cybersecurity | Breaking Cybersecurity News | The Hacker News

Security researchers have uncovered a "credible" takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project. "The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS Foundation and Open Source Security Foundation (OpenSSF)  said  in a joint alert. According to Robin Bender Ginn, executive director of OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF, the email messages urged OpenJS to take action to update one of its popular JavaScript projects to remediate critical vulnerabilities without providing any specifics. The email author(s) also called on OpenJS to designate them as a new maintainer of the project despite having little prior involvement. Two other popular JavaScript projects not hosted by OpenJS are also sai

The maintainers of the  PuTTY Secure Shell (SSH) and Telnet client  are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. The flaw has been assigned the CVE identifier  CVE-2024-31497 , with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. "The effect of the vulnerability is to compromise the private key," the PuTTY project  said  in an advisory. "An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for." However, in order to obtain the signatures, an attacker will have to compromise the server for which the key is used to authenticate to. In a message posted on the Open Source

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

In today's rapidly evolving digital landscape, organizations face an increasingly complex array of cybersecurity threats. The proliferation of cloud services and remote work arrangements has heightened the vulnerability of digital identities to exploitation, making it imperative for businesses to fortify their identity security measures. Our recent research report,  The Identity Underground Report , offers valuable insights into the challenges and vulnerabilities organizations encounter in managing digital identities. The report paints a vivid picture of the "hidden" identity security liabilities where attackers leverage Identity Threat Exposures (ITEs) such as forgotten user accounts and misconfigurations to breach organizations' defenses, with each ITE posing a significant threat to organizations' security posture. Discover the most common identity security gaps that lead to compromises in the first-ever threat report focused entirely on the prevalence of

A security flaw impacting the Lighttpd web server used in baseboard management controllers ( BMCs ) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal. While the original shortcoming was  discovered and patched  by the Lighttpd maintainers way back in August 2018 with  version 1.4.51 , the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo. Lighttpd  (pronounced "Lighty") is an open-source high-performance web server software designed for speed, security, and flexibility, while optimized for high-performance environments without consuming a lot of system resources. The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout ra

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called  LightSpy . "The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team  said  in a report published last week. There is evidence to suggest that the campaign may have targeted India based on  VirusTotal   submissions  from within its borders. First documented in 2020 by Trend Micro and Kaspersky,  LightSpy  refers to an advanced iOS backdoor that's distributed via watering hole attacks through compromised news sites. A subsequent analysis from ThreatFabric in October 2023  uncovered  infrastructure and functionality overlaps between the malware and DragonEgg, a fully-featured Android spyware attributed to the Chinese nation-state group APT41 (aka Winnti). The initial in

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as  CVE-2024-3400  (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall. Fixes for the shortcoming are available in the following versions - PAN-OS 10.2.9-h1 PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 Patches for other commonly deployed maintenance releases are expected to be released over the next few days. "This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled," the company  clarified  in its updated advisory. It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS

A former security engineer has been  sentenced  to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million. Shakeeb Ahmed, the defendant in question,  pled guilty  to one count of computer fraud in December 2023  following his arrest  in July. "At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the hacks," the U.S. Department of Justice (DoJ) noted at the time. While the name of the company was not disclosed, he was residing in Manhattan, New York, and  working for Amazon  before he was apprehended. Court documents show that Ahmed exploited a security flaw in an unnamed cryptocurrency exchange's smart contracts to insert "

"Test files" associated with the  XZ Utils backdoor  have made their way to a Rust crate known as  liblzma-sys , new  findings  from Phylum reveal. liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the  XZ Utils  data compression software. The impacted version in question is 0.3.2. "The current distribution (v0.3.2) on Crates.io contains the test files for XZ that contain the backdoor," Phylum  noted  in a GitHub issue raised on April 9, 2024. "The test files themselves are not included in either the .tar.gz nor the .zip tags  here on GitHub  and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io." Following responsible disclosure, the files in question ("tests/files/bad-3-corrupt_lzma2.xz" and "tests/files/good-large_compressed.lzma") have since been removed from liblzma-sys version

The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called  DarkBeatC2 , becoming the latest such tool in its arsenal after  SimpleHarm ,  MuddyC3, PhonyC2 , and  MuddyC2Go . "While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater's methods remain constant," Deep Instinct security researcher Simon Kenin  said  in a technical report published last week. MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). It's known to be active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems. Prior findings from Microsoft show that the group has ties with another Iranian threat activity cluster tracked as  Storm-1084  (aka DarkBit), with t

Palo Alto Networks is warning that a critical flaw impacting PAN-OS software used in its GlobalProtect gateways is being actively exploited in the wild. Tracked as  CVE-2024-3400 , the issue has a CVSS score of 10.0, indicating maximum severity. "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall," the company  said  in an advisory published today. The flaw impacts the following versions of PAN-OS, with fixes expected to be released on April 14, 2024 - PAN-OS < 11.1.2-h3 PAN-OS < 11.0.4-h1 PAN-OS < 10.2.9-h1 The company also said that the issue is applicable only to firewalls that have the configurations for both  GlobalProtect gateway  (Network > GlobalProtect > Gateways) and  device telemetry  (Device > Setup > Telemetry) enabled.

Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake  Meta Pixel tracker script  in an attempt to evade detection. Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like  Simple Custom CSS and JS  or the " Miscellaneous Scripts " section of the Magento admin panel. "Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery," security researcher Matt Morrow  said . The bogus Meta Pixel tracker script identified by the web security company contains similar elements as its legitimate counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain "connect.facebook[.]net" with "

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft's systems that led to the theft of email correspondence with the company. The attack, which  came to light  earlier this year, has been attributed to a Russian nation-state group tracked as Midnight Blizzard (aka APT29 or Cozy Bear). Last month, Microsoft revealed that the adversary managed to access some of its source code repositories but noted that there is no evidence of a breach of customer-facing systems. The emergency directive, which was originally issued privately to federal agencies on April 2, was  first reported  on by CyberScoop two days later. "The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Micros

A threat actor tracked as  TA547  has targeted dozens of German organizations with an information stealer called  Rhadamanthys  as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint  said . "Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM)." TA547 is a prolific, financially motivated threat actor that's known to be active since at least November 2017, using email phishing lures to deliver a variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware. In recent years, the group has  evolved  into an initial access broker (IAB) for ransomware attacks. It has also been observed employing geofencing tricks to restrict payloads to specific regions. The email messages observed as p

Apple on Wednesday  revised  its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks. It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted attacks of such exceptional cost and complexity." "Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global," Apple  said . "The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today." The update marks a change in wording that previously said these "threat notifications" are designed to inform and assist users who may have been targeted by state-sponsored