network security | Breaking Cybersecurity News | The Hacker News

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks
Feb 29, 2024 Linux / Network Security
Threat hunters have discovered a new Linux malware called GTPDOOR that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN). Security researcher haxrob, who discovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as LightBasin (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata. "When run, the f

Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub
Feb 27, 2024 Malware / Network Security
An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it easily accessible to other actors at no extra cost. Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a "comprehensive set of features for remote system management," according to its developer, who goes by the name moom825. It includes a SOCKS5 reverse proxy and the ability to record real-time audio, as well as a hidden virtual network computing (hVNC) module along the lines of DarkVNC, which allows attackers to gain remote access to an infected computer. "Xeno RAT is developed entirely from scratch, ensuring a unique and tailored approach to remote access tools," the developer states in the project description. Another notable aspect is that it has a builder that enables the creation of bespoke variants of the malware. It's worth noting that moom825 is a

SaaS Compliance through the NIST Cybersecurity Framework
Feb 20, 2024 Cybersecurity Framework / SaaS Security
The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world's most important guidelines for securing networks. It can be applied to any number of applications, including SaaS. One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards. However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we'll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps' security posture.
Start with Admins
Role-based access control (RBAC) is a key to NIST adherence and should be applied to every SaaS a

Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks
Feb 22, 2024 Network Security / Penetration Testing
A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities. "SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández said. "The worm automatically searches through known credential locations and shell history files to determine its next move." SSH-Snake was first released on GitHub in early January 2024, and is described by its developer as a "powerful tool" to carry out automatic network traversal using SSH private keys discovered on systems. In doing so, it creates a comprehensive map of a network and its dependencies, helping determine the extent to which a network can be compromised using SSH and SSH private keys starting from a particular host. It also supports resolution of domains which have multiple IPv4 addresses. "It's comp

New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers
Feb 21, 2024 Network Security / Vulnerability
Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password. The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, were discovered following a security evaluation of wpa_supplicant and Intel's iNet Wireless Daemon (IWD), respectively. The flaws "allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password," Top10VPN said in new research conducted in collaboration with Mathy Vanhoef, who has previously uncovered Wi-Fi attacks like KRACK, DragonBlood, and TunnelCrack. CVE-2023-52161, in particular, permits an adversary to gain unauthorized access to a protected Wi-Fi network, exposing exis

Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now
Feb 20, 2024 Vulnerability / Network Security
ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities are listed below:
CVE-2024-1708 (CVSS score: 8.4) - Improper limitation of a pathname to a restricted directory, aka "path traversal"
CVE-2024-1709 (CVSS score: 10.0) - Authentication bypass using an alternate path or channel
The company deemed the severity of the issues as critical, citing they "could allow the ability to execute remote code or directly impact confidential data or critical systems." Both vulnerabilities impact ScreenConnect versions 23.9.7 and prior, with fixes available in version 23.9.8. The flaws were reported to the company on February 13, 2024. While there is no evidence that the shortcomings have been exploited in the wild, users who are running self-hosted or on-premise versions are recommended

Malicious 'SNS Sender' Script Abuses AWS for Bulk Smishing Attacks
Feb 16, 2024 Cyber Threat / Cloud Security
A malicious Python script known as SNS Sender is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS). The SMS phishing messages are designed to propagate malicious links that are designed to capture victims' personally identifiable information (PII) and payment card details, SentinelOne said in a new report, attributing it to a threat actor named ARDUINO_DAS. "The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery," security researcher Alex Delamotte said. SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale. The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition t

U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage
Feb 16, 2024 Botnet / Network Security
The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities. "These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations," the U.S. Department of Justice (DoJ) said in a statement. APT28, also tracked under the monikers BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is assessed to be linked to Unit 26165 of Russia's Main Directorate of the General Staff (GRU). It's known to be active since at least 2007. Court documents allege that the attackers pulled off their cyber espionage campaigns by relying on MooBot, a Mirai

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
Feb 14, 2024 Patch Tuesday / Vulnerability
Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation. Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three are rated Moderate in severity. This is in addition to 24 flaws that have been fixed in the Chromium-based Edge browser since the release of the January 2024 Patch Tuesday updates. The two flaws that are listed as under active attack at the time of release are below:
CVE-2024-21351 (CVSS score: 7.6) - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2024-21412 (CVSS score: 8.1) - Internet Shortcut Files Security Feature Bypass Vulnerability
"The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both," Microsoft said a

Why Are Compromised Identities the Nightmare to IR Speed and Efficiency?
Feb 12, 2024 Threat Intelligence / Cyber Resilience
Incident response (IR) is a race against time. You engage your internal or external team because there's enough evidence that something bad is happening, but you're still blind to the scope, the impact, and the root cause. The common set of IR tools and practices provides IR teams with the ability to discover malicious files and outbound network connections. However, the identity aspect, namely the pinpointing of compromised user accounts that were used to spread in your network, unfortunately remains unattended. This task proves to be the most time-consuming for IR teams and has become a challenging uphill battle that buys attackers precious time in which they can still inflict damage. In this article, we analyze the root cause of IR's identity blind spots and provide sample IR scenarios in which it acts as an inhibitor to a rapid and efficient process. We then introduce Silverfort's Unified Identity Protection Platform and show how its real-time MFA and ident

Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways
Feb 09, 2024 Vulnerability / Zero Day
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication," the company said in an advisory. The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893. CVE-2024-22024 affects the following versions of the products:
Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, a

Chinese Hackers Operate Undetected in U.S. Critical Infrastructure for Half a Decade
Feb 08, 2024 Critical Infrastructure / Network Security
The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years. Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam. "Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," the U.S. government said. The idea is to pre-position themselves on IT networks by maintaining persistence and understanding the target environment over time for disruptive or destructive cyber attacks against U.S. critical infrastructure in the event of a major crisis or conflict with the coun

Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products
Feb 08, 2024 Cyber Threat / Network Security
Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices. The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks. All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user. "If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts," Cisco said about CVE-2024-20252 and CVE-2024-20254. On the other hand, successful exploitatio

After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back
Feb 07, 2024 Malware / Network Security
The threat actors behind the KV-botnet made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity. KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda). Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance. Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets c