The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: hacking news

PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.

PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.
August 02, 2021Ravie Lakshmanan
Cybersecurity researchers on Monday disclosed a set of nine vulnerabilities known as " PwnedPiper " that left a widely-used pneumatic tube system (PTS) vulnerable to critical attacks, including a possibility of complete takeover. The security weaknesses, disclosed by American cybersecurity firm Armis, impact the Translogic PTS system by Swisslog Healthcare, which is installed in about 80% of all major hospitals in North America and in no fewer than 3,000 hospitals worldwide. "These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital," Armis researchers Ben Seri and Barak Hadad said. "This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information." Pneumatic tube systems are internal logistics and transport solutions that are used to transport blood s

New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits

New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits
August 02, 2021Ravie Lakshmanan
A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services ( IIS ) servers to infiltrate their networks. Israeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker "Praying Mantis" or "TG2021." "TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers  said . "The threat actor also uses an additional stealthy backdoor and several post-exploitations modules to perform network reconnaissance, elevate privileges, and move laterally within networks."  Besides exhibiting capabilities

PyPI Python Package Repository Patches Critical Supply Chain Flaw

PyPI Python Package Repository Patches Critical Supply Chain Flaw
August 02, 2021Ravie Lakshmanan
The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were  discovered  and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the  Homebrew Cask repository  and Cloudflare's  CDNJS library . He was awarded a total of $3,000 as part of the bug bounty program. The list of three vulnerabilities is as follows - Vulnerability in Legacy Document Deletion on PyPI  - An exploitable vulnerability in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI, which would allow an attacker to remove documentation for projects not under their control. Vulnerability in Role Deletion on PyPI  - An exploitable vulnerability in the mechanisms for deleting roles on PyPI was discovered by a security researcher

Solarmarker InfoStealer Malware Once Again Making its Way Into the Wild

Solarmarker InfoStealer Malware Once Again Making its Way Into the Wild
August 02, 2021Ravie Lakshmanan
Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what's a "highly modular" .NET-based information stealer and keylogger, charting the course for the threat actor's continued evolution while simultaneously remaining under the radar. Dubbed " Solarmarker ," the malware campaign is believed to be active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. "At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft," Talos researchers Andrew Windsor and Chris Neal  said  in a technical write-up published last week. Infections consist of multiple moving parts, chief among them being a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and fur

Experts Uncover Several C&C Servers Linked to WellMess Malware

Experts Uncover Several C&C Servers Linked to WellMess Malware
July 30, 2021Ravie Lakshmanan
Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign. More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ  said  in a report shared with The Hacker News. APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the  mastermind behind the massive SolarWinds supply chain attack  that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April. The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and

Several Malicious Typosquatted Python Libraries Found On PyPI Repository

Several Malicious Typosquatted Python Libraries Found On PyPI Repository
July 30, 2021Ravie Lakshmanan
As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks. "Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks," JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe  said  Thursday. PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like  pip  relying on it as the default source for packages and their dependencies. The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below - pytagora (uploaded by leonora123) pytagora2 (upl

A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System

A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System
July 30, 2021Ravie Lakshmanan
A cyber attack that derailed websites of Iran's transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called "Meteor." The campaign — dubbed " MeteorExpress " — has not been linked to any previously identified threat group or to additional attacks, making it the first incident involving the deployment of this malware, according to researchers from Iranian antivirus firm  Amn Pardaz  and SentinelOne. Meteor is believed to have been in the works over the past three years. "Despite a lack of specific indicators of compromise, we were able to recover most of the attack components," SentinelOne's Principal Threat Researcher, Juan Andres Guerrero-Saade, noted. "Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker," adding the offensive is "designed t

Phony Call Centers Tricking Users Into Installing Ransomware and Data-Stealers

Phony Call Centers Tricking Users Into Installing Ransomware and Data-Stealers
July 29, 2021Ravie Lakshmanan
An ongoing malicious campaign that employs phony call centers has been found to trick victims into downloading malware capable of data exfiltration as well as deploying ransomware on infected systems. The attacks — dubbed "BazaCall" — eschew traditional social engineering techniques that rely on rogue URLs and malware-laced documents in favor of a vishing-like method wherein targeted users are sent email messages informing them of a forthcoming subscription charge unless they call a specific phone number. By tricking the recipients into calling the number, the unsuspecting victims are connected with an actual human operator at a fraudulent call center, who then provides them with instructions to download the BazaLoader malware. BazaLoader (aka BazarBackdoor) is a C++-based downloader with the ability to install various types of malicious programs on infected computers, including deploying ransomware and other malware to steal sensitive data from victimized systems. First

New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums

New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums
July 29, 2021Ravie Lakshmanan
Two new ransomware-as-service (RaaS) programs have appeared on the threat radar this month, with one group professing to be a successor to  DarkSide  and  REvil , the two infamous ransomware syndicates that went off the grid following major attacks on Colonial Pipeline and Kaseya over the past few months. "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit," the operators behind the new BlackMatter group said in their darknet public blog, making promises to not strike organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government sectors. According to Flashpoint, the BlackMatter threat actor registered an account on Russian-language forums XSS and Exploit on July 19, quickly following it up with a post stating they are looking to purchase access to infected corporate networks comprising anywhere between 500 and 15,000 hosts in the U.S., Canada, Australia, and the U.

Best Practices to Thwart Business Email Compromise (BEC) Attacks

Best Practices to Thwart Business Email Compromise (BEC) Attacks
July 29, 2021The Hacker News
Business email compromise (BEC) refers to all types of email attacks that do not have payloads. Although there are numerous types, there are essentially two main mechanisms through which attackers penetrate organizations utilizing BEC techniques, spoofing and account take-over attacks. In a recent  study , 71% of organizations acknowledged they had seen a business email compromise (BEC) attack during the past year. Forty-three percent of organizations experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of the incidents. The  FBI's Internet Crime Complaint Center  (IC3) reports that BEC scams were the most expensive of cyberattacks in 2020, with 19,369 complaints and adjusted losses of approximately $1.8 billion. Recent BEC attacks include spoofing attacks on Shark Tank Host Barbara Corcoran, who lost  $380,000 ; the Puerto Rican government attacks that amounted to $4 million, and Japanese media giant, Nikkei

New Android Malware Uses VNC to Spy and Steal Passwords from Victims

New Android Malware Uses VNC to Spy and Steal Passwords from Victims
July 29, 2021Ravie Lakshmanan
A previously undocumented Android-based remote access trojan (RAT) has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud. Dubbed "Vultur" due to its use of Virtual Network Computing (VNC)'s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named "Protection Guard," attracting over 5,000 installations. Banking and crypto-wallet apps from entities located in Italy, Australia, and Spain were the primary targets. "For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric  said  in a write-up shared with The Hacker News. "The actors chose to steer away from the commo

Top 30 Critical Security Vulnerabilities Most Exploited by Hackers

Top 30 Critical Security Vulnerabilities Most Exploited by Hackers
July 29, 2021Ravie Lakshmanan
Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage. "Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide," the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI)  noted . "However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system." The top 30 vulnerabilities span a wide range of software, including remote work, virtual pri

UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild

UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild
July 28, 2021Ravie Lakshmanan
An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021. Italy's CERT-AGID, in late January, disclosed details about  Oscorp , a mobile malware developed to attack multiple financial targets with the goal of stealing funds from unsuspecting victims. Its features include the ability to intercept SMS messages and make phone calls, and carry out overlay attacks for more than 150 mobile applications by making use of lookalike login screens to siphon valuable data. The malware was distributed through malicious SMS messages, with the attacks often conducted in real-time by posing as bank operators to dupe targets over the phone and surreptitiously gain access to the infected device via WebRTC protocol and ultimately conduct unauthorized bank transfers. While no new activities were reported since then, it a

Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers

Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers
July 28, 2021Ravie Lakshmanan
A Chinese cyberespionage group known for targeting Southeast Asia leveraged flaws in the Microsoft Exchange Server that came to light earlier this March to deploy a previously undocumented variant of a remote access trojan (RAT) on compromised systems. Attributing the intrusions to a threat actor named  PKPLUG  (aka  Mustang Panda  and HoneyMyte), Palo Alto Networks' Unit 42 threat intelligence team said it identified a new version of the modular PlugX malware, called Thor, that was delivered as a post-exploitation tool to one of the breached servers. Dating back to as early as 2008,  PlugX  is a fully-featured second-stage implant with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote command shell. "The variant observed [...] is unique in that it contains a change to its core source code: the replacement of its trademark word 'PLUG' to 'THOR,'" Unit 42 researchers Mike Harbison an

Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees

Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees
July 28, 2021Ravie Lakshmanan
An Iranian cyberespionage group masqueraded as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware as part of a years-long social engineering and targeted malware campaign. Enterprise security firm Proofpoint attributed the covert operation to a state-aligned threat actor it tracks as TA456, and by the wider cybersecurity community under the monikers Tortoiseshell and Imperial Kitten. "Using the social media persona 'Marcella Flores,' TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor," Proofpoint  said  in a report shared with The Hacker News. "In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain." Earlier this month, Facebook  revealed  it took steps to dismantle a &quo

New Bug Could Let Attackers Hijack Zimbra Server by Sending Malicious Email

New Bug Could Let Attackers Hijack Zimbra Server by Sending Malicious Email
July 27, 2021Ravie Lakshmanan
Cybersecurity researchers have discovered multiple security vulnerabilities in Zimbra email collaboration software that could be potentially exploited to compromise email accounts by sending a malicious message and even achieve a full takeover of the mail server when hosted on a cloud infrastructure. The flaws — tracked as CVE-2021-35208 and CVE-2021-35208 — were discovered and reported in Zimbra 8.8.15 by researchers from code quality and security solutions provider SonarSource in May 2021. Mitigations have since been  released  in Zimbra versions 8.8.15 Patch 23 and 9.0.0 Patch 16. CVE-2021-35208  (CVSS score: 5.4) - Stored XSS Vulnerability in ZmMailMsgView.java CVE-2021-35209  (CVSS score: 6.1) - Proxy Servlet Open Redirect Vulnerability "A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization,"  said  SonarSource vulnerability researcher, Simon Scannell, who identif

Several Bugs Found in 3 Open-Source Software Used by Several Businesses

Several Bugs Found in 3 Open-Source Software Used by Several Businesses
July 27, 2021Ravie Lakshmanan
Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects —  EspoCRM ,  Pimcore , and  Akaunting  — that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks. All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7  noted. Six of the nine flaws were uncovered in the Akaunting project. EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, on the other hand, is an open-source and online accounting software designed for invoice and exp

Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems

Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems
July 26, 2021Ravie Lakshmanan
An infamous cross-platform crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by setting its sights on older vulnerabilities, while simultaneously latching on to a variety of spreading mechanisms to maximize the effectiveness of its campaigns. "LemonDuck, an actively updated and robust malware that's primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations," Microsoft  said  in a technical write-up published last week. "Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity." The malware is notorious for its ability to propagate rapidly across an infected network to facilitate information theft an
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.