#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

hacking news | Breaking Cybersecurity News | The Hacker News

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking
May 17, 2024 Cryptojacking / Malware
The cryptojacking group known as  Kinsing  has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The  findings  come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019. Kinsing (aka  H2Miner ), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was  first documented  by TrustedSec in January 2020. In recent years, campaigns involving the Golang-based malware have weaponized  various flaws  in  Apache ActiveMQ ,  Apache Log4j ,  Apache NiFi ,  Apache Tomcat ,  Atlassian Confluence ,  Citrix ,  Liferay Portal ,  Linux ,  Openfire ,  Oracle WebLogic Server , and  SaltStack  to breach vulnerable systems. Other methods have also invol

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks
May 17, 2024 Linux / Malware
The  Kimsuky  (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations. The backdoor, codenamed  Gomir , is "structurally almost identical to GoBear, with extensive sharing of code between malware variants," the Symantec Threat Hunter Team, part of Broadcom,  said  in a new report. "Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir." GoBear was  first documented  by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered a malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed. A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed via t

FBI Seizes BreachForums Again, Urges Users to Report Criminal Activity

FBI Seizes BreachForums Again, Urges Users to Report Criminal Activity
May 15, 2024 Data Breach / Cyber Crime
Law enforcement agencies have officially seized control of the notorious  BreachForums  platform, an online bazaar known for peddling stolen data, for the second time within a year. The website ("breachforums[.]st") has been replaced by a seizure banner stating the clearnet cybercrime forum is under the control of the U.S. Federal Bureau of Investigation (FBI).  The operation is the result of a collaborative effort from authorities in Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine. The FBI has also taken control of the  Telegram channel  operated by Baphomet, who became the administrator of the forum following the  arrest  of his predecessor Conor Brian Fitzpatrick (aka  pompompurin ) in March last year. It's worth noting a prior iteration of BreachForums, hosted at breached.vc/.to/.co and managed by pompompurin, was seized by law enforcement in late June 2023. "This Telegram chat is under the control of the FBI," a message

Protecting Your Organization From Insider Threats - All You Need to Know

cyber security
websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.

What's the Right EDR for You?

What's the Right EDR for You?
May 10, 2024Endpoint Security / Threat Detection
A guide to finding the right endpoint detection and response (EDR) solution for your business' unique needs. Cybersecurity has become an ongoing battle between hackers and small- and mid-sized businesses. Though perimeter security measures like antivirus and firewalls have traditionally served as the frontlines of defense, the battleground has shifted to endpoints. This is why endpoint detection and response (EDR) solutions now serve as critical weapons in the fight, empowering you and your organization to detect known and unknown threats, respond to them quickly, and extend the cybersecurity fight across all phases of an attack.  With the growing need to defend your devices from today's cyber threats, however, choosing the right EDR solution can be a daunting task. There are so many options and features to choose from, and not all EDR solutions are made with everyday businesses and IT teams in mind. So how do you pick the best solution for your needs? Why EDR Is a Must Because of

VMware Patches Severe Security Flaws in Workstation and Fusion Products

VMware Patches Severe Security Flaws in Workstation and Fusion Products
May 14, 2024 Bluetooth / Vulnerability
Multiple security flaws have been  disclosed  in VMware Workstation and Fusion products that could be exploited by threat actors to access sensitive information, trigger a denial-of-service (DoS) condition, and execute code under certain circumstances. The four vulnerabilities impact Workstation versions 17.x and Fusion versions 13.x, with fixes available in version 17.5.2 and 13.5.2, respectively, the Broadcom-owned virtualization services provider said. A brief description of each of the flaws is below - CVE-2024-22267  (CVSS score: 9.3) - A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host CVE-2024-22268  (CVSS score: 7.1) - A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D gr

Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)

Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)
May 07, 2024 Online Security / Data Breach
Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts. Also called 2-Step Verification ( 2SV ), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen. The new change entails adding a second step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need for using the less secure SMS-based authentication. "This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps)," the company  said . "Previously, users had to enable 2SV with a phone number before being able to add Authenticator." Users with hardware security keys have two options to add them to their accounts, including by registering a FIDO1 credential on the hardware key or by assigning a passkey (i.e., a F

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices
May 06, 2024 Network Security / Malware
The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to  new findings  from attack surface management firm Censys. Dubbed  ArcaneDoor , the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim detected in early January 2024. The targeted attacks, orchestrated by a previously undocumented and suspected sophisticated state-sponsored actor tracked as  UAT4356  (aka Storm-1849), entailed the deployment of two custom malware dubbed Line Runner and Line Dancer. The initial access pathway used to facilitate the intrusions has yet to be discovered, although the adversary has been observed leveraging two now-patched flaws in Cisco Adaptive Security Appliances ( CVE-2024-20353  and  CVE-2024-20359 ) to persist Line Runner. Telemetry data gathered as part of the investigation has revealed the threat actor&

Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
Apr 13, 2024
Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company's Unit 42 division is  tracking  the activity under the name  Operation MidnightEclipse , attributing it as the work of a single threat actor of unknown provenance. The security vulnerability, tracked as  CVE-2024-3400  (CVSS score: 10.0), is a command injection flaw that enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall. It's worth noting that the issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations that have GlobalProtect gateway and device telemetry enabled. Operation MidnightEclipse entails the exploitation of the flaw to create a cron job that runs every minute to fetch commands hosted on an external server ("172.233.228[

10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet
Apr 09, 2024 Botnet / Crypto Mining
A threat group of suspected Romanian origin called  RUBYCARP  has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks. The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News. "Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks," the cloud security firm said . "This group communicates via public and private IRC networks." Evidence  gathered  so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw , which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net. "These phishing emails often lure victims into revealing sensitive i

U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation

U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation
Mar 26, 2024 Cyber Espionage / Malware
The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years. The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).  The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as  APT31 , which is also known as Altaire,  Bronze Vinewood , Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been  active since at least 2010 . Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors no

Ukraine Arrests Trio for Hijacking Over 100 Million Email and Instagram Accounts

Ukraine Arrests Trio for Hijacking Over 100 Million Email and Instagram Accounts
Mar 20, 2024 Cybercrime / Dark Web
The Cyber Police of Ukraine has  arrested  three individuals on suspicion of hijacking more than 100 million emails and Instagram accounts from users across the world. The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison. The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members. The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums. Other threat actors who purchased the information used the compromised accounts to conduct a variety of  fraudulent schemes , including those in which scammers reach out to the victim's friends to urgently transfer money to their bank account. "You can protect

New APT Group 'Lotus Bane' Behind Recent Attacks on Vietnam's Financial Entities

New APT Group 'Lotus Bane' Behind Recent Attacks on Vietnam's Financial Entities
Mar 06, 2024 Cyber Attack / Malware
A financial entity in Vietnam was the target of a previously undocumented threat actor called  Lotus Bane  as part of a cyber attack that was first detected in March 2023. Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that's believed to have been active since at least 2022. The exact specifics of the infection chain remain unknown as yet, but it involves the use of various malicious artifacts that serve as the stepping stone for the next-stage. "The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement," the company  said . Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with that of  OceanLotus , a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This stems from the use of malware like PIPEDANCE for named pipes co

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks
Feb 22, 2024 Network Security / Penetration Testing
A recently open-sourced network mapping tool called  SSH-Snake  has been repurposed by threat actors to conduct malicious activities. "SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández  said . "The worm automatically searches through known credential locations and shell history files to determine its next move." SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a "powerful tool" to carry out  automatic network traversal  using SSH private keys discovered on systems. In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports  resolution of domains  which have multiple IPv4 addresses. "It's comp

Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries

Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries
Feb 19, 2024 Malware / Mobile Security
The Android banking trojan known as  Anatsa  has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023. "Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play's enhanced detection and protection mechanisms," ThreatFabric  said  in a report shared with The Hacker News. "All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13." The campaign, in total, involves five droppers with more than 100,000 total installations. Also known by the name TeaBot and Toddler, Anatsa is known to be distributed under the guise of seemingly innocuous apps on the Google Play Store. These apps, called droppers, facilitate the installation of the malware by circumventing security measures imposed by Google that seek to grant sensitive permissions. In June 2023, the Dutch mobile security firm

MoqHao Android Malware Evolves with Auto-Execution Capability

MoqHao Android Malware Evolves with Auto-Execution Capability
Feb 09, 2024 Mobile Security / Cyber Threat
Threat hunters have identified a new variant of Android malware called  MoqHao  that automatically executes on infected devices without requiring any user interaction. "Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs  said  in a report published this week. "While the app is installed, their malicious activity starts automatically." The campaign's targets include Android users located in France, Germany, India, Japan, and South Korea. MoqHao, also called Wroba and XLoader (not to be confused with the  Windows and macOS malware  of the same name), is an Android-based mobile threat that's associated with a Chinese financially motivated cluster dubbed  Roaming Mantis  (aka Shaoye). Typical  attack chains  commence with package delivery-themed SMS messages bearing fraudulent links that, when clicked from Android devices, lead to the deployment of the malware b

Hands-On Review: SASE-based XDR from Cato Networks

Hands-On Review: SASE-based XDR from Cato Networks
Feb 05, 2024 Extended Detection and Response
Companies are engaged in a seemingly endless cat-and-mouse game when it comes to cybersecurity and cyber threats. As organizations put up one defensive block after another, malicious actors kick their game up a notch to get around those blocks. Part of the challenge is to coordinate the defensive abilities of disparate security tools, even as organizations have limited resources and a dearth of skilled cybersecurity experts. XDR, or Extended Detection and Response, addresses this challenge. XDR platforms correlate indicators from across security domains to detect threats and then provide the tools to remediate incidents.  While XDR has many benefits, legacy approaches have been hampered by the lack of good-quality data. You might end up having a very good view of a threat from events generated by your EPP/EDR system but lack events about the network perspective (or vice versa). XDR products will import data from third-party sensors, but data comes in different formats. The XDR platf
Expert Insights
Cybersecurity Resources