hacking news | Breaking Cybersecurity News | The Hacker News

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show. Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as  Colibri loader  and  Warzone RAT . The attacks are said to be an expansion of the  same campaign  that previously distributed  DCRat  (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine. Sandworm is a  destructive Russian threat group  that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency. The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical s

Uber on Monday disclosed more details related to the  security incident  that happened last week, pinning the attack on a threat actor it believes is affiliated to the notorious LAPSUS$ hacking group. "This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company  said  in an update. The financially-motivated extortionist gang was dealt a huge blow in March 2022 when the City of London Police  moved to arrest  seven individuals aged between 16 and 21 for their alleged connections to the group. Two of those juvenile defendants are facing fraud charges. The hacker behind the Uber breach, an 18-year-old teenager who goes by the moniker Tea Pot, has also claimed responsibility for breaking into video game maker  Rockstar Games  over the weekend. Uber said it's working with "several leading digital forensics firms" as the com

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

American video game publisher Rockstar Games on Monday revealed it was a victim of a "network intrusion" that allowed an unauthorized party to illegally download early footage for the Grand Theft Auto VI. "At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects," the company  said  in a notice shared on its social media handles. The company said that the third-party accessed "confidential information from our systems," although it's not immediately clear if it involved any other data beyond the game footage. The trove of data, contains some 90 videos of clips from the game, leaked over the weekend on  GTAForums  by a user with an alias "teapotuberhacker," hinting that the party is also the same person responsible for the  recent Uber breach . The Uber hacker, who is going by the name  Tea Pot , is believed to be an 18-year-old teenager. No other de

Microsoft said it's tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems. "[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices," Microsoft Security Intelligence said in a sequence of tweets over the weekend. The tech giant's cybersecurity division is tracking the developing threat cluster under the name DEV-0796. Attack chains mounted by the adversary commence with an ISO file that's downloaded onto a victim's machine upon clicking on a malicious ad or comments on YouTube. The ISO file, when opened, is designed to install a browser node-webkit (aka  NW.js ) or rogue browser extension. It's worth noting that the  ISO file  masquerades as hacks and cheats for the Krunker first-person shooter game. Cheats are programs that help gamers gain an added advantage beyond the available capabili

Uber, in an update, said there is "no evidence" that users' private information was compromised in a breach of its internal computer systems that was discovered late Thursday. "We have no evidence that the incident involved access to sensitive user data (like trip history)," the company  said . "All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational." The ride-hailing company also said it's brought back online all the internal software tools it took down previously as a precaution, reiterating it's notified law enforcement of the matter. It's not immediately clear if the incident resulted in the theft of any other information or how long the intruder was inside Uber's network. Uber has not provided more specifics of how the incident played out beyond saying its investigation and response efforts are ongoing. But independent security researcher Bill Demirkapi characterized the company

Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI platform offered by a cybercriminal actor dubbed ruzki. "The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021," SEKOIA said. The cybersecurity firm said its investigations into the twin services led it to conclude that PrivateLoader is the proprietary loader of the ruzki PPI malware service. PrivateLoader, as the name implies, functions as a C++-based loader to download and deploy additional malicious payloads on infected Windows hosts. It's primarily distributed through SEO-optimized websites that claim to provide cracked software. Although it was  first documented  earlier this February by Intel471, it's said to have been put to use starting as early as May 2021. S

Ride hailing giant Uber  disclosed  Thursday it's responding to a cybersecurity incident involving a breach of its network and that it's in touch with law enforcement authorities. The New York Times first  reported  the incident.  The company pointed to its tweeted statement when asked for comment on the matter. The hack is said to have forced the company to take its internal communications and engineering systems offline as it investigated the extent of the breach. The publication said the malicious intruder compromised an employee's Slack account, and leveraged it to broadcast a message that the company had "suffered a data breach," in addition to listing internal databases that's supposed to have been compromised. "It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times said. Uber has yet to offer additional details abou

Gamers looking for cheats on YouTube are being targeted with links to rogue password-protected archive files designed to install crypto miners and information-stealing malware such as RedLine Stealer on compromised machines. "The videos advertise cheats and cracks and provide instructions on hacking popular games and software," Kaspersky security researcher Oleg Kupreev  said  in a new report published today. Games mentioned in the videos are APB Reloaded, CrossFire, DayZ, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Sniper Elite, and Spider-Man, among others. Downloading the self-extracting RAR archive leads to the execution of Redline Stealer, a coin miner, as well as a number of other binaries that enable the bundle's self-propagation. Specifically, this is achieved by means of an open-source C#-based password stealer that's capable of extracting cookies from browsers, which is then used by the operators to gain un

An ongoing espionage campaign operated by the Russia-linked Gamaredon group is targeting employees of Ukrainian government, defense, and law enforcement agencies with a piece of custom-made information stealing malware. "The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine," Cisco Talos researchers Asheer Malhotra and Guilherme Venere  said  in a technical write-up shared with The Hacker News. "LNK files, PowerShell, and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase." Active since 2013, Gamaredon – also known as Actinium, Armageddon, Primitive Bear, Shuckworm, and Trident Ursa – has been linked to numerous attacks aimed at Ukrainian entities in the aftermath of Russia's military invasion of Ukraine in late February 2022. The targeted phishing operation, observed as recently as August 2022, also follows similar intrusions  uncovered  by Symantec last month in

A threat actor tracked under the moniker Webworm is taking advantage of bespoke variants of already existing Windows-based remote access trojans to fly under the radar, some of which are said to be in pre-deployment or testing phases. "The group has developed customized versions of three older remote access trojans (RATs), including  Trochilus RAT ,  Gh0st RAT , and  9002 RAT ," the Symantec Threat Hunter team, part of Broadcom Software,  said  in a report shared with The Hacker News. The cybersecurity firm said at least one of the indicators of compromise (IOCs) was used in an attack against an IT service provider operating in multiple Asian countries. It's worth pointing out that all the three backdoors are primarily associated with Chinese threat actors such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others, although they have been put to use by other hacking groups. Symantec said the Webworm threat ac

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision. "This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications," the Treasury  said . The Nemesis Kitten actor, which is also known as  Cobalt Mirage ,  DEV-0270 , and  UNC2448 , has come under the scanner in recent months for its pattern of ransomware attacks for o

The operators behind the Lornenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting on the network perimeter," researchers from cybersecurity firm Arctic Wolf  said  in a report published this week. "Lorenz exploited  CVE-2022-29499 , a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used  Chisel  as a tunneling tool to pivot into the environment." Lorenz, like many other ransomware groups, is known for double extortion by exfiltrating data prior to encrypting systems, with the actor targeting small and medium businesses (SMBs) located in the U.S., and to a lesser extent in China and Mexico, since at least February 2021. Calling it an "ever-evolvin

Palo Alto Networks Unit 42 has detailed the inner workings of a malware called  OriginLogger , which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as  Agent Tesla . A .NET based keylogger and remote access, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain. Known to be used in the wild since 2014, it's advertised for sale on dark web forums and is generally distributed through malicious spam emails as an attachment. In February 2021, cybersecurity firm Sophos  disclosed two new variants  of the commodity malware (version 2 and 3) that featured capabilities to steal credentials from web browsers, email apps, and VPN clients, as well as use Telegram API for command-and-control. Now according to Unit 42 researcher Jeff White, what has been tagged as Agent Tesla version 3

A zero-day flaw in the latest version of a WordPress premium plugin known as  WPGateway  is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as  CVE-2022-3180  (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted. "Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator," Wordfence researcher Ram Gall  said  in an advisory. WPGateway is billed as a means for site administrators to install, backup, and clone WordPress plugins and themes from a unified dashboard. The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username "rangex." Additionally, the appearance of requests to "//wp-content/plugins/wpgateway/wpgateway-webse

Contemporary organizations understand the importance of data and its impact on improving interactions with customers, offering quality products or services, and building loyalty. Data is fundamental to business success. It allows companies to make the right decisions at the right time and deliver the high-quality, personalized products and services that customers expect. There is a challenge, though. Businesses are collecting more data than ever before, and new technologies have accelerated this process dramatically. As a result, organizations have significant volumes of data, making it hard to manage, protect, and get value from it. Here is where Governance, Risk, and Compliance (GRC) comes in. GRC enables companies to define and implement the best practices, procedures, and governance to ensure the data is clean, safe, and reliable across the board.  More importantly,  organizations can use GRC platforms like StandardFusion  to create an organizational culture around security.