#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

cybersecurity | Breaking Cybersecurity News | The Hacker News

Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries

Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries

Mar 28, 2024 Linux / Network Security
A Linux version of a multi-platform backdoor called  DinodasRAT  has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan,  new findings  from Kaspersky reveal. DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts. In October 2023, Slovak cybersecurity firm ESET  revealed  that a governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana to deploy the Windows version of the implant. Then last week, Trend Micro  detailed  a threat activity cluster it tracks as Earth Krahang and which has shifted to using DinodasRAT since 2023 in its attacks aimed at several government entities worldwide. The use of DinodasRAT has been attributed to various China-nexus threat actors, including  LuoYu , once again reflecting the tool sharing prevalent among hacking crews identified as acting on behalf of the country. Kaspersky said it
Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack

Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack

Mar 28, 2024 Cyber Espionage / Malware
The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 for orchestrating a cyber attack targeting the country's Parliament in 2020. The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a "complex criminal infrastructure." The breach was  first disclosed  in December 2020, with the Finnish Security and Intelligence Service (Supo)  describing  it as a  state-backed cyber espionage operation  designed to penetrate the Parliament's information systems. "The police have previously informed that they are investigating the hacking group APT31's connections with the incident," Poliisi said. "These connections have now been confirmed by the investigation, and the police have also identified one suspect." APT31 , also called Altaire, Bronze Vin
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
New ZenHammer Attack Bypasses RowHammer Defenses on AMD CPUs

New ZenHammer Attack Bypasses RowHammer Defenses on AMD CPUs

Mar 28, 2024 Hardware Security / Vulnerability
Cybersecurity researchers from ETH Zurich have developed a new variant of the RowHammer DRAM (dynamic random-access memory) attack that, for the first time, successfully works against AMD Zen 2 and Zen 3 systems despite mitigations such as Target Row Refresh (TRR). "This result proves that AMD systems are equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface, considering today's AMD market share of around 36% on x86 desktop CPUs," the researchers  said . The technique has been codenamed  ZenHammer , which can also trigger RowHammer bit flips on DDR5 devices for the first time. RowHammer , first publicly disclosed in 2014, is a  well-known attack  that exploits DRAM's memory cell architecture to alter data by repeatedly accessing a specific row (aka hammering) to cause the electrical charge of a cell to leak to adjacent cells. This can induce random bit flips in neighboring memory rows (from 0 to 1, or vice versa), which can
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
New Webinar: Avoiding Application Security Blind Spots with OPSWAT and F5

New Webinar: Avoiding Application Security Blind Spots with OPSWAT and F5

Mar 28, 2024 Application Security / Webinar
Considering the ever-changing state of cybersecurity, it's never too late to ask yourself, "am I doing what's necessary to keep my organization's web applications secure?" The continuous evolution of technology introduces new and increasingly sophisticated threats daily, posing challenges to organizations all over the world and across the broader spectrum of industries striving to maintain reliable defenses. 2024 promises to be no exception. Threat actors continue to adapt their tactics, techniques, and procedures to exploit vulnerabilities in innovative ways, injecting malicious content into files that bypass traditional antivirus solutions and advanced, AI and ML-powered solutions alike. Therefore, organizations must assess and continually reinforce their security measures. One critical aspect that organizations often grapple with is identifying and addressing security blind spots. These are areas within the infrastructure where vulnerabilities exist but may
Behind the Scenes: The Art of Safeguarding Non-Human Identities

Behind the Scenes: The Art of Safeguarding Non-Human Identities

Mar 28, 2024 Secrets Management / Zero Trust
In the whirlwind of modern software development, teams race against time, constantly pushing the boundaries of innovation and efficiency. This relentless pace is fueled by an evolving tech landscape, where SaaS domination, the proliferation of microservices, and the ubiquity of CI/CD pipelines are not just trends but the new norm. Amidst this backdrop, a critical aspect subtly weaves into the narrative — the handling of non-human identities. The need to manage API keys, passwords, and other sensitive data becomes more than a checklist item yet is often overshadowed by the sprint toward quicker releases and cutting-edge features. The challenge is clear: How do software teams maintain the sanctity of secrets without slowing down their stride? Challenges in the development stage of non-human identities The pressure to deliver rapidly in organizations today can lead developers to take shortcuts, compromising security. Secrets are the credentials used for non-human identities. Some stan
Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection

Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection

Mar 28, 2024 Cybercrime / Email Security
A sophisticated phishing-as-a-service (PhaaS) platform called  Darcula  has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale. "Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries," Netcraft  said . Darcula has been employed in several high-profile phishing attacks over the last year, wherein the smishing messages are sent to both Android and iOS users in the U.K., in addition to those that leverage package delivery lures by impersonating legitimate services like USPS. A Chinese-language PhaaS, Darcula is  advertised on Telegram  and offers support for  about 200 templates  impersonating legitimate brands that customers can avail for a monthly fee to set up phishin
Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite

Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite

Mar 27, 2024 Cyber Espionage / Data Breach
Indian government entities and energy companies have been targeted by unknown threat actors with an aim to deliver a modified version of an open-source information stealer malware called HackBrowserData and exfiltrate sensitive information in some cases by using Slack as command-and-control (C2). "The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force," EclecticIQ researcher Arda Büyükkaya  said  in a report published today. "The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware's execution." The campaign, observed by the Dutch cybersecurity firm beginning March 7, 2024, has been codenamed Operation FlightNight in reference to the Slack channels operated by the adversary. Targets of the malicious activity span multiple government entities in India, counting those related t
CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

Mar 27, 2024 Threat Intelligence / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  a security flaw impacting Microsoft Sharepoint Server to its Known Exploited Vulnerabilities ( KEV ) catalog based on evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2023-24955 (CVSS score: 7.2), is a critical remote code execution flaw that allows an authenticated attacker with Site Owner privileges to execute arbitrary code. "In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server," Microsoft  said  in an advisory. The flaw was addressed by Microsoft as part of its  Patch Tuesday updates  for May 2023. The development comes more than two months after CISA  added  CVE-2023-29357, a privilege escalation flaw in SharePoint Server, to its KEV catalog. It's worth pointing out that an exploit chain combining CVE-2023-29357 and CVE-2023-24955 was demonstrated by StarLabs SG at the Pwn2Own Vancouver h
Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Mar 27, 2024 Vulnerability / API Security
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.  "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev  said  in a new report shared with The Hacker News. Tracked as  CVE-2024-21388  (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue. "An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbo
Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Mar 26, 2024 Industrial Espionage / Threat Intelligence
Threat hunters have identified a suspicious package in the  NuGet package manager  that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial- and digital equipment manufacturing. The package in question is  SqzrFramework480 , which ReversingLabs said was first published on January 24, 2024. It has been  downloaded  2,999 times as of writing. The software supply chain security firm said it did not find any other package that exhibited similar behavior. It, however, theorized the campaign could likely be used for orchestrating industrial espionage on systems equipped with cameras, machine vision, and robotic arms. The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company's logo for the package's icon. It was uploaded by a Nuget user account called " zhaoyushun1999 ." Present within the l
U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation

U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation

Mar 26, 2024 Cyber Espionage / Malware
The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years. The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).  The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as  APT31 , which is also known as Altaire,  Bronze Vinewood , Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been  active since at least 2010 . Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors no
Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Mar 26, 2024 Online Gaming / DDoS Protection
Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game's reputation. Despite the prevalence of DDoS attacks on the game, the majority of incidents go unreported, leaving a gap in awareness and protection. This article explains what happens to a Minecraft server during a DDoS attack and how to protect against such attacks. For an in-depth version of the article,  check out this white paper . When Creepers Breach: What Happens When an Attack Is Successful When a Minecraft server is hit with a DDoS attack, players may have problems with logging in to servers, loading worlds, navigating biomes, using tools, and chatting. They can also experience general lags, disconnections, timeouts, or server crashes. These in-game disruptions can ruin the gaming experience for players while causing financial and reputational losses to
U.S. Sanctions 3 Cryptocurrency Exchanges for Helping Russia Evade Sanctions

U.S. Sanctions 3 Cryptocurrency Exchanges for Helping Russia Evade Sanctions

Mar 26, 2024 Money Laundering / Digital Currency
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned three cryptocurrency exchanges for offering services used to evade economic restrictions imposed on Russia following its invasion of Ukraine in early 2022. This includes Bitpapa IC FZC LLC, Crypto Explorer DMCC (AWEX), and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP). In all, the designations cover thirteen entities and two individuals operating in the Russian financial services and technology sectors. "Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions," the Treasury  said , adding the action seeks to "target companies servicing Russia's core financial infrastructure and curtail Russia's use of the international financial system to further its war against Ukraine." Bitpapa, which offers virtual currency excha
CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

Mar 26, 2024 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  placed  three security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows - CVE-2023-48788  (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529  (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability CVE-2019-7256  (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability The shortcoming impacting Fortinet FortiClient EMS  came to light  earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available. CVE-20
Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others

Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others

Mar 25, 2024 Supply Chain Attack / Cryptocurrency
Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. "The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious packages to the PyPI registry," Checkmarx  said  in a technical report shared with The Hacker News. The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data. Some aspects of the campaign were  previously   disclosed  at the start of the month by an Egypt-based developer named Mohammed Dief. It chiefly entailed setting up a clever typosquat of the official PyPI domain known as "files. python hosted[.]org," giving it the name "files. pypi ho
Cybersecurity Resources