data exfiltration | Breaking Cybersecurity News | The Hacker News

A Linux version of a multi-platform backdoor called  DinodasRAT  has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan,  new findings  from Kaspersky reveal. DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts. In October 2023, Slovak cybersecurity firm ESET  revealed  that a governmental entity in Guyana had been targeted as part of a cyber espionage campaign dubbed Operation Jacana to deploy the Windows version of the implant. Then last week, Trend Micro  detailed  a threat activity cluster it tracks as Earth Krahang and which has shifted to using DinodasRAT since 2023 in its attacks aimed at several government entities worldwide. The use of DinodasRAT has been attributed to various China-nexus threat actors, including  LuoYu , once again reflecting the tool sharing prevalent among hacking crews identified as acting o...

Indian government entities and energy companies have been targeted by unknown threat actors with an aim to deliver a modified version of an open-source information stealer malware called HackBrowserData and exfiltrate sensitive information in some cases by using Slack as command-and-control (C2). "The information stealer was delivered via a phishing email, masquerading as an invitation letter from the Indian Air Force," EclecticIQ researcher Arda Büyükkaya  said  in a report published today. "The attacker utilized Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data after the malware's execution." The campaign, observed by the Dutch cybersecurity firm beginning March 7, 2024, has been codenamed Operation FlightNight in reference to the Slack channels operated by the adversary. Targets of the malicious activity span multiple government entities in India, counting those related t...

Intro: Why hack in when you can log in? SaaS applications are the backbone of modern organizations, powering productivity and operational efficiency. But every new app introduces critical security risks through app integrations and multiple users, creating easy access points for threat actors. As a result, SaaS breaches have increased, and according to a May 2024 XM Cyber report, identity and credential misconfigurations caused 80% of security exposures. Subtle signs of a compromise get lost in the noise, and then multi-stage attacks unfold undetected due to siloed solutions. Think of an account takeover in Entra ID, then privilege escalation in GitHub, along with data exfiltration from Slack. Each seems unrelated when viewed in isolation, but in a connected timeline of events, it's a dangerous breach. Wing Security's SaaS platform is a multi-layered solution that combines posture management with real-time identity threat detection and response. This allows organizations to get a ...

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG (TTNG) . "The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions," Cisco Talos  said  in a new report published today. "Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network." There is evidence indicating that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltration taking place via the tool a month later, around January 12, 2024. TinyTurla-NG was  first documented  by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Poli...

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group tracked as Kimsuky (aka Emerald Sleet, Springtail, or Velvet Chollima). "The malware payloads used in the  DEEP#GOSU  represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News. "Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs." A notable aspect of the infection proced...

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro. The campaign, codenamed  gitgub , includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary. "The repositories look similar, featuring a README.md file with the promise of free cracked software," the German cybersecurity company  said . "Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency." The list of repositories is as follows, with each of them pointing to a download link ("digitalxnetwork[.]com") containing a RAR archive file - andreastanaj/AVAST andreastanaj...

An Iran-nexus threat actor known as  UNC1549  has been attributed with medium confidence to a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E. Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis. UNC1549 is said to overlap with  Smoke Sandstorm  (previously Bohrium) and  Crimson Sandstorm  (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC) affiliated group also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc. "This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024," the company  said . "While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide." The attacks entail the use of Microsoft Azure cloud infrastructure for command...

Details have emerged about a now-patched high-severity security flaw in Apple's Shortcuts app that could permit a shortcut to access sensitive information on the device without users' consent. The vulnerability, tracked as  CVE-2024-23204  (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of  iOS 17.3, iPadOS 17.3 ,  macOS Sonoma 14.3 , and  watchOS 10.3 . "A shortcut may be able to use sensitive data with certain actions without prompting the user," the iPhone maker said in an advisory, stating it was fixed with "additional permissions checks." Apple Shortcuts is a  scripting application  that allows users to create personalized workflows (aka macros) for  executing   specific tasks  on their devices. It comes installed by default on iOS, iPadOS, macOS, and watchOS operating systems. Bitdefender security researcher Jubaer Alnazi Jabin, who discovered and reported the Shortcuts bug, said it could be we...

The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems. In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised  OAuth tokens  from a prior breach at Okta, a SaaS identity security provider.  What Exactly Happened? Microsoft Midnight Blizzard Breach Microsoft was targeted by the Russian "Midnight Blizzard" hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin's forei...

Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code. The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out "with the goal of obtaining persistent and widespread access to Cloudflare's global network," the web infrastructure company  said , describing the actor as "sophisticated" and one who "operated in a thoughtful and methodical manner." As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically segmented test and staging systems, carried out forensic triages on 4,893 systems, reimaged and rebooted every machine across its global network. The incident involved a four-day reconnaissance period to access Atlassian Confluence and J...

Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of  LIGHTWIRE . "CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution," the company  said , attributing it to UNC5221, adding it also detected multiple new versions of  WARPWIRE , a JavaScript-based credential stealer. The infection chains entail a successful exploitation of  CVE-2023-46805 and CVE-2024-21887 , which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges. The flaws have been abused as zero-days since early December 2023. Germany's Federal Office for Information Security (BSI)...

Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a  cyber attack on its systems  in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE)  revealed  that it had been the victim of an attack perpetrated by a hacking crew tracked as  APT29 , which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. "This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe," the Microsoft Threat Intelligence team  said  in a new advisory. The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attenti...

Cybersecurity researchers have uncovered an updated version of a backdoor called  LODEINFO  that's distributed via spear-phishing attacks. The findings come from Japanese company ITOCHU Cyber & Intelligence, which  said  the malware "has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques." LODEINFO (versions 0.6.6 and 0.6.7) was  first documented  by Kaspersky in November 2022, detailing its capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server. A month later, ESET  disclosed attacks  targeting Japanese political establishments that led to the deployment of LODEINFO. The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021. Attack chains commence wit...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an  emergency directive  urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development arrives as the  vulnerabilities  – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – have come under widespread exploitation by multiple threat actors. The flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system. The U.S. company  acknowledged  in an advisory that it has witnessed a "sharp increase in threat actor activity" starting on January 11, 2024, after the shortcomings were publicly disclosed. "Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and...

The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as  dead drop resolvers , command-and-control, and data exfiltration points. "Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult," Recorded Future  said  in a report shared with The Hacker News. The cybersecurity firm described the approach as "living-off-trusted-sites" (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar. Prominent among the methods by which GitHub is  abused   relates  to  payload   delivery , with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, Reve...

Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as  APT29 , which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack  targeting SolarWinds  and its customers in 2020. "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S.  said . The vulnerability in question is  CVE-2023-42793  (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code exe...

Malware analysis encompasses a broad range of activities, including examining the malware's network traffic. To be effective at it, it's crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you'll need to address them. Decrypting HTTPS traffic Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure online communication, has become a tool for malware to conceal their malicious activities. By cloaking data exchange between infected devices and command-and-control (C&C) servers, malware can operate undetected, exfiltrating sensitive data, installing additional payloads, and receiving instructions from the operators. Yet, with the right tool, decrypting HTTPS traffic is an easy task. For this purpose, we can use a man-in-the-middle (MITM) proxy. The MITM proxy works as an intermediary between the client and the server, intercepting their communication. The MITM proxy aids analy...