#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

hacking news | Breaking Cybersecurity News | The Hacker News

Category — hacking news
THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 16-22)

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 16-22)

Sep 23, 2024 Cybersecurity / Cyber Threat
Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean from the past week. ⚡ Threat of the Week Raptor Train Botnet Dismantled: The U.S. government announced the takedown of the Raptor Train botnet controlled by a China-linked threat actor known as Flax Typhoon. The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America, Europe, Asia, Africa, and Oceania, and South America. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group. 🔔 Top News Lazarus Group's New Malware: The North Korea-linked cyber espionag
From Breach to Recovery: Designing an Identity-Focused Incident Response Playbook

From Breach to Recovery: Designing an Identity-Focused Incident Response Playbook

Sep 16, 2024 Identity Protection / Incident Response
Imagine this... You arrive at work to a chaotic scene. Systems are down, panic is in the air. The culprit? Not a rogue virus, but a compromised identity. The attacker is inside your walls, masquerading as a trusted user. This isn't a horror movie, it's the new reality of cybercrime. The question is, are you prepared? Traditional incident response plans are like old maps in a new world. They focus on malware and network breaches, but today's criminals are after your identities. Stolen credentials, and weak access points - these are the keys to your kingdom. While there's a playbook for handling malware outbreaks, the 'identity' chapter is often missing. Organizations struggle to identify compromised accounts and stop attackers from moving laterally within their systems. The result? A breach that spirals out of control, causing massive damage. The Solution: An Identity-Focused Incident Response Playbook This isn't just another security buzzword, it'
How to Get Going with CTEM When You Don't Know Where to Start

How to Get Going with CTEM When You Don't Know Where to Start

Oct 04, 2024Vulnerability Management / Security Posture
Continuous Threat Exposure Management (CTEM) is a strategic framework that helps organizations continuously assess and manage cyber risk. It breaks down the complex task of managing security threats into five distinct stages: Scoping, Discovery, Prioritization, Validation, and Mobilization. Each of these stages plays a crucial role in identifying, addressing, and mitigating vulnerabilities - before they can be exploited by attackers.  On paper, CTEM sounds great . But where the rubber meets the road – especially for CTEM neophytes - implementing CTEM can seem overwhelming. The process of putting CTEM principles into practice can look prohibitively complex at first. However, with the right tools and a clear understanding of each stage, CTEM can be an effective method for strengthening your organization's security posture.  That's why I've put together a step-by-step guide on which tools to use for which stage. Want to learn more? Read on… Stage 1: Scoping  When you're defin
Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware

Pro-Houthi Group Targets Yemen Aid Organizations with Android Spyware

Jul 19, 2024 Malware / Mobile Security
A suspected pro-Houthi threat group targeted at least three humanitarian organizations in Yemen with Android spyware designed to harvest sensitive information. These attacks, attributed to an activity cluster codenamed OilAlpha , entail a new set of malicious mobile apps that come with their own supporting infrastructure, Recorded Future's Insikt Group said . Targets of the ongoing campaign include, CARE International, the Norwegian Refugee Council (NRC), and the Saudi Arabian King Salman Humanitarian Aid and Relief Centre. "The OilAlpha threat group is highly likely active and executing targeted activity against humanitarian and human rights organizations operating in Yemen, and potentially throughout the Middle East," the cybersecurity company said. OilAlpha was first documented in May 2023 in connection with an espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula. These attacks leveraged What
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP

Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP

Jul 17, 2024 Vulnerability / Data Security
Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API. "Users are recommended to upgrade to version 1.3.0 with Java11 and enable the Auth system, which fixes the issue," the Apache Software Foundation noted in late April 2024. "Also you could enable the 'Whitelist-IP/port' function to improve the security of RESTful-API execution." Additional technical specifics about the flaw were released by penetration testing company SecureLayer7 in early June, stating it enables an attacker to bypass sandbox restrictions and achieve code execution, giving them complete control over a susceptible server. This week, the Shadowserver Foundat
Iranian Hackers Deploy New BugSleep Backdoor in Middle East Cyber Attacks

Iranian Hackers Deploy New BugSleep Backdoor in Middle East Cyber Attacks

Jul 16, 2024 Cyber Espionage / Network Security
The Iranian nation-state actor known as MuddyWater has been observed using a never-before-seen backdoor as part of a recent attack campaign, shifting away from its well-known tactic of deploying legitimate remote monitoring and management (RMM) software for maintaining persistent access. That's according to independent findings from cybersecurity firms Check Point and Sekoia, which have codenamed the malware strain BugSleep and MuddyRot , respectively. "Compared to previous campaigns, this time MuddyWater changed their infection chain and did not rely on the legitimate Atera remote monitoring and management tool (RRM) as a validator," Sekoia said in a report shared with The Hacker News. "Instead, we observed that they used a new and undocumented implant." Some elements of the campaign were first shared by Israeli cybersecurity company ClearSky on June 9, 2024. Targets include countries like Turkey, Azerbaijan, Jordan, Saudi Arabia, Israel, and Portugal.
Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan

Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan

Jun 04, 2024 Cyber Attack / Malware
Russian organizations are at the receiving end of cyber attacks that have been found to deliver a Windows version of a malware called Decoy Dog . Cybersecurity company Positive Technologies is tracking the activity cluster under the name Operation Lahat, attributing it to an advanced persistent threat (APT) group called HellHounds . "The Hellhounds group compromises organizations they select and gain a foothold on their networks, remaining undetected for years," security researchers Aleksandr Grigorian and Stanislav Pyzhov said . "In doing so, the group leverages primary compromise vectors, from vulnerable web services to trusted relationships." HellHounds was first documented by the firm in late November 2023 following the compromise of an unnamed power company with the Decoy Dog trojan. It's confirmed to have infiltrated 48 victims in Russia to date, including IT companies, governments, space industry firms, and telecom providers. There is evidence indi
Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

May 17, 2024 Cryptojacking / Malware
The cryptojacking group known as  Kinsing  has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The  findings  come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019. Kinsing (aka  H2Miner ), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was  first documented  by TrustedSec in January 2020. In recent years, campaigns involving the Golang-based malware have weaponized  various flaws  in  Apache ActiveMQ ,  Apache Log4j ,  Apache NiFi ,  Apache Tomcat ,  Atlassian Confluence ,  Citrix ,  Liferay Portal ,  Linux ,  Openfire ,  Oracle WebLogic Server , and  SaltStack  to breach vulnerable systems. Other methods have also invol
Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

May 17, 2024 Linux / Malware
The  Kimsuky  (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations. The backdoor, codenamed  Gomir , is "structurally almost identical to GoBear, with extensive sharing of code between malware variants," the Symantec Threat Hunter Team, part of Broadcom,  said  in a new report. "Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir." GoBear was  first documented  by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered a malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed. A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed via t
FBI Seizes BreachForums Again, Urges Users to Report Criminal Activity

FBI Seizes BreachForums Again, Urges Users to Report Criminal Activity

May 15, 2024 Data Breach / Cyber Crime
Law enforcement agencies have officially seized control of the notorious  BreachForums  platform, an online bazaar known for peddling stolen data, for the second time within a year. The website ("breachforums[.]st") has been replaced by a seizure banner stating the clearnet cybercrime forum is under the control of the U.S. Federal Bureau of Investigation (FBI).  The operation is the result of a collaborative effort from authorities in Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine. The FBI has also taken control of the  Telegram channel  operated by Baphomet, who became the administrator of the forum following the  arrest  of his predecessor Conor Brian Fitzpatrick (aka  pompompurin ) in March last year. It's worth noting a prior iteration of BreachForums, hosted at breached.vc/.to/.co and managed by pompompurin, was seized by law enforcement in late June 2023. "This Telegram chat is under the control of the FBI," a message
VMware Patches Severe Security Flaws in Workstation and Fusion Products

VMware Patches Severe Security Flaws in Workstation and Fusion Products

May 14, 2024 Bluetooth / Vulnerability
Multiple security flaws have been  disclosed  in VMware Workstation and Fusion products that could be exploited by threat actors to access sensitive information, trigger a denial-of-service (DoS) condition, and execute code under certain circumstances. The four vulnerabilities impact Workstation versions 17.x and Fusion versions 13.x, with fixes available in version 17.5.2 and 13.5.2, respectively, the Broadcom-owned virtualization services provider said. A brief description of each of the flaws is below - CVE-2024-22267  (CVSS score: 9.3) - A use-after-free vulnerability in the Bluetooth device that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host CVE-2024-22268  (CVSS score: 7.1) - A heap buffer-overflow vulnerability in the Shader functionality that could be exploited by a malicious actor with non-administrative access to a virtual machine with 3D gr
Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)

Google Simplifies 2-Factor Authentication Setup (It's More Important Than Ever)

May 07, 2024 Online Security / Data Breach
Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts. Also called 2-Step Verification ( 2SV ), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen. The new change entails adding a second step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need for using the less secure SMS-based authentication. "This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps)," the company  said . "Previously, users had to enable 2SV with a phone number before being able to add Authenticator." Users with hardware security keys have two options to add them to their accounts, including by registering a FIDO1 credential on the hardware key or by assigning a passkey (i.e., a F
China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

May 06, 2024 Network Security / Malware
The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to  new findings  from attack surface management firm Censys. Dubbed  ArcaneDoor , the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim detected in early January 2024. The targeted attacks, orchestrated by a previously undocumented and suspected sophisticated state-sponsored actor tracked as  UAT4356  (aka Storm-1849), entailed the deployment of two custom malware dubbed Line Runner and Line Dancer. The initial access pathway used to facilitate the intrusions has yet to be discovered, although the adversary has been observed leveraging two now-patched flaws in Cisco Adaptive Security Appliances ( CVE-2024-20353  and  CVE-2024-20359 ) to persist Line Runner. Telemetry data gathered as part of the investigation has revealed the threat actor&
Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

Apr 13, 2024
Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company's Unit 42 division is  tracking  the activity under the name  Operation MidnightEclipse , attributing it as the work of a single threat actor of unknown provenance. The security vulnerability, tracked as  CVE-2024-3400  (CVSS score: 10.0), is a command injection flaw that enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall. It's worth noting that the issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewall configurations that have GlobalProtect gateway and device telemetry enabled. Operation MidnightEclipse entails the exploitation of the flaw to create a cron job that runs every minute to fetch commands hosted on an external server ("172.233.228[
10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet

Apr 09, 2024 Botnet / Crypto Mining
A threat group of suspected Romanian origin called  RUBYCARP  has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks. The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News. "Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks," the cloud security firm said . "This group communicates via public and private IRC networks." Evidence  gathered  so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw , which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net. "These phishing emails often lure victims into revealing sensitive i
U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation

U.S. Charges 7 Chinese Nationals in Major 14-Year Cyber Espionage Operation

Mar 26, 2024 Cyber Espionage / Malware
The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years. The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).  The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as  APT31 , which is also known as Altaire,  Bronze Vinewood , Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been  active since at least 2010 . Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors no
Ukraine Arrests Trio for Hijacking Over 100 Million Email and Instagram Accounts

Ukraine Arrests Trio for Hijacking Over 100 Million Email and Instagram Accounts

Mar 20, 2024 Cybercrime / Dark Web
The Cyber Police of Ukraine has  arrested  three individuals on suspicion of hijacking more than 100 million emails and Instagram accounts from users across the world. The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison. The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members. The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums. Other threat actors who purchased the information used the compromised accounts to conduct a variety of  fraudulent schemes , including those in which scammers reach out to the victim's friends to urgently transfer money to their bank account. "You can protect
Expert Insights / Articles Videos
Cybersecurity Resources