#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
DevSecOps

linux | Breaking Cybersecurity News | The Hacker News

Category — linux
FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux

FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux

Feb 13, 2025 Malware / Cyber Espionage
Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707 . Some of the other targets include a telecommunications entity and a university, both located in Southeast Asia. "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices," security researchers Andrew Pease and Seth Goodwin said in a technical analysis. The exact initial access vector used in the attacks is currently not clear, although it has been observed that Microsoft's certutil application is used to download additional payloads from a web server associated with the Foreign Ministry. The certutil commands used to ...
⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [6 Jan]

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [6 Jan]

Jan 06, 2025
Every tap, click, and swipe we make online shapes our digital lives, but it also opens doors—some we never meant to unlock. Extensions we trust, assistants we rely on, and even the codes we scan are turning into tools for attackers. The line between convenience and vulnerability has never been thinner. This week, we dive into the hidden risks, surprising loopholes, and the clever tricks cybercriminals are using to outsmart the systems we depend on. Stay with us as we unpack what's happening behind the screen and how you can stay one step ahead. ⚡ Threat of the Week Dozens of Google Chrome Extensions Caught Stealing Sensitive Data — The challenges with securing the software supply chain reared once again after about three dozen extensions were found surreptitiously siphoning sensitive data from roughly 2.6 million devices for several months as part of two related campaigns. The compromises came to light after data loss prevention service Cyberhaven revealed that its browser extens...
Protecting Your Software Supply Chain: Assessing the Risks Before Deployment

Protecting Your Software Supply Chain: Assessing the Risks Before Deployment

Feb 11, 2025Software Security / Threat Intelligence
Imagine you're considering a new car for your family. Before making a purchase, you evaluate its safety ratings, fuel efficiency, and reliability. You might even take it for a test drive to ensure it meets your needs. The same approach should be applied to software and hardware products before integrating them into an organization's environment. Just as you wouldn't buy a car without knowing its safety features, you shouldn't deploy software without understanding the risks it introduces. The Rising Threat of Supply Chain Attacks Cybercriminals have recognized that instead of attacking an organization head-on, they can infiltrate through the software supply chain—like slipping counterfeit parts into an assembly line. According to the 2024 Sonatype State of the Software Supply Chain report , attackers are infiltrating open-source ecosystems at an alarming rate, with over 512,847 malicious packages detected last year alone—a 156% increase from the previous year. Traditional sec...
FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

Dec 27, 2024 Botnet / DDoS Attack
Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN. "These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface," Fortinet FortiGuard Labs researcher Vincent Li said in a Thursday analysis. "This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051 , CVE-2019-10891 , CVE-2022-37056 , and CVE-2024-33112 ." According to the cybersecurity company's telemetry data, attacks involving FICORA have targeted various countries globally, whereas those related to CAPSAICIN primarily singled out East Asian territories like Japan and Taiwan. T...
cyber security

Webinar: 5 Ways New AI Agents Can Automate Identity Attacks | Register Now

websitePush SecurityAI Agents / Identity Security
Learn how CUAs like OpenAI Operator can be used by attackers to automate account takeover and exploitation.
Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Dec 20, 2024 Malware / Supply Chain Attack
The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli , were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware. Following the discovery , versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8. "They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts," software supply chain security firm Socket said in an analysis. Rspack is billed as an alternative to the webpack , offering a "high performance JavaScript bundler written in Rust." Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others. The npm packages in question, @rspack/core, and @rspack/cli, attract weekly downloads of over 300,000 and 145...
Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Dec 19, 2024 Malware / Botnet
Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware. The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024. "These systems have been infected with the Mirai malware and were subsequently used as a DDoS attack source to other devices accessible by their network," it said . "The impacted systems were all using default passwords." Mirai , which has had its source code leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks. To mitigate such threats, organizations are recommended to change their passwords with i...
⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

Dec 16, 2024 Cyber Threats / Weekly Recap
This past week has been packed with unsettling developments in the world of cybersecurity. From silent but serious attacks on popular business tools to unexpected flaws lurking in everyday devices, there's a lot that might have flown under your radar. Attackers are adapting old tricks, uncovering new ones, and targeting systems both large and small. Meanwhile, law enforcement has scored wins against some shady online marketplaces, and technology giants are racing to patch problems before they become a full-blown crisis. If you've been too busy to keep track, now is the perfect time to catch up on what you may have missed. ⚡ Threat of the Week Cleo Vulnerability Comes Under Active Exploitation — A critical vulnerability (CVE-2024-50623) in Cleo's file transfer software—Harmony, VLTrader, and LexiCom—has been actively exploited by cybercriminals , creating major security risks for organizations worldwide. The flaw enables attackers to execute code remotely without authorization...
New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

Dec 16, 2024 Malware / Cybercrime
Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa. QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked Winnti (aka APT41). "Interestingly, our investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market," the company said . "By poisoning operations, they aimed to turn the tools of cybercriminals against them – a classic 'no honor among thieves' scenario." Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares "near-complete similarity" with a know...
390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

Dec 13, 2024 Cyber Attack / Malware
A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws. "Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated," researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News. It's no surprise that security researchers have been an attractive target for threat actors, including nation-sta...
Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection

Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection

Dec 13, 2024 Linux / Vulnerability
A security flaw has been disclosed in OpenWrt 's Attended Sysupgrade ( ASU ) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages. The vulnerability, tracked as CVE-2024-54143 , carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the flaw on December 4, 2024. The issue has been patched in ASU version 920c8a1 . "Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision," the project maintainers said in an alert. OpenWrt is a popular open-source Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic. Successful exploitation of the shortcoming could essentiall...
New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection

New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection

Dec 13, 2024 Linux / Threat Analysis
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. "PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers," Elastic Security Lab researchers Remco Sprooten and Ruben Groenewoud said in a technical report published Thursday. The company's analysis comes from artifacts uploaded to the VirusTotal malware scanning platform earlier this September. The internals of the malware is based on a multi-stage architecture that comprises a dropper component named "cron," two memory-resident executables ("/memfd:tgt" and "/memfd:wpn"), an LKM rootkit ("puma.ko"), and a shared object (SO) userland rootkit called Kitsune ("li...
⚡ THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)

⚡ THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)

Dec 09, 2024 Cyber Threats / Weekly Recap
This week's cyber world is like a big spy movie. Hackers are breaking into other hackers' setups, sneaky malware is hiding in popular software, and AI-powered scams are tricking even the smartest of us. On the other side, the good guys are busting secret online markets and kicking out shady chat rooms, while big companies rush to fix new security holes before attackers can jump in. Want to know who's hacking who, how they're doing it, and what's being done to fight back? Stick around—this recap has the scoop. ⚡ Threat of the Week Turla Hackers Hijack Pakistan Hackers' Infrastructure — Imagine one hacker group sneaking into another hacker group 's secret hideout and using their stuff to carry out their own missions. That's basically what the Russia-linked Turla group has been doing since December 2022. They broke into the servers of a Pakistani hacking team called Storm-0156 and used those servers to spy on government and military targets in Afghanistan and India. By doing th...
Expert Insights / Articles Videos
Cybersecurity Resources