Threat Analysis | Breaking Cybersecurity News | The Hacker News

Category — Threat Analysis
Researchers Uncover Major Security Flaw in Illumina iSeq 100 DNA Sequencers

Jan 07, 2025 Firmware Security / Malware
Cybersecurity researchers have uncovered firmware security vulnerabilities in the Illumina iSeq 100 DNA sequencing instrument that, if successfully exploited, could permit attackers to brick or plant persistent malware on susceptible devices. "The Illumina iSeq 100 used a very outdated implementation of BIOS firmware using CSM [Compatibility Support Mode] mode and without Secure Boot or standard firmware write protections," Eclypsium said in a report shared with The Hacker News. "This would allow an attacker on the system to overwrite the system firmware to either 'brick' the device or install a firmware implant for ongoing attacker persistence." While the Unified Extensible Firmware Interface (UEFI) is the modern replacement for the Basic Input/Output System (BIOS), the firmware security company said the iSeq 100 boots to an old version of BIOS (B480AM12 - 04/12/2018) that has known vulnerabilities. Also noticeably absent are protections to tell t...
New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities

Jan 07, 2025 Cyber Attack / Hacking
Internet service providers (ISPs) and governmental entities in the Middle East have been targeted using an updated variant of the EAGERBEE malware framework. The new variant of EAGERBEE (aka Thumtais) comes fitted with various components that allow the backdoor to deploy additional payloads, enumerate file systems, and execute command shells, demonstrating a significant evolution. "The key plugins can be categorized in terms of their functionality into the following groups: Plugin Orchestrator, File System Manipulation, Remote Access Manager, Process Exploration, Network Connection Listing, and Service Management," Kaspersky researchers Saurabh Sharma and Vasily Berdnikov said in an analysis. The backdoor has been attributed by the Russian cybersecurity company with medium confidence to a threat group called CoughingDown. EAGERBEE was first documented by Elastic Security Labs, which attributed it to a state-sponsored and espionage-focused intrusion set dubbed REF5961. ...
Farewell to the Fallen: The Cybersecurity Stars We Lost Last Year

Jan 07, 2025 Cybersecurity / Endpoint Security
It's time once again to pay our respects to the once-famous cybersecurity solutions whose usefulness died in the past year. The cybercriminal world collectively mourns the loss of these solutions and the easy access they provide to victim organizations. These solutions, though celebrated in their prime, succumbed to the twin forces of time and advancing threats. Much like a tribute to celebrities lost in the past year, this article will look back at a few of cybersecurity's brightest stars that went dark in the past year. 1. Legacy Multi-Factor Authentication (MFA) Cause of Death: Compromised by sophisticated phishing, man-in-the-middle (MitM), SIM-swapping, and MFA prompt bombing attacks. The superstar of access security for more than twenty years, legacy MFA solutions enjoyed broad adoption followed by almost-universal responsibility for cybersecurity failures leading to successful ransomware attacks. These outdated solutions relied heavily on SMS or email-based codes o...
AI Could Generate 10,000 Malware Variants, Evading Detection in 88% of Cases

Dec 23, 2024 Machine Learning / Threat Analysis
Cybersecurity researchers have found that it's possible to use large language models (LLMs) to generate new variants of malicious JavaScript code at scale in a manner that can better evade detection. "Although LLMs struggle to create malware from scratch, criminals can easily use them to rewrite or obfuscate existing malware, making it harder to detect," Palo Alto Networks Unit 42 researchers said in a new analysis. "Criminals can prompt LLMs to perform transformations that are much more natural-looking, which makes detecting this malware more challenging." With enough transformations over time, the approach could have the advantage of degrading the performance of malware classification systems, tricking them into believing that a piece of nefarious code is actually benign. While LLM providers have increasingly enforced security guardrails to prevent them from going off the rails and producing unintended output, bad actors have advertised tools like WormGPT...
New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection

Dec 13, 2024 Linux / Threat Analysis
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. "PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers," Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday. The company's analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September. The internals of the malware are based on a multi-stage architecture that comprises a dropper component named "cron," two memory-resident executables ("/memfd:tgt" and "/memfd:wpn"), an LKM rootkit ("puma.ko"), and a shared object (SO) userland rootkit called Kitsune ("li...
Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged

Dec 10, 2024 Vulnerability / Threat Analysis
Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems. Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution. The security hole is tracked as CVE-2024-50623 (CVSS score: 9.8), with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code. The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE-2024-55956), warning of a separate "unauthenticated malicious hosts vulnerability that could lead to remote code execution." The development comes after Huntress said the pat...
Malicious npm Packages Mimicking 'noblox.js' Compromise Roblox Developers’ Systems

Sep 02, 2024 Software Security / Malware
Roblox developers are the target of a persistent campaign that seeks to compromise systems through bogus npm packages, once again underscoring how threat actors continue to exploit the trust in the open-source ecosystem to deliver malware. "By mimicking the popular 'noblox.js' library, attackers have published dozens of packages designed to steal sensitive data and compromise systems," Checkmarx researcher Yehuda Gelb said in a technical report. Roblox is an online game platform and game creation system with nearly 80 million daily active users, and thus makes for an attractive target for threat actors. It was launched in September 2006 for Windows, before debuting on other platforms, including iOS, Android, Xbox One, Meta Quest, and PlayStation 4. Details about the activity were first documented by ReversingLabs in August 2023 as part of a campaign that delivered a stealer called Luna Token Grabber, which it said was a "replay of an attack uncovered two ...
Automated Security Validation: One (Very Important) Part of a Complete CTEM Framework

Aug 08, 2024 Cyber Threat Management
The last few years have seen more than a few new categories of security solutions arise in hopes of stemming a never-ending tidal wave of risks. One of these categories is Automated Security Validation (ASV), which provides the attacker's perspective of exposures and equips security teams to continuously validate exposures, security measures, and remediation at scale. ASV is an important element of any cybersecurity strategy: by providing a clearer picture of potential vulnerabilities and exposures in the organization, it lets security teams identify weaknesses before they can be exploited. However, relying solely on ASV can be limiting. In this article, we'll take a look into how combining the detailed vulnerability insights from ASV with the broader threat landscape analysis provided by the Continuous Threat Exposure Management Framework (CTEM) can empower your security teams to make more informed decisions and allocate resources effectively. (Want to learn more abo...
Chameleon Android Banking Trojan Targets Users Through Fake CRM App

Aug 07, 2024 Android / Mobile Security
Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app. "Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical report published Monday. The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victimology footprint from Australia, Italy, Poland, and the U.K. The use of CRM-related themes for the malicious dropper apps containing the malware points to the targets being customers in the hospitality sector and Business-to-Consumer (B2C) employees. The dropper artifacts are also designed to bypass Restricted Settings imposed by Google in Android 13 and later in order to prevent sideloaded apps from requesting dangerous permissions (e.g., acc...
Google Patches New Android Kernel Vulnerability Exploited in the Wild

Aug 06, 2024 Mobile Security / Vulnerability
Google has addressed a high-severity security flaw impacting the Android kernel that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel. "There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security bulletin for August 2024. As is typically the case, the company did not share any additional specifics on the nature of the cyber attacks exploiting the flaw or attribute the activity to a particular threat actor or group. Google's own Pixel line is also impacted by the bug, according to its Pixel update bulletin. That said, Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw, suggesting that it's likely being exploited by commercial spyware vendors to infiltrate Android devices in narrowly targeted attacks. The Augus...
BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks

Mar 11, 2024 Ransomware / Vulnerability
The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks. According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident "began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's Go backdoor." BianLian emerged in June 2022, and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023. The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement. It's currently not clear which of the two flaws wer...
Chameleon Android Banking Trojan Variant Bypasses Biometric Authentication

Dec 21, 2023 Mobile Security / Banking Trojan
Cybersecurity researchers have discovered an updated version of an Android banking malware called Chameleon that has expanded its targeting to include users in the U.K. and Italy. "Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region," Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News. Chameleon was previously documented by Cyble in April 2023, noting that it had been used to single out users in Australia and Poland since at least January. Like other banking malware, it's known to abuse its permissions to Android's accessibility service to harvest sensitive data and conduct overlay attacks. The rogue apps containing the earlier version were hosted on phishing pages and found to impersonate genuine institutions in the countries, such as the Australian Taxation Offi...
New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

Dec 14, 2023 Malware / Threat Analysis
A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi. The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor. "Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski said in a report shared with The Hacker News. Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access. Some of the notable malware families in its arsenal include BarbWire, DropBook, LastCon...
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders

Dec 14, 2023 Malware / Cyber Espionage
The Iranian state-sponsored threat actor known as OilRig deployed three different malware downloaders throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k). "These lightweight downloaders [...] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API," security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News. By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group's attack...