hacking | Breaking Cybersecurity News | The Hacker News

Latest research has demonstrated a new exploit that enables arbitrary data to be uploaded from devices that are not connected to the Internet by simply sending "Find My" Bluetooth broadcasts to nearby Apple devices. "It's possible to upload arbitrary data from non-internet-connected devices by sending Find My [Bluetooth Low Energy] broadcasts to nearby Apple devices that then upload the data for you," Positive Security researcher Fabian Bräunlein  said  in a technical write-up disclosed last week. The study builds on a previous analysis by TU Darmstadt  published  in March 2021, which disclosed two distinct design and implementation flaws in Apple's crowdsourced Bluetooth location tracking system that could lead to a location correlation attack and unauthorized access to a user's location history of the past seven days. The investigation was augmented by the release of a framework called  OpenHaystack  that's designed to let any user create an &

Cybersecurity researchers have uncovered an ongoing malware campaign that heavily relies on AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RAT) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems. At least four different versions of the campaign have been spotted starting February 2021, according to researchers from Morphisec Labs. "The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script," the researchers  noted . "This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the  FileInstall  command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions." AutoHotkey is an open-source custom scripting language for Microsoft Windows that's meant to provide easy hotkeys for macro-creation and software automation, enablin

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

Colonial Pipeline on Thursday restored operations to its entire pipeline system nearly a week following a ransomware infection targeting its IT systems, forcing it to reportedly shell out nearly $5 million to regain control of its computer networks. "Following this restart, it will take several days for the product delivery supply chain to return to normal," the company said in a statement on Thursday evening. "Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during this start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal." The company's official website , however, has been taken offline as of writing with an access denied message "This request was blocked by the security rules." Bloomberg, citing "two people familiar with the transaction," said the company made th

Microsoft on Tuesday rolled out its scheduled  monthly security update  with patches for 55 security flaws affecting Windows, Exchange Server, Internet Explorer, Office, Hyper-V, Visual Studio, and Skype for Business. Of these 55 bugs, four are rated as Critical, 50 are rated as Important, and one is listed as Moderate in severity. Three of the vulnerabilities are publicly known, although, unlike  last month , none of them are under active exploitation at the time of release. The most critical of the flaws addressed is  CVE-2021-31166 , a wormable remote code execution vulnerability in the HTTP protocol stack. The issue, which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server, is rated 9.8 out of a maximum of 10 on the CVSS scale. Another vulnerability of note is a remote code execution flaw in Hyper-V ( CVE-2021-28476 ), which also scores the highest severity among all flaws patched this month with a CVSS rating of 9.9. "This i

The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data if their ransom demands are not met. "The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data," the gang said in a statement on their data leak site. "You still have the ability to stop it," it added. The Babuk group is said to have  stolen 250GB of data , including investigation reports, arrests, disciplinary actions, and other intelligence briefings. Like other ransomware platforms, DarkSide adheres to a practice called double extortion, which involves demanding money in return for unlocking files and servers en

Adobe has released  Patch Tuesday updates  for the month of May with fixes for multiple vulnerabilities spanning 12 different products, including a zero-day flaw affecting Adobe Reader that's actively exploited in the wild. The list of updated applications includes Adobe Experience Manager , Adobe InDesign , Adobe Illustrator , Adobe InCopy , Adobe Genuine Service , Adobe Acrobat and Reader, Magento , Adobe Creative Cloud Desktop Application, Adobe Media Encoder , Adobe After Effects , Adobe Medium, and Adobe Animate. In a security bulletin, the company  acknowledged  it received reports that the flaw "has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows." Tracked as CVE-2021-28550, the zero-day concerns an arbitrary code execution flaw that could allow adversaries to execute virtually any command on target systems. While the targeted attacks took aim at Windows users of Adobe Reader, the issue affects both Windows and macOS ver

Cybersecurity researchers on Monday disclosed a new Android trojan that hijacks users' credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands. Called " TeaBot " (or Anatsa), the malware is said to be in its early stages of development, with malicious attacks targeting financial apps commencing in late March 2021, followed by a rash of infections in the first week of May against Belgium and Netherlands banks. The first signs of TeaBot activity emerged in January. "The main goal of TeaBot is stealing victim's credentials and SMS messages for enabling frauds scenarios against a predefined list of banks," Italian cybersecurity and online fraud prevention firm Cleafy said in a Monday write-up. "Once TeaBot is successfully installed in the victim's device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility Serv

Four Eastern European nationals face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to providing bulletproof hosting services between 2008 and 2015, which were used by cybercriminals to distribute malware to financial entities across the U.S. The individuals, Aleksandr Grichishkin, 34, and Andrei Skvortsov, 34, of Russia; Aleksandr Skorodumov, 33, of Lithuania; and Pavel Stassi, 30, of Estonia, have been accused of renting their wares to cybercriminal clients, who used the infrastructure to disseminate malware such as Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit that were capable of co-opting victim machines into a botnet, and stealing sensitive information. The deployment of malware caused or attempted to cause millions of dollars in losses to U.S. victims, the U.S. Department of Justice (DoJ) said in a statement on Friday. "A key service provided by the defendants was helping their clients to evade detection by

Cybersecurity researchers have disclosed a new security vulnerability in Qualcomm's mobile station modems (MSM) that could potentially allow an attacker to leverage the underlying Android operating system to slip malicious code into mobile phones, undetected. "If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations," researchers from Israeli security firm Check Point  said  in an analysis published today. The heap overflow vulnerability, tracked as CVE-2020-11292 , resides in the QMI voice service API exposed by the modem to the high level operating system, and could be exploited by a malicious app to conceal its activities "underneath" the OS in the modem chip itself, thus making it invisible to the security protections built into the device. Designed since the 1990s, Qualcomm  MSM  chip

The maintainers of Exim have  released patches  to remediate as many as 21 security vulnerabilities in its software that could enable unauthenticated attackers to achieve complete remote code execution and gain root privileges. Collectively named  '21Nails ,' the flaws include 11 vulnerabilities that require local access to the server and 10 other weaknesses that could be exploited remotely. The issues were discovered by Qualys and reported to Exim on Oct. 20, 2020. "Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server," Bharat Jogi, senior manager at Qualys, said in a public disclosure. "Most of the vulnerabilities discovered by the Qualys Research Team for e.g. CVE-2020-28017 affects all versions of Exim going back all the way to 2004." Exim is a popular mail transfer agent (MTA) used on Unix-like operating systems, with over 60% of the publicly reachable

Apple on Monday released security updates for  iOS ,  macOS , and  watchOS  to address three zero-day flaws and expand patches for a fourth vulnerability that the company said might have been exploited in the wild. The weaknesses all concern WebKit, the browser engine which powers Safari and other third-party web browsers in iOS, allowing an adversary to execute arbitrary code on target devices. A summary of the three security bugs are as follows - CVE-2021-30663:  An integer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved input validation. CVE-2021-30665:  A memory corruption issue that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved state management. CVE-2021-30666:  A buffer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addr

Cybersecurity researchers on Monday disclosed a new malspam campaign distributing a fresh variant of a malware loader called "Buer" written in Rust, illustrating how adversaries are constantly honing their malware toolsets to evade analysis. Dubbed "RustyBuer," the malware is propagated via emails masquerading as shipping notices from DHL Support, and is said to have affected no fewer than 200 organizations across more than 50 verticals since early April. "The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular," Proofpoint researchers  said  in a report shared with The Hacker News. "Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities." First introduced in August of 2019,  Buer  is a modular malware-as-a-service offering that's sold on underground forums and used as a first-stage downloader to deliver additiona

Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis. "Iran's Islamic Revolutionary Guard Corps ( IRGC ) was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard' (ENP)," cybersecurity firm Flashpoint  said  in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel. Dubbed "Project Signal," the initiative is said to have kickstarted sometime between late July 2020 and early September 2020, with ENP's internal research organization, named the "Studies Center," putting together a list of unspecified target websites. A second spreadsheet validated by Flashpoint explicitly spelled out the project's financial motivations, with plans to launch the ransomware operations in late

An "aggressive" financially motivated threat group tapped into a zero-day flaw in SonicWall VPN appliances prior to it being patched by the company to deploy a new strain of ransomware called FIVEHANDS. The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw in the SSL-VPN SMA100 product ( CVE-2021-20016 , CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution. "UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers  said . "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics." CVE-2021-20016 is the same  zero-day  that the

Threat actors are increasingly adopting  Excel 4.0 documents  as an initial stage vector to distribute malware such as  ZLoader  and Quakbot, according to new research. The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious. "The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules," researchers from ReversingLabs said in a report  published today . Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), is a legacy feature incorporated in Microsoft Excel for backward compatibility reasons. Microsoft warns in its  support document  that enabling all macros can cause "potentially dangerous code" to run. The eve

Cybersecurity researchers on Wednesday disclosed a new bypass vulnerability (CVE-2021-23008) in the Kerberos Key Distribution Center (KDC) security feature impacting F5 Big-IP application delivery services. "The KDC Spoofing vulnerability allows an attacker to bypass the Kerberos authentication to Big-IP Access Policy Manager (APM), bypass security policies and gain unfettered access to sensitive workloads," Silverfort researchers Yaron Kassner and Rotem Zach said in a report. "In some cases this can be used to bypass authentication to the Big-IP admin console as well." Coinciding with the public disclosure, F5 Networks has released patches to address the weakness (CVE-2021-23008, CVSS score 8.1), with fixes introduced in BIG-IP APM versions 12.1.6, 13.1.4, 14.1.4, and 15.1.3. A similar patch for version 16.x is expected at a future date. "We recommend customers running 16.x check the security advisory to assess their exposure and get details on mitigati

A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its  GitHub repository  were handled, resulting in a scenario where a malicious  pull request  — i.e., the proposed changes — could be automatically reviewed and approved. The flaw was fixed on April 19. Homebrew is a free and open-source software package manager solution that allows the installation of software on Apple's macOS operating system as well as Linux. Homebrew  Cask  extends the functionality to include command-line workflows for GUI-based macOS applications, fonts, plugins, and other non-open source software. "The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be

A new ransomware strain called " Qlocker " is targeting QNAP network attached storage (NAS) devices as part of an ongoing campaign and encrypting files in password-protected 7zip archives. First reports of the  infections   emerged on April 20, with the adversaries behind the operations demanding a bitcoin payment (0.01 bitcoins or about $500.57) to receive the decryption key. In response to the ongoing attacks, the Taiwanese company has released an advisory prompting users to apply updates to QNAP NAS running Multimedia Console, Media Streaming Add-on, and HBS 3 Hybrid Backup Sync to secure the devices from any attacks. "QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS," the company  said . "The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks."

The sprawling  SolarWinds cyberattack  which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection." As further proof of this, new research published today shows that the threat actor carefully planned each stage of the operation to "avoid creating the type of patterns that make tracking them simple," thus deliberately making forensic analysis difficult. By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, r

There are many labor-intensive tasks that the IT service desk carries out on a daily basis. None as tedious and costly as resetting passwords. Modern IT service desks spend a significant amount of time both unlocking and resetting passwords for end-users. This issue has been exacerbated by the COVID-19 pandemic. Causes of account lockouts and password resets End-user password policies, such as those found in Microsoft Active Directory Domain Services (ADDS), typically define a  password age . The password age is the length of time an end-user can keep their current password. While  new guidance from NIST  recommends against the long-held notion of forced password changes, it is still a common and required security mechanism across other compliance standards and industry certifications such as PCI and HITRUST. When the password age is reached for the user account, the user must change their account password. It is generally prompted at the next login on their workstation. This sce