#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

cryptocurrency | Breaking Cybersecurity News | The Hacker News

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

Feb 27, 2024 Website Security / Cryptojacking
A critical security flaw has been disclosed in a popular WordPress plugin called  Ultimate Member  that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress security company Wordfence  said  the plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query." As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries into already existing queries and extract sensitive data from the database. It's worth noting that the issue only affects users who have checked the "Enable custom table for usermeta" option in the plugin settings.
North Korean Hackers Targeting Developers with Malicious npm Packages

North Korean Hackers Targeting Developers with Malicious npm Packages

Feb 26, 2024 Software Security / Cryptocurrency
A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils. One of the packages in question,  execution-time-async , masquerades as its legitimate counterpart  execution-time , a library with more than 27,000 weekly downloads. Execution-time is a Node.js utility used to measure execution time in code. It "actually installs several malicious scripts including a cryptocurrency and credential stealer," Phylum  said , describing the campaign as a software supply chain attack targeting developers. The package was  downloaded 302 times  since February 4, 2024, before being taken down. In an interesting twist, the threat actors made efforts to conceal the obfuscated malicious code in a test file, which is designed to fetch next-stage payloa
How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

Feb 15, 2024SaaS Security / Risk Management
With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications. Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023.  Their study reveals  how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.  The TL;DR Version Of SaaS Security 2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizat
New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

Feb 20, 2024 Server Security / Cryptojacking
A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir  said  in a technical report. The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines. The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots that are engineered to lower security defenses by disabling the following configuration options - protected-mode   replica-read-only aof-rewrite-incremental-fsync , and rdb-save-incremental-fsync It's suspected that these options are turned off in order to send additional commands to the Re
cyber security

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.
LockBit Ransomware Operation Shut Down; Criminals Arrested; Decryption Keys Released

LockBit Ransomware Operation Shut Down; Criminals Arrested; Decryption Keys Released

Feb 20, 2024 Ransomware / Data Protection
The U.K. National Crime Agency (NCA) on Tuesday confirmed that it obtained LockBit's source code as well as a wealth of intelligence pertaining to its activities and their affiliates as part of a dedicated task force called  Operation Cronos . "Some of the data on LockBit's systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised," the agency  said . It also announced the arrest of two LockBit actors in Poland and Ukraine. Over 200 cryptocurrency accounts linked to the group have been frozen. Indictments and sanctions have also been unsealed in the U.S. against two other Russian nationals who are alleged to have carried out LockBit attacks. Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) have been accused of deploying LockBit against numerous victims throughout the U.S., including businesses nationw
CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

Feb 16, 2024 Ransomware / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports that it's being likely exploited in Akira ransomware attacks. The vulnerability in question is  CVE-2020-3259  (CVSS score: 7.5), a high-severity information disclosure issue that could allow an attacker to retrieve memory contents on an affected device. It was  patched  by Cisco as part of updates released in May 2020. Late last month, cybersecurity firm Truesec said it found evidence suggesting that it has been weaponized by Akira ransomware actors to compromise multiple susceptible Cisco Anyconnect SSL VPN appliances over the past year. "There is no publicly available exploit code for [...] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to b
Glupteba Botnet Evades Detection with Undocumented UEFI Bootkit

Glupteba Botnet Evades Detection with Undocumented UEFI Bootkit

Feb 13, 2024 Cryptocurrency / Rootkit
The  Glupteba  botnet has been found to incorporate a previously undocumented Unified Extensible Firmware Interface ( UEFI ) bootkit feature, adding another layer of sophistication and stealth to the malware. "This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove," Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik  said  in a Monday analysis. Glupteba is a fully-featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It's also known to leverage the Bitcoin blockchain as a backup command-and-control (C2) system, making it  resilient to takedown efforts . Some of the other functions allow it to deliver additional payloads, siphon credentials, and credit card data, perform ad fraud, and even exploit routers to gain credent
U.S. Offers $10 Million Bounty for Info Leading to Arrest of Hive Ransomware Leaders

U.S. Offers $10 Million Bounty for Info Leading to Arrest of Hive Ransomware Leaders

Feb 12, 2024 Dark Web / Cryptocurrency
The U.S. Department of State has  announced  monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation. It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person "conspiring to participate in or attempting to participate in Hive ransomware activity." The multi-million-dollar rewards come a little over a year after a coordinated law enforcement effort  covertly infiltrated and dismantled  the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) gang. One person with suspected ties to the group was  arrested  in Paris in December 2023. Hive, which emerged in mid-2021, targeted more than 1,500 victims in over 80 countries, netting about $100 million in illegal revenues. In November 2023, Bitdefender  revealed  that a new ransomware group called Hunters International had acquired the source code and infrastructure
New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Attack

New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Attack

Feb 09, 2024 Endpoint Security / Cryptocurrency
Sixty-one banking institutions, all of them originating from Brazil, are the target of a new banking trojan called  Coyote . "This malware utilizes the Squirrel installer for distribution, leveraging Node.js and a relatively new multi-platform programming language called Nim as a loader to complete its infection," Russian cybersecurity firm Kaspersky  said  in a Thursday report. What makes Coyote a different breed from  other banking trojans  of its kind is the use of the open-source  Squirrel framework  for installing and updating Windows apps. Another notable departure is the shift from Delphi – which is prevalent among banking malware families targeting Latin America – to an uncommon programming language like Nim. In the attack chain documented by Kaspersky, a Squirrel installer executable is used as a launchpad for a Node.js application compiled with Electron, which, in turn, runs a Nim-based loader to trigger the execution of the malicious Coyote payload by means of
Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion Crypto Money Laundering

Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion Crypto Money Laundering

Feb 05, 2024 Cryptocurrency / Financial Fraud
A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business. Aliaksandr Klimenka , who was arrested in Latvia on December 21, 2023, was extradited to the U.S. and is currently being held in custody. If convicted, he faces a maximum penalty of 25 years in prison. BTC-e, which had been operating since 2011, was seized by law enforcement authorities in late July 2017 following the arrest of another key member  Alexander Vinnik , in Greece. The exchange is alleged to have received deposits valued at over $4 billion, with Vinnik laundering funds received from the hack of another digital exchange, Mt. Gox, through various online exchanges, including BTC-e. Court documents  allege  that the exchange was a "significant cybercrime and online money laundering entity," allowing its users to trade in bitcoin with high levels of
FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

Feb 01, 2024 Cyber Attack / Botnet
The threat actor behind a peer-to-peer (P2P) botnet known as  FritzFrog  has made a return with a new variant that leverages the  Log4Shell vulnerability  to propagate internally within an already compromised network. "The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security company Akamai said in a report shared with The Hacker News. FritzFrog,  first documented  by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It's known to be active since January 2020. It has  since evolved  to strike healthcare, education, and government sectors as well as improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts, claiming more than 1,500 victims over the years. What's novel about the latest version is the use of the Log4Shell vulnerability a
HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

Feb 01, 2024 Cryptocurrency / Botnet
Cybersecurity researchers have detailed an updated version of the malware  HeadCrab  that's known to target Redis database servers across the world since early September 2021. The development, which comes exactly a year after the malware was first  publicly disclosed  by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve. The cloud security firm  said  that "the campaign has almost doubled the number of infected Redis servers," with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023. HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server. While the origins of th
Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

Jan 31, 2024 Cryptocurrency / Cybersecurity
A financially motivated threat actor known as  UNC4990  is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy. Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics. "UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader," the company  said  in a Tuesday report. "During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain." UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes. It's currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat
U.S., U.K., Australia Sanction Russian REvil Hacker Behind Medibank Breach

U.S., U.K., Australia Sanction Russian REvil Hacker Behind Medibank Breach

Jan 24, 2024 Cryptocurrency / Cybercrime
Governments from Australia, the U.K., and the U.S. have imposed financial sanctions on a Russian national for his alleged role in the 2022 ransomware attack against health insurance provider Medibank. Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, has been tied to the breach of the Medibank network as well as the theft and release of Personally Identifiable Information (PII) belonging to the Australian company. The ransomware attack, which  took place in late October 2022  and attributed to the  now-defunct REvil ransomware crew , led to the unauthorized access of approximately 9.7 million of its current and former customers. The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health and drug use. Some of these records were leaked on the dark web. As part of the trilateral action, the sanctions  make  it a criminal offense to provide assets to Erma
"Activator" Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets

"Activator" Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets

Jan 23, 2024 Malware / Cryptocurrency
Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data. Kaspersky, which identified the artifacts in the wild,  said  they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs on both Intel and Apple silicon processor architectures. The attack chains leverage booby-trapped disk image (DMG) files that include a program named "Activator" and a pirated version of legitimate software such as xScope. Users who end up opening the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app. Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modif
MFA Spamming and Fatigue: When Security Measures Go Wrong

MFA Spamming and Fatigue: When Security Measures Go Wrong

Jan 18, 2024 Authentication Security / Passwords
In today's digital landscape, traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an additional layer of protection against unauthorized access. However, cybercriminals are relentless in their pursuit of finding ways to  bypass MFA systems . One such method gaining traction is MFA spamming attacks, also known as MFA fatigue, or  MFA bombing . This article delves into MFA spamming attacks, including the best practices to mitigate this growing threat. What is MFA spamming? MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to o
Cybersecurity Resources