cyberattack | Breaking Cybersecurity News | The Hacker News

A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.  "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev  said  in a new report shared with The Hacker News. Tracked as  CVE-2024-21388  (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue. "An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbo

Microsoft on Tuesday released its monthly security update,  addressing 61 different security flaws  spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution. Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an "Exploitation More Likely" assessment. The fixes are in addition to  17 security flaws  that have been patched in the company's Chromium-based Edge browser since the release of the  February 2024 Patch Tuesday updates . Topping the list of critical shortcomings are  CVE-2024-21407  and  CVE-2024-21408 , which affect Hyper-V and could result in remote code execution and a DoS condition, respectively. Microsoft's update also addresses privilege escalation flaws in the Azure Kub

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with that of a targeted user. The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed ( CRLF ) injection attack against a user. Arising as a result of insufficient validation of user-supplied input, a threat actor could leverage the flaw to trick a user into clicking on a specially crafted link while establishing a VPN session. "A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token," the company  said  in an advisory. "The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and servi

The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) sanctioned two individuals and five entities associated with the Intellexa Alliance for their role in "developing, operating, and distributing" commercial spyware designed to target government officials, journalists, and policy experts in the country. "The proliferation of commercial spyware poses distinct and growing security risks to the United States and has been misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal," the agency  said . "The Intellexa Consortium, which has a global customer base, has enabled the proliferation of commercial spyware and surveillance technologies around the world, including to authoritarian regimes." The Intellexa Alliance is a consortium of several companies, including Cytrox, linked to a mercenary spyware solution called Predator . In July 2023, the U.S. government  added  Cytrox and Intellexa, a

The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called  GhostLocker . "TheGhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries," Cisco Talos researcher Chetan Raghuprasad  said  in a report shared with The Hacker News. "GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates." Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia. Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom. GhostSec – not to be confused with  Ghost Security Group  (which is also called  GhostSec

A financial entity in Vietnam was the target of a previously undocumented threat actor called  Lotus Bane  as part of a cyber attack that was first detected in March 2023. Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that's believed to have been active since at least 2022. The exact specifics of the infection chain remain unknown as yet, but it involves the use of various malicious artifacts that serve as the stepping stone for the next-stage. "The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement," the company  said . Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with that of  OceanLotus , a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This stems from the use of malware like PIPEDANCE for named pipes co

North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called  TODDLERSHARK . According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark. "The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application," security researchers Keith Wojcieszek, George Glass, and Dave Truman said . "They then leveraged their now 'hands on keyboard' access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware." The ConnectWise flaws in question are  CVE-2024-1708 and CVE-2024-1709 , which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware. Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (pr

A new pair of security vulnerabilities have been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems. The flaws, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), have been addressed in version 2023.11.4. They impact all TeamCity On-Premises versions through 2023.11.3. "The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server," JetBrains  said  in an advisory released Monday. TeamCity Cloud instances have already been patched against the two flaws. Cybersecurity firm Rapid7, which discovered and reported the issues on February 20, 2024, said CVE-2024-27198 is a case of authentication bypass that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker. "Compromising a TeamCity server allows an attacker fu

Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines. "These applications are being hosted on Chinese pirating websites in order to gain victims," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley  said . "Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's machine." The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop. The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called "dylib" that's executed every time the application is opened. The dropper then acts as a conduit to fetch a backdoor

Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source  TensorFlow  machine learning framework could have been exploited to orchestrate  supply chain attacks . The misconfigurations could be abused by an attacker to "conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow's build agents via a malicious pull request," Praetorian researchers Adnan Khan and John Stawinski  said  in a report published this week. Successful exploitation of these issues could permit an external attacker to upload malicious releases to the GitHub repository, gain remote code execution on the self-hosted GitHub runner, and even retrieve a GitHub Personal Access Token (PAT) for the  tensorflow-jenkins user . TensorFlow uses GitHub Actions to automate the software build, test, and deployment pipeline. Runners, which refer to machines that execute jobs in a GitHub Actions workflow, can be either self-

Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices. Tracked as  CVE-2023-7102 , the issue relates to a case of  arbitrary code execution  that resides within a third-party and open-source library named Spreadsheet::ParseExcel that's used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware. The company attributed the activity to a threat actor tracked by Google-owned Mandiant as  UNC4841 , which was previously linked to the  active exploitation  of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year. Successful exploitation of the new flaw is accomplished by means of a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of known implants called  SEASPY and SALTWATER  that are equipped to offer persistence and comman

MongoDB on Saturday disclosed it's actively investigating a security incident that has led to unauthorized access to "certain" corporate systems, resulting in the exposure of customer account metadata and contact information. The American database software company  said  it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts. It further noted that "this unauthorized access has been going on for some period of time before discovery," but emphasized it's not "aware of any exposure to the data that customers store in MongoDB Atlas." It did not disclose the exact time period of the compromise. In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords. That's not all. The company said it's also expe

A phishing campaign has been observed delivering an information stealer malware called  MrAnon Stealer  to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin  said . "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions." There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried. Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash. Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which i

Threat hunters have unmasked the latest tricks adopted by a malware strain called  GuLoader  in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic  said  in a report published this week. First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions. A  steady stream  of  open-source reporting  into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented fe

Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The  vulnerabilities  are as follows - CVE-2023-33063  (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106  (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. CVE-2023-33107  (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. Google's Threat Analysis Group and Google Project Zero  revealed  back in October 2023 that the three flaws, along with  CVE-2022-22071  (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks. A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Proje

Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called  Agent Racoon . "This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities," Palo Alto Networks Unit 42 researcher Chema Garcia  said  in a Friday analysis. Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it's assessed to be nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used. The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It's currently not clear how these organizations were breached, and when the attacks took place. Some of the other tools deployed by the adversary include a

An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan. "A defining characteristic of this attack was the utilization of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack," the software supply chain security firm  said . Some of the packages are pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, the last of which was planted on May 13, 2023. A common denominator to these packages is t

The open-source remote access trojan known as  Quasar RAT  has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts. "This technique capitalizes on the inherent trust these files command within the Windows environment," Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan  said  in a report published last week, detailing the malware's reliance on ctfmon.exe and calc.exe as part of the attack chain. Also known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands. DLL side-loading  is a  popular   technique  adopted by  many threat actors  to execute their own payloads by planting a spoofed DLL file with a name that a benign executable is known to be looking for. "Adversaries likely use side-loading as a