The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: hacking

Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices

Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices
July 27, 2021Ravie Lakshmanan
Apple on Monday rolled out an urgent security update for  iOS, iPadOS , and  macOS  to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year. The updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fixes a memory corruption issue ( CVE-2021-30807 ) in the IOMobileFrameBuffer component, a kernel extension for managing the screen  framebuffer , that could be abused to execute arbitrary code with kernel privileges. The company said it addressed the issue with improved memory handling, noting it's "aware of a report that this issue may have been actively exploited." As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting the

Dutch Police Arrest Two Hackers Tied to "Fraud Family" Cybercrime Ring

Dutch Police Arrest Two Hackers Tied to "Fraud Family" Cybercrime Ring
July 23, 2021Ravie Lakshmanan
Law enforcement authorities in the Netherlands have  arrested  two alleged individuals belonging to a Dutch cybercriminal collective who were involved in developing, selling, and renting sophisticated phishing frameworks to other threat actors in what's known as a "Fraud-as-a-Service" operation. The apprehended suspects, a 24-year-old software engineer and a 15-year-old boy, are said to have been the main developer and seller of the phishing frameworks that were employed to collect login data from bank customers. The attacks primarily singled out users in the Netherlands and Belgium. The 15-year-old suspect has since been released from custody "pending further investigation," Dutch police said. Believed to be active since at least 2020, the cybercriminal syndicate has been codenamed " Fraud Family " by cybersecurity firm Group-IB. The frameworks come with phishing kits, tools designed to steal information, and web panels, which allow the fraudsters

China's Cyberspies Targeting Southeast Asian Government Entities

China's Cyberspies Targeting Southeast Asian Government Entities
July 15, 2021Ravie Lakshmanan
A sweeping and "highly active campaign" that originally set its sights on Myanmar has broadened its focus to strike a number of targets located in the Philippines, according to new research. Russian cybersecurity firm Kaspersky, which first spotted the infections in October 2020, attributed them to a threat actor it tracks as " LuminousMoth ," which it connected with medium to high confidence to a Chinese state-sponsored hacking group called HoneyMyte or  Mustang Panda , given its observed victimology, tactics, and procedures. About 100 affected victims have been identified in Myanmar, while the number of victims jumped to nearly 1,400 in the Philippines, although the researchers noted that the actual targets were only a fraction of the initial numbers, including government entities located both within the two countries and abroad. The goal of the attacks is to affect a wide perimeter of targets with the aim of hitting a select few that are of strategic interes

Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites

Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites
July 12, 2021Ravie Lakshmanan
Cybersecurity researchers are warning about a new malware that's striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio's live-streaming app to capture the screen of its victims. The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads. Specifically, the websites' online support chat pages are booby-trapped with malicious JavaScript code, which is used to deliver the malware to the victims. "BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution,&quo

Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform

Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platform
July 07, 2021Ravie Lakshmanan
An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process. In light of the growing number of cyber incidents that target the software supply chain, there is an urgent need to assess such third-party modules for any security risks and minimize the attack surface, ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. NuGet  is a Microsoft-supported mechanism for the .NET platform and functions as a package manager designed to enable developers to share reusable code. The framework maintains a central repository of over 264,000 unique packages that have collectively produced more than 109 billion package downloads. "All identified precompiled software components in our research were different versions of 7Zip, WinSCP and PuT

[Whitepaper] XDR vs. NDR/NTA – What do Organizations Truly Need to Stay Safe?

[Whitepaper] XDR vs. NDR/NTA – What do Organizations Truly Need to Stay Safe?
July 07, 2021The Hacker News
Security teams whose organizations are outside the Fortune 500 are faced with a dilemma. Most teams will have to choose between deploying either a network traffic analysis (NTA) or network detection and response (NDR) tool or an endpoint detection and response (EDR) tool to supplement their existing stacks. On the other hand, some organizations are getting the best of both options by switching to extended detection and response (XDR) tools which often provide all these tools in one solution. This is the key takeaway of a new whitepaper by security provider Cynet ( download it here ). NDR tools have become more popular, and for a good reason. They offer organizations a variety of benefits and can help further secure an environment from lateral movement attacks and further infiltration if an initial attack succeeds. NDR tools can detect a wide range of malicious activities and anomalous behaviors.  The question is whether the strengths of an NDR tool outweigh its limitations.  The

Interpol Arrests Moroccan Hacker Engaged in Nefarious Cyber Activities

Interpol Arrests Moroccan Hacker Engaged in Nefarious Cyber Activities
July 06, 2021Ravie Lakshmanan
Law enforcement authorities with the Interpol have apprehended a threat actor responsible for targeting thousands of unwitting victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France as part of a global phishing and credit card fraud scheme. The two-year investigation, dubbed  Operation Lyrebird  by the international, intergovernmental organization, resulted in the arrest of a Moroccan citizen nicknamed Dr HeX, cybersecurity firm Group-IB disclosed today in a report shared with The Hacker News. Dr HeX is said to have been "active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims," the Singapore-headquartered company said . The cyber attacks involved deploying a phishing kit consisting of web pages that spoofed banking entities in the country, followed by sendin

Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software

Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software
July 02, 2021Ravie Lakshmanan
In yet another instance of software supply chain attack, unidentified hackers breached the website of  MonPass , one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021, and March 3, 2021, said Czech cybersecurity software company Avast in a  report  published Thursday. In addition, a public webserver hosted by MonPass was infiltrated potentially as many as eight separate times, with the researchers uncovering eight different web shells and backdoors on the compromised server. Avast's investigation into the incident began after it discovered the backdoored installer and the implant on one of its customers' systems. "The malicious installer is an unsigned [Portable Executable] file," the researchers said. "It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate versi

3 Steps to Strengthen Your Ransomware Defenses

3 Steps to Strengthen Your Ransomware Defenses
July 01, 2021The Hacker News
The recent tsunami of ransomware has brought to life the fears of downtime and data loss cybersecurity pros have warned about, as attacks on the energy sector, food supply chain, healthcare industry, and other critical infrastructure have grabbed headlines. For the industry experts who track the evolution of this threat, the increased frequency, sophistication, and destructiveness of ransomware suggests that businesses still have some major gaps in their defense strategies. It's no surprise that a new, multi-layered approach to protection is needed to stem the damage caused by ransomware. But what changes should an IT team implement to close those gaps? During a recent panel, a team of cybersecurity experts outlined a three-step plan to do just that -- centered around embracing new technologies, improving security processes, and ensuring their people know how to help curb the threat. 1  —  New Strains Overwhelm Old Defenses Many new ransomware strains now act like advanced pe

Cisco ASA Flaw Under Active Attack After PoC Exploit Posted Online

Cisco ASA Flaw Under Active Attack After PoC Exploit Posted Online
June 27, 2021Ravie Lakshmanan
A security vulnerability in Cisco Adaptive Security Appliance (ASA) that was addressed by the company last October, and again earlier this April, has been subjected to active in-the-wild attacks following the release of proof-of-concept (PoC) exploit code. The PoC was  published  by researchers from cybersecurity firm Positive Technologies on June 24, following which reports emerged that attackers are chasing after an exploit for the bug. "Tenable has also received a report that attackers are exploiting CVE-2020-3580 in the wild," the cyber exposure company  said . Tracked as  CVE-2020-3580  (CVSS score: 6.1), the issue concerns multiple vulnerabilities in the web services interface of Cisco ASA software and Cisco Firepower Threat Defense (FTD) software that could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks on an affected device. As of July 2020, there were a little over  85,000 ASA/FTD devices , 398 of which are spread acros

Watch Out! Zyxel Firewalls and VPNs Under Active Cyberattack

Watch Out! Zyxel Firewalls and VPNs Under Active Cyberattack
June 25, 2021Ravie Lakshmanan
Taiwanese networking equipment company Zyxel is warning customers of an ongoing attack targeting a "small subset" of its security products such as firewall and VPN servers. Attributing the attacks to a "sophisticated threat actor," the firm noted that the attacks single out appliances that have remote management or SSL VPN enabled, namely in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware, implying that the targeted devices are publicly accessible over the internet. "The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as 'zyxel_slIvpn', 'zyxel_ts', or 'zyxel_vpn_test', to manipulate the device's configuration," Zyxel said in an  email message , which was shared on Twitter. As of writing, it's not immediately known if the attacks are exploiting previously known vulnerabilities

NVIDIA Jetson Chipsets Found Vulnerable to High-severity Flaws

NVIDIA Jetson Chipsets Found Vulnerable to High-severity Flaws
June 22, 2021Ravie Lakshmanan
U.S. graphics chip specialist NVIDIA has released  software updates  to address a total of 26 vulnerabilities impacting its Jetson system-on-module (SOM) series that could be abused by adversaries to escalate privileges and even lead to denial-of-service and information disclosure. Tracked from CVE‑2021‑34372 through CVE‑2021‑34397, the flaws affect products Jetson TX1, TX2 series, TX2 NX, AGX Xavier series, Xavier NX, and Nano and Nano 2GB running all Jetson Linux versions prior to 32.5.1. The company credited Frédéric Perriot of Apple Media Products for reporting all the issues. The  NVIDIA Jetson  line consists of embedded Linux AI and computer vision compute modules and developer kits that primarily caters to AI-based computer vision applications and autonomous systems such as mobile robots and drones. Chief among the vulnerabilities is CVE‑2021‑34372 (CVSS score: 8.2), a buffer overflow flaw in its  Trusty  trusted execution environment (TEE) that could result in informatio

North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute

North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute
June 18, 2021Ravie Lakshmanan
South Korea's state-run Korea Atomic Energy Research Institute (KAERI) on Friday disclosed that its internal network was infiltrated by suspected attackers operating out of its northern counterpart. The intrusion is said to have taken place on May 14 through a vulnerability in an unnamed virtual private network (VPN) vendor and involved a  total of 13 IP addresses , one of which — "27.102.114[.]89" — has been previously linked to a state-sponsored threat actor dubbed  Kimsuky . KAERI, established in 1959 and situated in the city of Daejeon, is a government-funded research institute that designs and develops nuclear technologies related to reactors, fuel rods, radiation fusion, and nuclear safety. Following the intrusion, the think tank said it took steps to block the attacker's IP addresses in question and applied necessary security patches to the vulnerable VPN solution. "Currently, the Atomic Energy Research Institute is investigating the subject of the ha

Google Releases New Framework to Prevent Software Supply Chain Attacks

Google Releases New Framework to Prevent Software Supply Chain Attacks
June 18, 2021Ravie Lakshmanan
As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov  security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications.  Called " Supply chain Levels for Software Artifacts " (SLSA, and pronounced "salsa"), the end-to-end framework aims to secure the software development and deployment pipeline — i.e., the source ➞ build ➞ publish workflow — and  mitigate threats  that arise out of tampering with the source code, the build platform, and the artifact repository at every link in the chain. Google said SLSA is inspired by the company's own internal enforcement mechanism called Binary Authorization for Borg , a set of auditing tools that verifies code provenance and implements code identity to ascertain that the deployed production software is properly reviewed and authorized. "In its current state, SLSA is a set of incrementally adoptable

[eBook] 7 Signs You Might Need a New Detection and Response Tool

[eBook] 7 Signs You Might Need a New Detection and Response Tool
June 17, 2021The Hacker News
It's natural to get complacent with the status quo when things seem to be working. The familiar is comfortable, and even if something better comes along, it brings with it many unknowns. In cybersecurity, this tendency is countered by the fast pace of innovation and how quickly technology becomes obsolete, often overnight. This combination usually results in one of two things – organizations make less than ideal choices about the software and tools they're adding, or security leaders simply cannot stay abreast of new developments and opt to stay put with their existing stack. The problem is that once you let one update pass you by, you're suddenly miles behind. A new eBook from XDR provider Cynet ( download here ) offers insights into factors that are clear signs organizations need to upgrade their detection and response tools to stay with the times. The eBook highlights several factors and questions that companies can ask themselves to determine whether they are okay

Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique

Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique
June 17, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed a new executable image tampering attack dubbed "Process Ghosting" that could be potentially abused by an attacker to circumvent protections and stealthily run malicious code on a Windows system. "With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk," Elastic Security researcher Gabriel Landau  said . "This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)." Process Ghosting expands on previously documented  endpoint bypass  methods such as  Process Doppelgänging  and  Process Herpaderping , thereby enabling the veiled execution of malicious code that may evade anti-malware defenses and detection. Process Doppelgänging, analogous to  Process Hollowing , involves injecting arbitrary code in the address space of

Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping

Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping
June 16, 2021Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek's software development kit (SDK) that could be abused by an adversary to gain improper access to audio and video streams. "Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds," CISA  said  in the alert. ThroughTek's point-to-point ( P2P ) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet. Tracked as CVE-2021-32934 (CVSS score: 9.1), the shortcoming affects ThroughTek P2P products, versions 3.1.5 and before as well as SDK versions with nossl tag, and stems from a lack of sufficient protection when transferring data between

Experts Shed Light On Distinctive Tactics Used by Hades Ransomware

Experts Shed Light On Distinctive Tactics Used by Hades Ransomware
June 15, 2021Ravie Lakshmanan
Cybersecurity researchers on Tuesday disclosed "distinctive" tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called  GOLD WINTER . "In many ways, the GOLD WINTER threat group is a typical post-intrusion ransomware threat group that pursues high-value targets to maximize how much money it can extort from its victims," researchers from SecureWorks Counter Threat Unit (CTU) said in an analysis shared with The Hacker News. "However, GOLD WINTER's operations have quirks that distinguish it from other groups." The findings come from a study of incident response efforts the Atlanta-based cybersecurity firm engaged in the first quarter of 2021. Since first emerging in the threat landscape in December 2020, Hades has been classified as INDRIK SPIDER's successor to  WastedLocker  ransomware with "additional code o

Hackers Can Exploit Samsung Pre-Installed Apps to Spy On Users

Hackers Can Exploit Samsung Pre-Installed Apps to Spy On Users
June 11, 2021Ravie Lakshmanan
Multiple critical security flaws have been disclosed in Samsung's pre-installed Android apps, which, if successfully exploited, could have allowed adversaries access to personal data without users' consent and take control of the devices.  "The impact of these bugs could have allowed an attacker to access and edit the victim's contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device's settings," Sergey Toshin, founder of mobile security startup Oversecured,  said  in an analysis published Thursday. Toshin reported the flaws to Samsung in February 2021, following which  patches were issued  by the manufacturer as part of its monthly security updates for April and May. The list of the seven vulnerabilities is as follows - CVE-2021-25356  - Third-party authentication bypass in Managed Provisioning CVE-2021-25388  - Arbitrary app installation

7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access

7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access
June 11, 2021Ravie Lakshmanan
A seven-year-old privilege escalation vulnerability discovered in the polkit system service could be exploited by a malicious unprivileged local attacker to bypass authorization and escalate permissions to the root user. Tracked as  CVE-2021-3560  (CVSS score: 7.8), the flaw affects polkit versions between 0.113 and 0.118 and was discovered by GitHub security researcher Kevin Backhouse, who said the issue was  introduced in a code commit  made on Nov. 9, 2013. Red Hat's Cedric Buissart  noted  that Debian-based distributions, based on polkit 0.105, are also vulnerable. Polkit  (née PolicyKit) is a toolkit for defining and handling authorizations in Linux distributions, and is used for allowing unprivileged processes to communicate with privileged processes. "When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileg
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.