#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Malware | Breaking Cybersecurity News | The Hacker News

Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers

Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers
Dec 25, 2020
New evidence amidst the ongoing probe into the  espionage campaign  targeting SolarWinds has uncovered an unsuccessful attempt to compromise cybersecurity firm Crowdstrike and access the company's email. The hacking endeavor was reported to the company by Microsoft's Threat Intelligence Center on December 15, which identified a third-party reseller's Microsoft Azure account to be making "abnormal calls" to Microsoft cloud APIs during a 17-hour period several months ago. The undisclosed affected reseller's Azure account handles Microsoft Office licensing for its Azure customers, including CrowdStrike. Although there was an attempt by unidentified threat actors to read the emails, it was ultimately foiled as the firm does not use Microsoft's Office 365 email service, CrowdStrike  said . The incident comes in the wake of the  supply chain attack  of SolarWinds revealed earlier this month, resulting in the deployment of a covert backdoor (aka "Sunbu

North Korean Hackers Trying to Steal COVID-19 Vaccine Research

North Korean Hackers Trying to Steal COVID-19 Vaccine Research
Dec 24, 2020
Threat actors such as the notorious Lazarus group are continuing to tap into the ongoing COVID-19 vaccine research to steal sensitive information to speed up their countries' vaccine-development efforts. Cybersecurity firm Kaspersky  detailed  two incidents at a pharmaceutical company and a government ministry in September and October leveraging different tools and techniques but exhibiting similarities in the post-exploitation process, leading the researchers to connect the two attacks to the North Korean government-linked hackers. "These two incidents reveal the Lazarus group's interest in intelligence related to COVID-19," Seongsu Park, a senior security researcher at Kaspersky, said. "While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well." Kaspersky did not name the targeted entities but said the pharmaceutical firm was breached on September 25, 2020, with the attack again

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future
Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu

How to Defend Against Malware, Phishing, and Scams During COVID-19 Crisis

How to Defend Against Malware, Phishing, and Scams During COVID-19 Crisis
Dec 23, 2020
As if the exponential rise in phishing scams and malware attacks in the last five years wasn't enough, the COVID-19 crisis has worsened it further. The current scenario has given a viable opportunity to cybercriminals to find a way to target individuals, small and large enterprises, government corporations. According to Interpol's  COVID-19 Cybercrime Analysis Report , based on the feedback of 194 countries, phishing/scam/fraud, malware/ransomware, malicious domains, and fake news have emerged as the biggest digital threats across the world in the wake of the pandemic. Image source: interpol.int There are primarily two reasons for emerging cyber threats in 2020: Most of the population is working, learning, shopping, or running their business from home, where they're using personal devices from the home/public internet connection, which are usually unsafe and hence highly vulnerable to cybercrimes. The cybercriminals are using the COVID-19 theme to exploit people and

Automated remediation solutions are crucial for security

cyber security
websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.

A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says

A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says
Dec 22, 2020
As the probe into the  SolarWinds supply chain attack  continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft 365 research team  said  on Friday in a post detailing the Sunburst malware. What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL,  Supernova  ("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack. In a  standalone write-up ,

Software Supply-Chain Attack Hits Vietnam Government Certification Authority

Software Supply-Chain Attack Hits Vietnam Government Certification Authority
Dec 17, 2020
Cybersecurity researchers today disclosed a new supply-chain attack targeting the Vietnam Government Certification Authority (VGCA) that compromised the agency's digital signature toolkit to install a backdoor on victim systems. Uncovered by Slovak internet security company ESET early this month, the "SignSight" attack involved modifying software installers hosted on the CA's  website  ("ca.gov.vn") to insert a spyware tool called  PhantomNet  or Smanager. According to ESET's telemetry, the breach happened from at least July 23 to August 16, 2020, with the  two installers  in question — "gca01-client-v2-x32-8.3.msi" and "gca01-client-v2-x64-8.3.msi" for 32-bit and 64-bit Windows systems — tampered to include the backdoor. "The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures

New Evidence Suggests SolarWinds' Codebase Was Hacked to Inject Backdoor

New Evidence Suggests SolarWinds' Codebase Was Hacked to Inject Backdoor
Dec 16, 2020
The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a very meticulously planned and highly-sophisticated supply chain attack. A new report published by ReversingLabs today and shared in advance with The Hacker News has revealed that the operators behind the  espionage campaign  likely managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process. "The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system," ReversingLabs' Tomislav Pericin said. Cybersecurity firm FireEye earlier this week  detailed  how multiple SolarWin

SolarWinds Issues Second Hotfix for Orion Platform Supply Chain Attack

SolarWinds Issues Second Hotfix for Orion Platform Supply Chain Attack
Dec 16, 2020
Network monitoring services provider SolarWinds officially released a second hotfix to address a critical vulnerability in its Orion platform that was  exploited to insert malware  and breach public and private entities in a wide-ranging espionage campaign. In a new update posted to its  advisory  page, the company urged its customers to update Orion Platform to version 2020.2.1 HF 2 immediately to secure their environments. The malware, dubbed SUNBURST (aka Solorigate), affects Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. "Based on our investigation, we are not aware that this vulnerability affects other versions—including future versions—of Orion Platform products," the company said. "We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and we have found no evidence that other versions of our Orion Platform products or our ot

Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices

Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices
Dec 15, 2020
A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers. Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called " Gitpaste-12 ," which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL. The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020. Now according to Juniper, the  second wave of attacks  began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner ("ls"), a file with a list of passwords for brute-force attempts ("pass"), and a local privilege escalation exploit for x86_64 Linux systems. Th

Nearly 18,000 SolarWinds Customers Installed Backdoored Software

Nearly 18,000 SolarWinds Customers Installed Backdoored Software
Dec 15, 2020
SolarWinds, the enterprise monitoring software provider which found itself at the epicenter of the most  consequential supply chain attacks , said as many as 18,000 of its high-profile customers might have installed a tainted version of its Orion products. The acknowledgment comes as part of a new filing made by the company to the US Securities and Exchange Commission on Monday. The Texas-based company serves more than 300,000 customers worldwide, including every branch of the US military and four-fifths of the Fortune 500 companies. The "incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state," SolarWinds said in the  regulatory disclosure , adding it "currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000." The company also reiterated in its  security advisory  that besides 2019.4 HF

Exfiltrating Data from Air-Gapped Computers via Wi-Fi Signals (Without Wi-Fi Hardware)

Exfiltrating Data from Air-Gapped Computers via Wi-Fi Signals (Without Wi-Fi Hardware)
Dec 15, 2020
A security researcher has demonstrated that sensitive data could be exfiltrated from air-gapped computers via a novel technique that leverages Wi-Fi signals as a covert channel—surprisingly, without requiring the presence of Wi-Fi hardware on the targeted systems. Dubbed " AIR-FI ," the attack hinges on deploying a specially designed malware in a compromised system that exploits "DDR SDRAM buses to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands" and transmitting information atop these frequencies that can then be intercepted and decoded by nearby Wi-Fi capable devices such as smartphones, laptops, and IoT devices before sending the data to remote servers controlled by an attacker. The findings were published today in a paper titled "AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers" by Dr. Mordechai Guri , the head of R&D at Ben-Gurion University of the Negev's Cyber-Security Research Center, Israel. "The AI

SoReL-20M: A Huge Dataset of 20 Million Malware Samples Released Online

SoReL-20M: A Huge Dataset of 20 Million Malware Samples Released Online
Dec 14, 2020
Cybersecurity firms Sophos and ReversingLabs on Monday jointly released the first-ever production-scale malware research dataset to be made available to the general public that aims to build effective defenses and drive industry-wide improvements in security detection and response. " SoReL-20M " (short for  So phos- Re versing L abs –  20   M illion), as it's called, is a dataset containing metadata, labels, and features for 20 million Windows Portable Executable (.PE) files, including 10 million disarmed malware samples, with the goal of devising machine-learning approaches for better malware detection capabilities. "Open knowledge and understanding about cyber threats also leads to more predictive cybersecurity," Sophos AI group said. "Defenders will be able to anticipate what attackers are doing and be better prepared for their next move." Accompanying the release are a set of  PyTorch  and  LightGBM -based machine learning  models pre-trained

Mount Locker Ransomware Offering Double Extortion Scheme to Other Hackers

Mount Locker Ransomware Offering Double Extortion Scheme to Other Hackers
Dec 11, 2020
A relatively new ransomware strain behind a series of breaches on corporate networks has developed new capabilities that allow it to broaden the scope of its targeting and evade security software—as well as with ability for its affiliates to launch double extortion attacks. The MountLocker ransomware, which only began making the rounds in July 2020, has already gained notoriety for stealing files before encryption and demanding ransom amounts in the millions to prevent public disclosure of stolen data, a tactic known as  double extortion . "The MountLocker Operators are clearly just warming up. After a slow start in July they are rapidly gaining ground, as the high-profile nature of extortion and data leaks drive ransom demands ever higher," researchers from BlackBerry Research and Intelligence Team said. "MountLocker affiliates are typically fast operators, rapidly exfiltrating sensitive documents and encrypting them across key targets in a matter of hours."

Watch Out! Adrozek Malware Hijacking Chrome, Firefox, Edge, Yandex Browsers

Watch Out! Adrozek Malware Hijacking Chrome, Firefox, Edge, Yandex Browsers
Dec 11, 2020
Microsoft on Thursday took the wraps off an ongoing campaign impacting popular web browsers that stealthily injects malware-infested ads into search results to earn money via affiliate advertising. "Adrozek," as it's called by the Microsoft 365 Defender Research Team, employs an "expansive, dynamic attacker infrastructure" consisting of 159 unique domains, each of which hosts an average of 17,300 unique URLs, which in turn host more than 15,300 unique malware samples. The campaign — which impacts Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox browsers on Windows — aims to insert additional, unauthorized ads on top of legitimate ads displayed on search engine results pages, leading users to click on these ads inadvertently. Microsoft said the persistent browser modifier malware has been observed since May this year, with over 30,000 devices affected every day at its peak in August. "Cybercriminals abusing affiliate programs is not

Russian APT28 Hackers Using COVID-19 as Bait to Deliver Zebrocy Malware

Russian APT28 Hackers Using COVID-19 as Bait to Deliver Zebrocy Malware
Dec 09, 2020
A Russian threat actor known for its malware campaigns has reappeared in the threat landscape with yet another attack leveraging COVID-19 as phishing lures, once again indicating how adversaries are adept at repurposing the current world events to their advantage. Linking the operation to a sub-group of APT28 (aka Sofacy, Sednit, Fancy Bear, or STRONTIUM), cybersecurity firm Intezer said the pandemic-themed phishing emails were employed to deliver the Go version of Zebrocy (or Zekapab) malware. The cybersecurity firm told The Hacker News that the campaigns were observed late last month. Zebrocy is delivered primarily via phishing attacks that contain decoy Microsoft Office documents with macros as well as executable file attachments. First spotted in the wild in 2015 , the operators behind the malware have been found to overlap with GreyEnergy , a threat group believed to be the successor of BlackEnergy aka Sandworm , suggesting its role as a sub-group with links to Sofacy and

Amnesia:33 — Critical TCP/IP Flaws Affect Millions of IoT Devices

Amnesia:33 — Critical TCP/IP Flaws Affect Millions of IoT Devices
Dec 09, 2020
Cybersecurity researchers disclosed a dozen new flaws in multiple widely-used embedded TCP/IP stacks impacting millions of devices ranging from networking equipment and medical devices to industrial control systems that could be exploited by an attacker to take control of a vulnerable system. Collectively called " AMNESIA:33 " by Forescout researchers, it is a set of 33 vulnerabilities that impact four open-source TCP/IP protocol stacks — uIP, FNET, picoTCP, and Nut/Net — that are commonly used in Internet-of-Things (IoT) and embedded devices. As a consequence of improper memory management,  successful exploitation  of these flaws could cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service (DoS) attacks, steal sensitive information, and even poison DNS cache. In the real world, these attacks could play out in various ways: disrupting the functioning of a power station to result in a blackout or taking smoke a
Cybersecurity Resources