#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

SentinelOne | Breaking Cybersecurity News | The Hacker News

Suspected Russian Data-Wiping 'AcidPour' Malware Targeting Linux x86 Devices

Suspected Russian Data-Wiping 'AcidPour' Malware Targeting Linux x86 Devices

Mar 19, 2024 Linux / Cyber Espionage
A new variant of a data wiping malware called AcidRain has been detected in the wild that's specifically designed for targeting Linux x86 devices. The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne's Juan Andres Guerrero-Saade said in a series of posts on X. "The new variant [...] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it's a largely different codebase," Guerrero-Saade  noted . AcidRain  first came to light  in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat. An ELF binary compiled for MIPS architectures, it is capable of wiping the filesystem and different known storage device files by recursively iterating over common directories for most Linux distributions. The cyber attack was  subsequently attributed  to Russia by the Five Eyes nations, along with Ukraine and the European Union. AcidPour, as the
North Korean Hackers Weaponize Research Lures to Deliver RokRAT Backdoor

North Korean Hackers Weaponize Research Lures to Deliver RokRAT Backdoor

Jan 22, 2024 Cyber Attack / Hacking
Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as  ScarCruft  in December 2023. "ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel  said  in a report shared with The Hacker News. The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is  assessed  to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB). The group is  known  for its targeting of governments and defectors, leveraging  spear-phishing lures  to deliver  RokRAT and other backdoors  with the ultimate goal of  cove
Code Keepers: Mastering Non-Human Identity Management

Code Keepers: Mastering Non-Human Identity Management

Apr 12, 2024DevSecOps / Identity Management
Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or
N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

Nov 28, 2023 Malware / Cyber Espionage
The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The  findings  come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign. RustBucket  refers to an  activity cluster  linked to the Lazarus Group in which a backdoored version of a PDF reader app, dubbed SwiftLoader, is used as a conduit to load a next-stage malware written in Rust upon viewing a specially crafted lure document. The  KANDYKORN campaign , on the other hand, refers to a malicious cyber operation in which blockchain engineers of an unnamed crypto exchange platform were targeted via Discord to initiate a sophisticated multi-stage attack sequence that led to the deployment of the eponymous full-featured memory resident remote access trojan. The t
cyber security

WATCH: The SaaS Security Challenge in 90 Seconds

websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.
North Korean Hackers Targets Russian Missile Engineering Firm

North Korean Hackers Targets Russian Missile Engineering Firm

Aug 07, 2023 Cyber Attack
Two different North Korean nation-state actors have been linked to a cyber intrusion against NPO Mashinostroyeniya, a major Russian missile engineering company. Cybersecurity firm SentinelOne  said  it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed OpenCarrot. The breach of the Linux email server has been attributed to  ScarCruft . OpenCarrot, on the other hand, is a known implant  previously identified  as used by the Lazarus Group. The attacks were flagged in mid-May 2022. A rocket design bureau based in Reutov, NPO Mashinostroyeniya was  sanctioned  by the U.S. Treasury Department in July 2014 in  connection  to "Russia's continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea." While both ScarCruft (aka APT37) and the Lazarus Group are affiliated to North Korea, it's  wo
Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets

Rust-based Realst Infostealer Targeting Apple macOS Users' Cryptocurrency Wallets

Jul 26, 2023 Cryptocurrency / Endpoint Security
A new malware family called  Realst  has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system. Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher  iamdeadlyz . "Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes  said  in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts." The cybersecurity firm, which identif
DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors

DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors

Jul 04, 2023 Malware / Cyber Attack
The threat actors behind the  DDoSia  attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia  said  in a technical write-up. DDoSia is attributed to a pro-Russian hacker group called  NoName(057)16 . Launched in 2022 and a successor of the  Bobik botnet , the attack tool is  designed  for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan. Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different w
Mexico-Based Hacker Targets Global Banks with Android Malware

Mexico-Based Hacker Targets Global Banks with Android Malware

Jul 04, 2023 Cyber Crime / Mobile Security
An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed  Neo_Net , according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground. "Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill  said . Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING. Neo_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as a
AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services

AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services

Mar 30, 2023 Cloud Security / Cyber Threat
A new "comprehensive toolset" called  AlienFox  is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security researcher Alex Delamotte  said  in a report shared with The Hacker News. The cybersecurity company characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements. The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like  LeakIX  and  SecurityTrails , and subsequently leverage various scripts in the toolkit to extract credentials from configuration files exposed on the servers. Specifically, it entails searching for susceptible servers associated with popular web framewor
3CX Desktop App Supply Chain Attack Leaves Millions at Risk - Urgent Update on the Way!

3CX Desktop App Supply Chain Attack Leaves Millions at Risk - Urgent Update on the Way!

Mar 30, 2023 Supply Chain / Software Security
3CX said it's  working on a software update  for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers. "The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers  said . The cybersecurity firm is tracking the activity under the name SmoothOperator , stating the threat actor registered a massive attack infrastructure as far back as February 2022. There are indications that the attack may have commenced around March 22, 2023. 3CX, the company behind 3CXDesktopApp,  claims  to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Expres
Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection

Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection

Jan 24, 2023 Cyber Espionage / Golang
Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne  said  in an analysis published today. A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions. The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the  China Chopper  web shell to deploy malware – a widely used attack pathway among Chinese threat actors. Furthermore, not only do the open source tools used in the cyber assaults originate from develope
Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data

Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data

Dec 19, 2022 Software Security / Supply Chain
Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne, a major cybersecurity company, as part of a campaign dubbed  SentinelSneak . The package, named  SentinelOne  and now taken down, is said to have been published between December 8 and 11, 2022, with nearly two dozen versions pushed in quick succession over a period of two days. It claims to offer an easier method to access the  company's APIs , but harbors a malicious backdoor that's engineered to amass sensitive information from development systems, including access credentials, SSH keys, and configuration data. What's more, the threat actor has also been observed releasing two more packages with similar naming variations –  SentinelOne-sdk  and  SentinelOneSDK  – underscoring the  continued threats  lurking in open source repositories. "The SentinelOne imposter package is just the lat
Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack

Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack

Dec 08, 2022 APT Attack / Data Security
An Iranian advanced persistent threat (APT) actor known as  Agrius  has been attributed as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, referred to as Fantasy by ESET, is believed to have been delivered via a supply-chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022. Victims include HR firms, IT consulting companies, and a diamond wholesaler in Israel; a South African entity working in the diamond industry; and a jeweler based in Hong Kong. "The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware, as Apostle originally did," ESET researcher Adam Burgher  disclosed  in a Wednesday analysis. "Instead, it goes right to work wiping data." Apostle was  first documented  by SentinelOne in May 2021 as a wiper-turned-ransomware that was deployed in destructive attac
Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities

Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities

Sep 23, 2022
A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa. "The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions," researchers from SentinelOne  said  in a new report. The cybersecurity firm codenamed the "pragmatic" group Metador in reference to a string "I am meta" in one of their malware samples and because of Spanish-language responses from the command-and-control (C2) servers. The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims. Other hallmarks of the campaign are the limited number of intrusions and long-term access to targets. This includes two different Windows malware platforms ca
JuiceLedger Hackers Behind the Recent Phishing Attacks Against PyPI Users

JuiceLedger Hackers Behind the Recent Phishing Attacks Against PyPI Users

Sep 02, 2022
More details have emerged about the operators behind the  first-known phishing campaign  specifically aimed at the Python Package Index (PyPI), the official third-party software repository for the programming language. Connecting it to a threat actor tracked as  JuiceLedger , cybersecurity firm SentinelOne, along with Checkmarx, described the group as a relatively new entity that surfaced in early 2022. Initial "low-key" campaigns are said to have involved the use of rogue Python installer applications to deliver a .NET-based malware called JuiceStealer that's engineered to siphon passwords and other sensitive data from victims' web browsers. The attacks received a significant facelift last month when the JuiceLedger actors  targeted PyPi package contributors  in a phishing campaign, resulting in the compromise of three packages with malware. "The supply chain attack on PyPI package contributors appears to be an escalation of a campaign begun earlier in th
A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia

A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia

Jun 09, 2022
A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed  Aoqin Dragon  has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013. "Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices," SentinelOne researcher Joey Chen  said  in a report shared with The Hacker News. "Other techniques the attacker has been observed using include DLL hijacking,  Themida-packed files , and DNS tunneling to evade post-compromise detection." The group is said to have some level of tactical association with another threat actor known as  Naikon  (aka Override Panda), with the campaigns primarily directed against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Infections chains mounted by Aoqin Dragon have banked on Asia-Pacific political affairs and pornographi
Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines

Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines

May 20, 2022
A case of software supply chain attack has been observed in the Rust programming language's  crate registry  that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack " CrateDepression ." Typosquatting attacks  take place  when an adversary mimics the name of a popular package on a public registry in hopes that developers will accidentally download the malicious package instead of the legitimate library. In this case, the crate in question is "rustdecimal," a typosquat of the real " rust_decimal " package that's been downloaded over 3.5 million times to date. The package was  flagged  earlier this month on May 3 by Askar Safin, a Moscow-based developer. According to an  advisory  published by the Rust maintainers, the crate is said to have been first pushed on March 25, 2022, attracting fewer than 500 downloads before it was permanently removed from the repository.
E.U. Blames Russia for Cyberattack on KA-SAT Satellite Network Operated by Viasat

E.U. Blames Russia for Cyberattack on KA-SAT Satellite Network Operated by Viasat

May 11, 2022
The Five Eyes nations comprising  Australia ,  Canada ,  New Zealand ,  the U.K. , and  the U.S. , along with Ukraine and the European Union, formally pinned Russia for masterminding an attack on an international satellite communication ( SATCOM ) provider that had "spillover" effects across Europe. The  cyber offensive , which took place one hour before the Kremlin's military invasion of Ukraine on February 24, targeted the KA-SAT satellite network operated by telecommunications company Viasat, crippling the operations of wind farms and internet users in central Europe. Viasat, in late March,  disclosed  that it had shipped nearly 30,000 modems to distributors to restore service to customers whose modems were rendered unusable. "This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several E.U. Member States," the Counci
Russian Wiper Malware Likely Behind Recent Cyberattack on Viasat KA-SAT Modems

Russian Wiper Malware Likely Behind Recent Cyberattack on Viasat KA-SAT Modems

Apr 01, 2022
The cyberattack aimed at Viasat that temporarily knocked KA-SAT modems offline on February 24, 2022, the same day Russian military forces invaded Ukraine, is believed to have been the consequence of wiper malware, according to the  latest research  from SentinelOne. The findings come a day after the U.S. telecom company  disclosed  that it was the target of a multifaceted and deliberate" cyberattack against its KA-SAT network, linking it to a "ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network." Upon gaining access, the adversary issued "destructive commands" on tens of thousands of modems belonging to the satellite broadband service that "overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable." But SentinelOne said it uncovered a new piece of malware (
Cybersecurity Resources