#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

critical infrastructure | Breaking Cybersecurity News | The Hacker News

Category — critical infrastructure
U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks

U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks

Sep 09, 2024 Cyber Espionage / Malware
The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center ( Unit 29155 ). "These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020," the agencies said . "Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine." Targets of the attacks have focused on critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of North Atlantic Treaty Organization (NATO) members, the European Union, Central American, and Asian countries. The joint advisory, released last week as part of a coordinated exercise dubbed Operatio
RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors

RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors

Sep 02, 2024 Ransomware / Threat Intelligence
Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure. "RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)," government agencies said . A ransomware-as-a-service (RaaS) platform that's a descendant of Cyclops and Knight, the e-crime operation has attracted high-profile affiliates from other prominent variants such as LockBit
Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Sep 10, 2024SaaS Security / Risk Management
Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers.  Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own instance of GitHub to keep their work separate from other developers. They might justify the purchase by noting that GitHub is an approved application, as it is already in use by other teams. However, since the new instance is used outside of the security team's view, it lacks governance. It may store sensitive corporate data and not have essential protections like MFA enabled, SSO enforced, or it could suffer from weak access controls. These misconfigurations can easily lead to risks like stolen source code and other issues. Types of Shadow Apps  Shadow apps can be categorized based on their interac
SANS Institute Unveils Critical Infrastructure Strategy Guide for 2024: A Call to Action for Securing ICS/OT Environments

SANS Institute Unveils Critical Infrastructure Strategy Guide for 2024: A Call to Action for Securing ICS/OT Environments

Aug 30, 2024 ICS Security / OT Security
A comprehensive guide authored by Dean Parsons, SANS Certified Instructor and CEO / Principal Consultant of ICS Defense Force, emphasizes the growing need for specialized ICS security measures in the face of rising cyber threats. With a staggering 50% increase in ransomware attacks targeting industrial control systems (ICS) in 2023, the SANS Institute is taking decisive action by announcing the release of its essential new strategy guide, " ICS Is the Business: Why Securing ICS/OT Environments Is Business-Critical in 2024 ." Authored by Dean Parsons, CEO of ICS Defense Force and a SANS Certified Instructor, this guide offers a comprehensive analysis of the rapidly evolving threat landscape and provides critical steps that organizations must take to safeguard their operations and ensure public safety. As cyber threats grow in both frequency and sophistication, this guide is an indispensable resource for securing the vital systems that underpin our world. Key Insights from t
cyber security

DevOps Security Best Practices

websiteWizDevOps / Secure Coding
Develop securely from code to cloud with this DevOps Security Cheat Sheet from Wiz. Take a deep dive into secure coding, infrastructure security, and vigilant monitoring and response.
Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks

Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks

Aug 29, 2024 IoT Security / Vulnerability
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said . Details of the security shortcoming were first made public earlier this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighting its low attack complexity and the ability to exploit it remotely. "Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process," the agency noted in an alert published August 1, 2024. It's worth noting that the issue remains unpatched. It impacts AVM1203 camera devices using firmwar
Chinese Volt Typhoon Exploits Versa Director Flaw, Targets U.S. and Global IT Sectors

Chinese Volt Typhoon Exploits Versa Director Flaw, Targets U.S. and Global IT Sectors

Aug 27, 2024 Cyber Espionage / Network Security
The China-nexus cyber espionage group tracked as Volt Typhoon has been attributed with moderate confidence to the zero-day exploitation of a recently disclosed high-severity security flaw impacting Versa Director. The attacks targeted four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024, the Black Lotus Labs team at Lumen Technologies said in a technical report shared with The Hacker News. The campaign is believed to be ongoing against unpatched Versa Director systems. The security flaw in question is CVE-2024-39717 (CVSS score: 6.6), a file upload bug affecting Versa Director that was added to the Known Exploited Vulnerabilities (KEV) catalog last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Ce
Why Hardsec Matters: From Protecting Critical Services to Enhancing Resilience

Why Hardsec Matters: From Protecting Critical Services to Enhancing Resilience

Aug 13, 2024 Cyber Defense / Compliance
Traditionally, the focus has been on defending against digital threats such as malware, ransomware, and phishing attacks by detecting them and responding. However, as cyber threats become more sophisticated. There is a growing recognition of the importance of measures that stop new attacks before they are recognized. With high-value assets, it's not good enough to have the protection, it's essential to have some assurance that the protection is effective. With software, that assurance is hard work, and this has led to a complimentary approach, called hardsec. What is Hardsec? Short for " Hardware Security ." Hardsec is about using hardware logic and electronics to implement a security defence, rather than through software alone - thereby providing a higher level of security assurance and resilience against both external and insider threats . Making it an essential component of comprehensive cybersecurity strategies. The Rise of Sophisticated Attacks When the impact of an attack ag
Researchers Uncover Vulnerabilities in Solarman and Deye Solar Systems

Researchers Uncover Vulnerabilities in Solarman and Deye Solar Systems

Aug 12, 2024 Critical Infrastructure / Vulnerability
Cybersecurity researchers have identified a number of security shortcomings in photovoltaic system management platforms operated by Chinese companies Solarman and Deye that could enable malicious actors to cause disruption and power blackouts. "If exploited, these vulnerabilities could allow an attacker to control inverter settings that could take parts of the grid down, potentially causing blackouts," Bitdefender researchers said in an analysis published last week. The vulnerabilities have been addressed by Solarman and Deye as of July 2024, following responsible disclosure on May 22, 2024. The Romanian cybersecurity vendor, which analyzed the two PV monitoring and management platforms, said they suffer from a number of issues that, among others, could result in account takeover and information disclosure. A brief description of the issues is listed below - Full Account Takeover via Authorization Token Manipulation Using the /oauth2-s/oauth/token API endpoint  Deye
Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks

Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks

Aug 12, 2024 Operational Technology / Network Security
Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks. The elevated access could then be weaponized to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even get correctly signed X.509 VPN certificates for foreign devices to take over their VPN sessions. "This allows attackers hijacking VPN sessions which results in significant security risks against users of the Cosy+ and the adjacent industrial infrastructure," SySS GmbH security researcher Moritz Abrell said in a new analysis. The findings were presented at the DEF CON 32 conference over the weekend. Following responsible disclosure, the issues have been addressed in firmware versions 21.2s10 and 22.1s3 as part of an advisory [PDF] issued by Ewon on July 29, 2024 - CVE-2024-33892 (CVSS score: 7.4) - Information leakage through cookies
FBI and CISA Warn of BlackSuit Ransomware That Demands Up to $500 Million

FBI and CISA Warn of BlackSuit Ransomware That Demands Up to $500 Million

Aug 08, 2024 Critical Infrastructure / Malware
The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million. That's according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). "BlackSuit actors have exhibited a willingness to negotiate payment amounts," the agencies said . "Ransom amounts are not part of the initial ransom note, but require direct interaction with the threat actor via a .onion URL (reachable through the Tor browser) provided after encryption." Attacks involving ransomware have targeted several critical infrastructure sectors spanning commercial facilities, healthcare and public health, government facilities, and critical manufacturing. An evolution of the Royal ransomware , it leverages the initial access obtained via phishing emails to disarm antivirus software and exfiltrate sensitive data before ultimately
New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Jul 23, 2024 ICS Malware / Critical Infrastructure
Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January. Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop , describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024. "FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News. It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously
APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

Jul 19, 2024 Cyber Espionage / Threat Intelligence
Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group. "APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period," Google-owned Mandiant said in a new report published Thursday. The threat intelligence firm described the adversarial collective as unique among China-nexus actors owing to its use of "non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions." Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROV
Microsoft Uncovers Critical Flaws in Rockwell Automation PanelView Plus

Microsoft Uncovers Critical Flaws in Rockwell Automation PanelView Plus

Jul 04, 2024 Vulnerability / Critical Infrastructure
Microsoft has revealed two security flaws in Rockwell Automation PanelView Plus that could be weaponized by remote, unauthenticated attackers to execute arbitrary code and trigger a denial-of-service (DoS) condition. "The [remote code execution] vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device," security researcher Yuval Gordon said . "The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS." The list of shortcomings is as follows - CVE-2023-2071 (CVSS score: 9.8) - An improper input validation vulnerability that allows unauthenticated attackers to achieve remote code executed via crafted malicious packets. CVE-2023-29464 (CVSS score: 8.2) - An improper input validation vulnerability that allows an unauthenticated threat actor to read data from memory via crafted malicious pac
Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment

Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment

Jun 28, 2024 Industrial Security / Critical Infrastructure
Multiple security flaws have been disclosed in Emerson Rosemount gas chromatographs that could be exploited by malicious actors to obtain sensitive information, induce a denial-of-service (DoS) condition, and even execute arbitrary commands. The flaws impact GC370XA, GC700XA, and GC1500XA and reside in versions 4.1.5 and prior. According to operational technology (OT) security firm Claroty, the vulnerabilities include two command injection flaws and two separate authentication and authorization vulnerabilities that could be weaponized by unauthenticated attackers to perform a wide range of malicious actions ranging from authentication bypass to command injection. "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker with network access to run arbitrary commands, access sensitive information, cause a denial-of-service condition, and bypass authentication to acquire admin capabilities," the U.S. Cybersecurity and Infrastructure Security
Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Jun 26, 2024 Cyber Attack / Malware
Threat actors with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world between 2021 and 2023. While one cluster of activity has been associated with the ChamelGang (aka CamoFei), the second cluster overlaps with activity previously attributed to Chinese and North Korean state-sponsored groups, cybersecurity firms SentinelOne and Recorded Future said in a joint report shared with The Hacker News. This includes ChamelGang's attacks aimed at the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware , as well as those targeting a government entity in East Asia and an aviation organization in the Indian subcontinent in 2023. "Threat actors in the cyber espionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financia
Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021

Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021

Jun 20, 2024 Cyber Espionage / Critical Infrastructure
Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021. "The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The cybersecurity firm did not reveal the country that was targeted, but said it found evidence to suggest that the malicious cyber activity may have started as far back as 2020. The attacks also targeted an unnamed services company that catered to the telecoms sector and a university in another Asian country, it added. The choice of tools used in this campaign overlaps with other missions conducted by Chinese espionage groups like Mustang Panda (aka Earth Preta and Fireant), RedFoxtrot (aka Neeedleminer and Nomad Panda), and Naikon (aka Firefly) in recent years. This incl
U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

Apr 30, 2024 Machine Learning / National Security
The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats. "These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems," the Department of Homeland Security (DHS)  said  Monday. In addition, the agency said it's working to facilitate safe, responsible, and trustworthy use of the technology in a manner that does not infringe on individuals' privacy, civil rights, and civil liberties. The new guidance concerns the use of AI to augment and scale attacks on critical infrastructure, adversarial manipulation of AI systems, and shortcomings in such tools that could result in unintended consequences, necessitating the need for transparency and secure by design practices to evaluate and mitigate AI risks. Specifically, this spans four diffe
Expert Insights / Articles Videos
Cybersecurity Resources