Unlike WannaCry and NotPetya ransomware outbreaks that caused worldwide chaos last year, the new Chinese ransomware has been targeting only Chinese users. It also includes an additional ability to steal users' account passwords for Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ websites. A Supply Chain Attack — According to Chinese cybers
U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

November 28, 2018Mohit Kumar
The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware. The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed. The duo used SamSam ransomware to extort over $6 million in ransom payments since 2015, and also caused more than $30 million in damages to over 200 victims, including hospitals , municipalities, and public institutions. According to the indictment, Savandi and Mansouri have been charged with a total of six counts, including one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer, and two counts of transmitting a demand in relation to damaging a protected computer. Si
Former Microsoft Engineer Gets Prison for Role in Reveton Ransomware

Former Microsoft Engineer Gets Prison for Role in Reveton Ransomware

August 15, 2018Wang Wei
A former Microsoft network engineer who was charged in April this year has now been sentenced to 18 months in prison after pleading guilty to money laundering in connection with the Reveton ransomware. Reveton malware is old ransomware, also known as scareware or police ransomware that instead of encrypting files locks the screen of victims’ computers and displays a message purporting to come from a national law enforcement agency. The splash screen of the malware was designed to falsely tell unsuspecting victims that they have been caught doing illegal or malicious activities online or the law enforcement had found illegal material on their computer, forcing users to make pay a "fine" of $200-300 within 48 hours to regain access to their computers. Raymond Odigie Uadiale, 41-year-old, who worked as a Microsoft network engineer, is not the actual author of the Reveton ransomware , but he helped the Reveton distributor, residing in the UK and identified as the online
Hacker Can Steal Data from Air-Gapped Computers through Power Lines

Hacker Can Steal Data from Air-Gapped Computers through Power Lines

April 12, 2018Swati Khandelwal
Do you think it is possible to extract data from a computer using its power cables? If no, then you should definitely read about this technique. Researchers from Israel's Ben Gurion University of the Negev—who majorly focus on finding clever ways to exfiltrate data from an isolated or air-gapped computer—have now shown how fluctuations in the current flow "propagated through the power lines" could be used to covertly steal highly sensitive data. Sound something like a James Bond movie? Well, the same group of researchers has previously demonstrated various out-of-band communication methods to steal data from a compromised air-gapped computer via light , sound , heat , electromagnetic , magnetic and ultrasonic waves . Air-gapped computers are those that are isolated from the Internet and local networks and therefore, are believed to be the most secure devices that are difficult to infiltrate or exfiltrate data. "As a part of the targeted attack, the adve
Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

February 08, 2018Swati Khandelwal
A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer's components like light, sound and heat —have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage. Air-gapped computers are those that are isolated from the Internet and local networks and so, are believed to be the most secure devices that are difficult to infiltrate. Whereas, Faraday cages are metallic enclosures that even blocks all electromagnetic signals, such as Wi-Fi, Bluetooth, cellular and other wireless communications, making any device kept inside the cage, even more, isolate from outside networks. However, Cybersecurity Research Center at Israel's Ben Gurion University, directed by 38-year-old Mordechai Guri, has developed two techniques that helped them exfiltrate data from computers placed inside a Faraday
Thousands of Hacked WordPress Sites Abused to Infect Millions of Visitors

Thousands of Hacked WordPress Sites Abused to Infect Millions of Visitors

September 18, 2015Khyati Jain
A Large number of WordPress websites were compromised in last two weeks with a new malware campaign spotted in the wild. WordPress , a Free and Open source content management system (CMS) and blogging tool, has been once again targeted by hackers at large scale. Researchers at Sucuri Labs have detected a “ Malware Campaign ” with an aim of getting access to as many devices they can by making innumerable WordPress websites as its prey. The Malware campaign was operational for more than 14 days ago, but it has experienced a massive increase in the spread of infection in last two days, resulted in affecting more than 5000 Wordpress websites. The Security researchers call this malware attack as “ VisitorTracker ”, as there exists a javascript function named visitorTracker_isMob() in the malicious code designed by cyber criminals. This new campaign seems to be utilizing the Nuclear Exploit Kit and uses a combination of hacked WordPress sites, hidden iframes and nu
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.