The Hacker News - Cybersecurity News and Analysis: hacking news

Google's Threat Analysis Group (TAG) on Thursday  said  it's tracking more than 270 government-backed threat actors from more than 50 countries, adding it has approximately sent 50,000 alerts of state-sponsored phishing or malware attempts to customers since the start of 2021. The warnings mark a 33% increase from 2020, the internet giant said, with the spike largely  stemming  from "blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear." Additionally, Google said it disrupted a number of campaigns mounted by an Iranian state-sponsored attacker group tracked as  APT35  (aka Charming Kitten, Phosphorous, or Newscaster), including a sophisticated social engineering attack dubbed "Operation SpoofedScholars" aimed at think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS). Details of th

A large-scale unauthenticated scraping of publicly available and non-secured endpoints from older versions of Prometheus event monitoring and alerting solution could be leveraged to inadvertently leak sensitive information, according to the latest research. "Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven't yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label dat," JFrog researchers Andrey Polkovnychenko and Shachar Menashe  said  in a report. Prometheus  is an open-source system monitoring and alerting toolkit used to collect and process metrics from different endpoints, alongside enabling easy observation of software metrics such as memory usage, network usage, and software-specific defined metrics, such as the number of failed logins to a web application. Support for Transport

The Software-as-a-service (SaaS) industry has gone from novelty to an integral part of today's business world in just a few years. While the benefits to most organizations are clear – more efficiency, greater productivity, and accessibility – the risks that the SaaS model poses are starting to become visible. It's not an overstatement to say that most companies today run on SaaS. This poses an increasing challenge to their security teams.  A new guide from XDR and SSPM provider Cynet, titled The Guide for Reducing SaaS Applications Risk for Lean IT Security Teams ( download here ), breaks down exactly why SaaS ecosystems are so risky, and how security teams can mitigate those dangers.  Today, the average midsize company uses 185 SaaS apps. What this means is that the number of app-to-person connections has risen exponentially. Most midsize companies have nearly 4,406 touch points, creating an attack surface that requires significant resources to simply monitor. The risk of a digital

Microsoft on Tuesday rolled out  security patches  to contain a total of 71 vulnerabilities in Microsoft Windows and other software, including a fix for an actively exploited privilege escalation vulnerability that could be exploited in conjunction with remote code execution bugs to take control over vulnerable systems. Two of the addressed security flaws are rated Critical, 68 are rated Important, and one is rated Low in severity, with three of the issues listed as publicly known at the time of the release. The four zero-days are as follows — CVE-2021-40449  (CVSS score: 7.8) - Win32k Elevation of Privilege Vulnerability CVE-2021-41335  (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability CVE-2021-40469  (CVSS score: 7.2) - Windows DNS Server Remote Code Execution Vulnerability CVE-2021-41338  (CVSS score: 5.5) - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability At the top of the list is CVE-2021-40449, a use-after-free vulnerability

Microsoft on Monday revealed that its Azure cloud platform mitigated a 2.4 Tbps distributed denial-of-service (DDoS) attack in the last week of August targeting an unnamed customer in Europe, surpassing a  2.3 Tbps attack  stopped by Amazon Web Services in February 2020. "This is 140 percent higher than  2020's 1 Tbps attack  and higher than any network volumetric event previously detected on Azure," Amir Dahan, senior program manager for Azure Networking,  said  in a post, calling it a " UDP reflection " lasting for about 10 minutes. Reflected amplification attacks are a type of denial of service attacks wherein a threat actor takes advantage of the connectionless nature of UDP protocol with spoofed requests so as to overwhelm a target server or network with a flood of packets, causing disruption or rendering the server and its surrounding infrastructure unavailable. The attack is said to have originated from a botnet of approximately 70,000 compromised d

An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting US, EU, and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East. Microsoft is tracking the hacking crew under the moniker DEV-0343 . The intrusions, which were first observed in late July 2021, are believed to have targeted more than 250 Office 365 tenants, fewer than 20 of which were successfully compromised following a  password spray  attack — a type of brute force attack wherein the same password is cycled against different usernames to log into an application or a network in an effort to avoid account lockouts. Indications thus far allude to the possibility that the activity is part of an intellectual property theft campaign aimed at government partners producing military-grade radars, drone technology

Apple on Monday released a security update for iOS and iPad to address a critical vulnerability that it says is being exploited in the wild, making it the 17th zero-day flaw the company has addressed in its products since the start of the year.' The weakness, assigned the identifier  CVE-2021-30883 , concerns a memory corruption issue in the "IOMobileFrameBuffer" component that could allow an application to execute arbitrary code with kernel privileges. Crediting an anonymous researcher for reporting the vulnerability, Apple said it's "aware of a report that this issue may have been actively exploited." Technical specifics about the flaw and the nature of the attacks remain unavailable as yet, as is the identity of the threat actor, so as to allow a majority of the users to apply the patch and prevent other adversaries from weaponizing the vulnerability. The iPhone maker said it addressed the issue with improved memory handling. Security researcher Saar

A prominent Togolese human rights defender has been targeted with spyware by a threat actor known for striking victims in South Asia, marking the hacking group's first foray into digital surveillance in Africa. Amnesty International tied the covert attack campaign to a collective tracked as " Donot Team " (aka APT-C-35), which has been linked to cyber offensives in India and Pakistan, while also identifying apparent evidence coupling the group's infrastructure to an Indian company called Innefu Labs. The unnamed activist is believed to have targeted over a period of two months starting in December 2019 with the help of fake Android applications and spyware-loaded emails. "The persistent attacks over WhatsApp and email tried to trick the victim into installing a malicious application that masqueraded as a secure chat application," Amnesty International  said  in a report published last week. "The application was in fact a piece of custom Android spywa

Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access to its operators, in addition to amassing credentials and function as a proxy server. The malware family, dubbed " FontOnLake " by Slovak cybersecurity firm ESET, is said to feature "well-designed modules" that are continuously being upgraded with a broad range of abilities, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions utilizing this threat have been happening as early as May 2020. Avast  and  Lacework Labs  are tracking the same malware under the moniker HCRootkit. "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," ESET researcher Vladislav Hrčka  said . "To collect data or condu

The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an "incomplete fix" for an  actively exploited  path traversal and remote code execution flaw that it patched earlier this week. CVE-2021-42013 , as the new vulnerability is identified as, builds upon  CVE-2021-41773 , a flaw that impacts Apache web servers running version 2.4.49 and involves a  path normalization  bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server. Although the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the "mod_cgi" module was loaded and the configuration "require all denied" was absent, prompting Apache to issue another round of emergency updates. "It was found that the fix for CVE-2021-41773 in Apache HTT

The U.S. government on Wednesday announced the formation of a new Civil Cyber-Fraud Initiative that aims to hold contractors accountable for failing to meet required cybersecurity requirements in order to safeguard public sector information and infrastructure. "For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,"  said  Deputy Attorney General Monaco in a press statement. "Well that changes today, [and] we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk." The Civil Cyber-Fraud Initiative is part of the U.S. Justice Department's (DoJ) efforts to build resilience against cybersecurity intrusions and holding companies to task for deliberately providing deficient cybersecurity products or

Details have emerged about a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East, with the goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology while remaining in the dark and successfully evading security solutions. Boston-based cybersecurity company Cybereason dubbed the attacks " Operation Ghostshell ," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," researchers Tom Fak

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday  released  an advisory regarding multiple security vulnerabilities affecting all versions of Honeywell Experion Process Knowledge System C200, C200E, C300, and ACE controllers that could be exploited to achieve remote code execution and denial-of-service (DoS) conditions. "A Control Component Library (CCL) may be modified by a bad actor and loaded to a controller such that malicious code is executed by the controller," Honeywell  noted  in an independent security notification published earlier this February. Credited with discovering and reporting the flaws are Rei Henigman and Nadav Erez of industrial cybersecurity firm Claroty. Experion Process Knowledge System (PKS) is a distributed control system ( DCS ) that's designed to control large industrial processes spanning a variety of sectors ranging from petrochemical refineries to nuclear power plants where high reliability and security is imp

Chinese cyber espionage group APT41 has been linked to seemingly disparate malware campaigns, according to fresh research that has mapped together additional parts of the group's network infrastructure to hit upon a state-sponsored campaign that takes advantage of COVID-themed phishing lures to target victims in India.  "The image we uncovered was that of a state-sponsored campaign that plays on people's hopes for a swift end to the pandemic as a lure to entrap its victims," the BlackBerry Research and Intelligence team said in a report shared with The Hacker News. "And once on a user's machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic." APT41 (aka Barium or Winnti) is a moniker assigned to a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in conjunction with financially motivated operations for personal gain as far back as 2012. Calling the gro

A newly discovered data exfiltration mechanism employs Ethernet cables as a "transmitting antenna" to stealthily siphon highly-sensitive data from air-gapped systems, according to the latest research. "It's interesting that the wires that came to protect the air-gap become the vulnerability of the air gap in this attack," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, told The Hacker News. Dubbed " LANtenna Attack ," the novel technique enables malicious code in air-gapped computers to amass sensitive data and then encode it over radio waves emanating from Ethernet cables just as if they are antennas. The transmitted signals can then be intercepted by a nearby software-defined radio (SDR) receiver wirelessly, the data decoded, and sent to an attacker who is in an adjacent room. "Notably, the malicious code can run in an ordinary user-mode process and successful

A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks. Cybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang — referring to their chameleellonic capabilities, including disguising "its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google."  "To achieve their goal, the attackers used a trending penetration method—supply chain," the researchers  said  of one of the incidents investigated by the firm. "The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method […], the ChamelGang group was able to achieve its goal a

Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device's wallet. "An attacker only needs a stolen, powered on iPhone. The transactions could also be relayed from an iPhone inside someone's bag, without their knowledge," a group of academics from the University of Birmingham and University of Surrey  said . "The attacker needs no assistance from the merchant and backend fraud detection checks have not stopped any of our test payments." Express Travel  is a feature that allows users of iPhone and Apple Watch to make quick contactless payments for public transit without having to wake or unlock the device, open an app, or even validate with Face ID, Touch ID or a passcode. The man-in-the-middle ( MitM ) replay and  relay attack , which involves bypassing the lock screen to make a payment t

Google on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively zero-days plugged this month alone. The issues, designated as  CVE-2021-37975 and CVE-2021-37976 , are part of a total of four patches, and concern a  use-after-free flaw  in V8 JavaScript and WebAssembly engine as well as an information leak in core. As is usually the case, the tech giant has refrained from sharing any additional details regarding how these zero-day vulnerabilities were used in attacks so as to allow a majority of users to be updated with the patches, but noted that it's aware that "exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild." An anonymous researcher has been credited with reporting CVE-2021-37975. The discovery of CVE-2021-37976, on the other hand, involves Clément Lecigne from Google Threat Analysis Group, who was al

Cybersecurity researchers have disclosed an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potential adversaries could abuse to stage undetected brute-force attacks. "This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory ( Azure AD ) without generating sign-in events in the targeted organization's tenant," researchers from Secureworks Counter Threat Unit (CTU)  said  in a report published on Wednesday. Azure Active Directory is Microsoft's enterprise cloud-based identity and access management (IAM) solution designed for single sign-on (SSO) and multi-factor authentication. It's also a core component of Microsoft 365 (formerly Office 365), with capabilities to provide authentication to other applications via OAuth. The weakness resides in the  Seamless Single Sign-On  feature that allows employees to automatically sign in when using their corporate devices that

Cybersecurity researchers on Wednesday disclosed a previously undocumented backdoor likely designed and developed by the Nobelium advanced persistent threat (APT) behind last year's  SolarWinds supply chain attack , joining the threat actor's ever-expanding arsenal of hacking tools. Moscow-headquartered firm Kaspersky codenamed the malware " Tomiris ," calling out its similarities to another second-stage malware used during the campaign, SUNSHUTTLE (aka GoldMax), targeting the IT management software provider's Orion platform. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual. "While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims," Kaspersky researchers  said . "Evidence gathered so far indicates that Dark Halo spent si