#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Threat Intelligence | Breaking Cybersecurity News | The Hacker News

Category — Threat Intelligence
CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

Oct 11, 2024 Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who is behind the activity, or what the end goals of the campaign are. "A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network," CISA said in an advisory. It has also recommended organizations encrypt persistent cookies employed in F5 BIG-IP devices by configuring cookie encryption within the HTTP profile. Furthermore, it's urging users to verify the protection of their systems by running a diagnostic
Cybercriminals Use Unicode to Hide Mongolian Skimmer in E-Commerce Platforms

Cybercriminals Use Unicode to Hide Mongolian Skimmer in E-Commerce Platforms

Oct 10, 2024 Cybercrime / Malware
Cybersecurity researchers have shed light on a new digital skimmer campaign that leverages Unicode obfuscation techniques to conceal a skimmer dubbed Mongolian Skimmer. "At first glance, the thing that stood out was the script's obfuscation, which seemed a bit bizarre because of all the accented characters," Jscrambler researchers said in an analysis. "The heavy use of Unicode characters, many of them invisible, does make the code very hard to read for humans." The script, at its core, has been found to leverage JavaScript's capability to use any Unicode character in identifiers to hide the malicious functionality. The end goal of the malware is to steal sensitive data entered on e-commerce checkout or admin pages, including financial information, which are then exfiltrated to an attacker-controlled server. The skimmer, which typically manifests in the form of an inline script on compromised sites that fetches the actual payload from an external serv
How to Get Going with CTEM When You Don't Know Where to Start

How to Get Going with CTEM When You Don't Know Where to Start

Oct 04, 2024Vulnerability Management / Security Posture
Continuous Threat Exposure Management (CTEM) is a strategic framework that helps organizations continuously assess and manage cyber risk. It breaks down the complex task of managing security threats into five distinct stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. Each of these stages plays a crucial role in identifying, addressing, and mitigating vulnerabilities - before they can be exploited by attackers.  On paper, CTEM sounds great . But where the rubber meets the road – especially for CTEM neophytes - implementing CTEM can seem overwhelming. The process of putting CTEM principles into practice can look prohibitively complex at first. However, with the right tools and a clear understanding of each stage, CTEM can be an effective method for strengthening your organization's security posture.  That's why I've put together a step-by-step guide on which tools to use for which stage. Want to learn more? Read on… Stage 1: Scoping  When you're defin
Firefox Zero-Day Under Attack: Update Your Browser Immediately

Firefox Zero-Day Under Attack: Update Your Browser Immediately

Oct 10, 2024 Vulnerability / Browser Security
Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-9680 (CVSS score: 9.8), has been described as a use-after-free bug in the Animation timeline component. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines," Mozilla said in a Wednesday advisory.  "We have had reports of this vulnerability being exploited in the wild." Security researcher Damien Schaeffer from Slovakian company ESET has been credited with discovering and reporting the vulnerability. The issue has been addressed in the following versions of the web browser -  Firefox 131.0.2 Firefox ESR 128.3.1, and Firefox ESR 115.16.1. There are currently no details on how the vulnerability is being exploited in real-world attacks and the identity of the threat actors behind them. T
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

Oct 09, 2024 Phishing Attack / Malware
Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret. The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed Contagious Interview that Palo Alto Networks Unit 42 first disclosed in November 2023. "The threat actor behind CL-STA-0240 contacts software developers through job search platforms by posing as a prospective employer," Unit 42 said in a new report. "The attackers invite the victim to participate in an online interview, where the threat actor attempts to convince the victim to download and install malware." The first stage of infection involves the BeaverTail downloader and information stealer that's designed for targeting both Windows and Apple macOS platforms. The malware acts as a conduit for the Python-based InvisibleFerret backdoor. There is evidence to suggest that the activity
Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Oct 09, 2024 Vulnerability / Zero-Day
Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild. Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month. Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day - CVE-2024-43572 (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected) CVE-2024-43573 (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected) CVE-2024-43583 (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability CVE-2024-20659 (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability CVE
Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks

Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks

Oct 09, 2024 Enterprise Security / Identity Theft
Microsoft is warning of cyber attack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox that are widely used in enterprise environments as a defense evasion tactic. The end goal of the campaigns are broad and varied, allowing threat actors to compromise identities and devices and conduct business email compromise ( BEC ) attacks, which ultimately result in financial fraud, data exfiltration, and lateral movement to other endpoints. The weaponization of legitimate internet services (LIS) is an increasingly popular risk vector adopted by adversaries to blend in with legitimate network traffic in a manner such that it often bypasses traditional security defenses and complicates attribution efforts. The approach is also called living-off-trusted-sites (LOTS), as it leverages the trust and familiarity of these services to sidestep email security guardrails and deliver malware. Microsoft said it has been observing a new trend in phishing c
New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

Oct 07, 2024 IoT Security / Botnet
Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code. Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. No less than 20,000 commands designed to mount distributed denial-of-service (DDoS) attacks have been issued from the botnet every day on average. The botnet is said to have targeted more than 100 countries, attacking universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany have emerged as the most attacked countries. The Beijing-headquartered company said Gorilla primarily uses UDP flood , ACK BYPASS flood, Valve Source Engine (VSE) flood , SYN flood , and ACK flood to conduct the DDoS attacks, adding the connectionless nature of the UDP prot
Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications

Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications

Oct 07, 2024 Open Source / Software Security
A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances. The flaw, tracked as CVE-2024-47561 (CVSS score: 9.3), impacts all versions of the software prior to 1.11.4. "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory released last week. "Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue." Apache Avro, analogous to Google's Protocol Buffers ( protobuf ), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing. The Avro team notes that the vulnerability affects any application if it allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been cr
North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks

North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks

Oct 03, 2024 Cyber Espionage / Threat Intelligence
Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries. The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37 , which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft. Active since at least 2012, the adversarial collective is assessed to be part of North Korea's Ministry of State Security (MSS). Like with other state-aligned groups, those affiliated with North Korea, including the Lazarus Group and Kimsuky, vary in their modus operandi and likely have ever-evolving objectives based on state interests. A key malware in its toolbox is RokRAT (aka Goldbackdoor), although the group has also developed custom tools to facilitate covert intelligence gathering. It's currently not known how the first stage payload, a ZIP arc
Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals

Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals

Oct 02, 2024 Cybercrime / Threat Intelligence
A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applications. "A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection," Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis. More_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts. It's attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08 ), Cobalt, and Evilnum. Earlier this June, eSentire disclosed details of a similar attack that leverages
AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

Oct 01, 2024 Cryptocurrency / Threat Intelligence
The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition." "This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies," Recorded Future's Insikt Group said in an analysis of version 0.7.0 of the malware. "The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation." First discovered in the wild in September 2022, Rhadamanthys has emerged as one of the most potent information stealers that are advertised under the malware-as-a-service (MaaS) model, alongside Lumma and others. The malware continues to have an active presence despite suffering bans from underground forum
 Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

Oct 01, 2024 Threat Intelligence / Malware
More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft. "For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong, and Alex Starov said in a technical report. "Phishers can either host these phishing pages on Sniper Dz-owned infrastructure or download Sniper Dz phishing templates to host on their own servers." Perhaps what makes it even more lucrative is that these services are provided for free. That said, the credentials harvested using the phishing sites are also exfiltrated to the operators of the PhaaS platform, a technique that Microsoft calls double theft . PhaaS platforms have become an increasingly common way for aspiring threat actors to enter the world of cy
New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

Oct 01, 2024 Cryptojacking / Docker Security
Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH. Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab . On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan[.]liv
A Hacker's Era: Why Microsoft 365 Protection Reigns Supreme

A Hacker's Era: Why Microsoft 365 Protection Reigns Supreme

Sep 30, 2024 SaaS Backup / Microsoft 365
Imagine a sophisticated cyberattack cripples your organization's most critical productivity and collaboration tool — the platform you rely on for daily operations. In the blink of an eye, hackers encrypt your emails, files, and crucial business data stored in Microsoft 365, holding it hostage using ransomware. Productivity grinds to a halt and your IT team races to assess the damage as the clock ticks down on a ransom demand that threatens to destroy your data forever. How did this happen, and more importantly, how can you prevent it from happening? Microsoft 365 (M365) is the lifeblood of countless organizations worldwide, offering a seamless, cloud-based platform for communication, collaboration and data management. Over 400 million users rely on Microsoft 365 for everything from document creation and management to video conferencing 1 . While M365 has empowered businesses to undergo digital transformation and remain competitive with its support for distributed, hybrid and remote w
Expert Insights / Articles Videos
Cybersecurity Resources