#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Vulnerability | Breaking Cybersecurity News | The Hacker News

SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

Jun 21, 2024 Vulnerability / Data Protection
A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild. The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine. Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month. The list of products susceptible to CVE-2024-28995 is below - Serv-U FTP Server 15.4 Serv-U Gateway 15.4 Serv-U MFT Server 15.4, and Serv-U File Server 15.4 Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available. Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit
Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

Jun 20, 2024 Firmware Security / Vulnerability
Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code. "The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime," supply chain security firm Eclypsium said in a report shared with The Hacker News. "This type of low-level exploitation is typical of firmware backdoors (e.g., BlackLotus ) that are increasingly observed in the wild. Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in
Why SaaS Security is Suddenly Hot: Racing to Defend and Comply

Why SaaS Security is Suddenly Hot: Racing to Defend and Comply

Jun 13, 2024SaaS Security / Shadow IT
Recent supply chain cyber-attacks are prompting cyber security regulations in the financial sector to tighten compliance requirements, and other industries are expected to follow. Many companies still don't have efficient methods to manage related time-sensitive SaaS security and compliance tasks. Free SaaS risk assessment tools are an easy and practical way to bring visibility and initial control to SaaS sprawl and Shadow AI. These tools now offer incremental upgrades , helping security professionals meet their company budget or maturity level.  Regulatory pressure, SaaS and AI proliferation, and increased risk of breaches or data leaks through 3rd party apps, make SaaS security one of the hottest areas for practitioners to learn and adopt. New regulations will require robust third-party SaaS risk lifecycle management that begins with SaaS service discovery and third-party risk management (TPRM) and ends with the requirement from CISOs to report incidents in their supply chain
Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw

Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw

Jun 19, 2024 Cybercrime / Crypto Security
Crypto exchange Kraken revealed that an unnamed security researcher exploited an "extremely critical" zero-day flaw in its platform to steal $3 million in digital assets and refused to return them. Details of the incident were shared by Kraken's Chief Security Officer, Nick Percoco, on X (formerly Twitter), stating it received a Bug Bounty program alert from the researcher about a bug that "allowed them to artificially inflate their balance on our platform" without sharing any other details Within minutes of receiving the alert, the company said it identified a security issue that essentially permitted an attacker to "initiate a deposit onto our platform and receive funds in their account without fully completing the deposit." While Kraken emphasized that no client assets were at risk due to the issue, it could have enabled a threat actor to print assets in their accounts. The problem was addressed within 47 minutes, it said. It also said the fl
cyber security

Start With a Free Risk Assessment to Find, Fix, and Fly Through SaaS Security

websiteWing SecuritySaaS Security / Shadow IT
In just minutes, uncover and take action against hidden SaaS threats with Wing's advanced SSPM solution.
UNC3886 Uses Fortinet, VMware 0-Days and Stealth Tactics in Long-Term Spying

UNC3886 Uses Fortinet, VMware 0-Days and Stealth Tactics in Long-Term Spying

Jun 19, 2024 Zero-Day Exploits / Cyber Espionage
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet , Ivanti , and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated," Mandiant researchers said in a new report. The threat actor in question is UNC3886 , which the Google-owned threat intelligence company branded as "sophisticated, cautious, and evasive." Attacks orchestrated by the adversary have leveraged zero-day flaws such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to perform various malicious actions, ranging from deploying backdoors to obtaining credentials for deeper access. It has also been observed exploiting
Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

Jun 19, 2024 Email Security / Vulnerability
Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances. Both shortcomings impact all versions of the software prior to version 2024-04 , which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024. The flaws, rated Moderate in severity, are listed below - CVE-2024-30270 (CVSS score: 6.7) - A path traversal vulnerability impacting a function named "rspamd_maps()" that could result in the execution of arbitrary commands on the server by allowing a threat actor to overwrite any file that's can be modified with the "www-data" user CVE-2024-31204 (CVSS score: 6.8) - A cross-site scripting (XSS) vulnerability via the exception handling mechanism when not operating in the DEV_MODE The second of the two flaws is rooted in the fact that it saves details of the exception
New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

Jun 18, 2024 Vulnerability / Cryptojacking
Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads. Included among the tools deployed is a remote access tool that's capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog said in a report published last week. Analysis of the campaign has uncovered tactical overlaps with a previous activity dubbed Spinning YARN , which was observed targeting misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking purposes. The attack commences with the threat actors zeroing in on Docker servers with exposed ports (port number 2375 ) to initiate a series of steps, starting with reconnaissance and privilege escalation before proceeding to the exploitation phase. Payloads are retrieved from adversary-controlled infrastructure by
VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

Jun 18, 2024 Network Security / Vulnerability
VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution. The list of vulnerabilities is as follows - CVE-2024-37079 & CVE-2024-37080 (CVSS scores: 9.8) - Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol that could allow a bad actor with network access to vCenter Server to achieve remote code execution by sending a specially crafted network packet CVE-2024-37081 (CVSS score: 7.8) - Multiple local privilege escalation vulnerabilities in VMware vCenter arising due to the misconfiguration of sudo that an authenticated local user with non-administrative privileges could exploit to obtain root permissions This is not the first time VMware has addressed shortcomings in the implementation of the DCE/RPC protocol. In October 2023, the Broadcom-owned virtualization services provider patched another criti
ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models

Jun 17, 2024 Router Security / Vulnerability
ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication. Tracked as CVE-2024-3080 , the vulnerability carries a CVSS score of 9.8 out of a maximum of 10.0. "Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device," according to a description of the flaw shared by the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC). Also patched by the Taiwanese company is a high-severity buffer overflow flaw tracked as CVE-2024-3079 (CVSS score: 7.2) that could be weaponized by remote attackers with administrative privileges to execute arbitrary commands on the device. In a hypothetical attack scenario, a bad actor could fashion CVE-2024-3080 and CVE-2024-3079 into an exploit chain in order to sidestep authentication and execute malicious code on susceptible devices. Both the shor
China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices

China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices

Jun 17, 2024 Cyber Espionage / Vulnerability
A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes. Cybersecurity company Sygnia, which responded to the intrusion in late 2023, is tracking the activity under the name Velvet Ant , characterizing it as possessing robust capabilities to swiftly pivot and adapt their tactics to counter repeated eradication efforts. "Velvet Ant is a sophisticated and innovative threat actor," the Israeli company said in a technical report shared with The Hacker News. "They collected sensitive information over a long period of time, focusing on customer and financial information." The attack chains involve the use of a known backdoor called PlugX (aka Korplug), a modular remote access tr
New Attack Technique 'Sleepy Pickle' Targets Machine Learning Models

New Attack Technique 'Sleepy Pickle' Targets Machine Learning Models

Jun 13, 2024 Vulnerability / Software Security
The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle. The attack method, per Trail of Bits, weaponizes the ubiquitous format used to package and distribute machine learning (ML) models to corrupt the model itself, posing a severe supply chain risk to an organization's downstream customers. "Sleepy Pickle is a stealthy and novel attack technique that targets the ML model itself rather than the underlying system," security researcher Boyan Milanov said . While pickle is a widely used serialization format by ML libraries like PyTorch , it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization). "We suggest loading models from users and organizations you trust, relying on signed commits, and/or loading models from [TensorFlow] or Jax formats with the from_
Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Jun 13, 2024 Mobile Security / Vulnerability
Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day. The high-severity vulnerability, tagged as CVE-2024-32896 , has been described as an elevation of privilege issue in Pixel Firmware. The company did not share any additional details related to the nature of attacks exploiting it, but noted "there are indications that CVE-2024-32896 may be under limited, targeted exploitation." The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Some of the notable issues patched include denial-of-service (DoS) issue impacting Modem, and numerous information disclosure flaws affecting GsmSs, ACPM, and Trusty.  The updates are available for supported Pixel devices , such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold. Earlier this April, Google resolved
Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability

Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability

Jun 12, 2024 Patch Tuesday / Vulnerability
Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024. Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month. None of the security flaws have been actively exploited in the wild, with one of them listed as publicly known at the time of the release. This concerns a third-party advisory tracked as CVE-2023-50868 (CVSS score: 7.5), a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver. It was reported by researchers from the National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt back in February, alongside KeyTrap ( CVE-2023-50387 , CVSS score: 7.5). "NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence," Tyler Reguly, associate director of Security
New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

Jun 08, 2024 Vulnerability / Programming
Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances. The vulnerability, tracked as CVE-2024-4577 , has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system. According to DEVCORE security researchers, the shortcoming makes it possible to bypass protections put in place for another security flaw, CVE-2012-1823 . "While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system," security researcher Orange Tsai said . "This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack." Following responsible disclosure on May 7, 2024, a fix for the vulnerability has bee
Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

Jun 07, 2024 Cryptojacking / Vulnerability
The threat actor known as Commando Cat has been linked to an ongoing cryptojacking attack campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain. "The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure," Trend Micro researchers Sunil Bharti and Shubham Singh said in a Thursday analysis. Commando Cat, so named for its use of the open-source Commando project to generate a benign container, was first documented earlier this year by Cado Security. The attacks are characterized by the targeting of misconfigured Docker remote API servers to deploy a Docker image named cmd.cat/chattr, which is then used as a basis to instantiate a container and break out of its confines using the chroot command, and gain access to the host operating system. The final step entails retrieving the malicious miner binary using a curl or wget command fr
Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

Jun 06, 2024 Botnet / DDoS Attack
Muhstik botnet exploits a critical Apache RocketMQ flaw (CVE-2023-33246) for remote code execution , targeting Linux servers and IoT devices for DDoS attacks and cryptocurrency mining . Infection involves executing a shell script from a remote IP, downloading the Muhstik malware binary ("pty3") , and ensuring persistence by copying to multiple directories and editing system files. With over 5,000 vulnerable Apache RocketMQ instances still exposed, organizations must update to the latest version to mitigate risks, while securing MS-SQL servers against brute-force attacks and ensuring regular password changes. The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed leveraging a now-patched security flaw impacting Apache RocketMQ to co-opt susceptible servers and expand its scale. "Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize the
Third-Party Cyber Attacks: The Threat No One Sees Coming – Here's How to Stop Them

Third-Party Cyber Attacks: The Threat No One Sees Coming – Here's How to Stop Them

Jun 06, 2024 Cyber Hygiene / Threat Detection,
Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill's threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk.  In an increasingly interconnected world, supply chain attacks have emerged as a formidable threat, compromising not just individual organizations but the broader digital ecosystem. The web of interdependencies among businesses, especially for software and IT vendors, provides fertile ground for cybercriminals to exploit vulnerabilities. By targeting one weak link in the supply chain, threat actors can gain unauthorized access to sensitive information and can conduct malicious activities with severe consequences on multiple organizations, from data breaches and financial losses to widespread disruption and reputational damage. Understanding the nature, impact, and mitigation strategies of supply chain att
Expert Insights
Cybersecurity Resources