#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

phishing attack | Breaking Cybersecurity News | The Hacker News

TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

Feb 28, 2024 Phishing Attack / Malware
Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called  TimbreStealer . Cisco Talos, which  discovered  the activity, described the authors as skilled and that the "threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as  Mispadu  in September 2023. Besides employing sophisticated obfuscation techniques to sidestep detection and ensure persistence, the phishing campaign makes use of geofencing to single out users in Mexico, returning an innocuous blank PDF file instead of the malicious one if the payload sites are contacted from other locations. Some of the notable evasive maneuvers include leveraging custom loaders and direct system calls to bypass conventional API monitoring, in addition to utilizing Heaven's Gate to execute 64-bit code within a 32-bit process, an approach that was also recently adopted by
Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

Feb 28, 2024 Firmware Security / Vulnerability
In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was  felled by law enforcement  as part of an operation codenamed Dying Ember. The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia's Main Directorate of the General Staff (GRU), is known to be active since at least 2007. APT28 actors have "used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools," the authorities  said  [PDF]. The adversary's use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospita
How to Achieve the Best Risk-Based Alerting (Bye-Bye SIEM)

How to Achieve the Best Risk-Based Alerting (Bye-Bye SIEM)

Feb 19, 2024Network Detection and Response
Did you know that Network Detection and Response (NDR) has become the most effective technology to detect cyber threats? In contrast to SIEM, NDR offers adaptive cybersecurity with reduced false alerts and efficient threat response. Are you aware of  Network Detection and Response (NDR)  and how it's become the most effective technology to detect cyber threats?  NDR massively upgrades your security through risk-based alerting, prioritizing alerts based on the potential risk to your organization's systems and data. How? Well, NDR's real-time analysis, machine learning, and threat intelligence provide immediate detection, reducing alert fatigue and enabling better decision-making. In contrast to SIEM, NDR offers adaptive cybersecurity with reduced false positives and efficient threat response. Why Use Risk-Based Alerting? Risk-based alerting is an approach where security alerts and responses are prioritized based on the level of risk they pose to an organization's system
New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

Feb 26, 2024 Steganography / Malware
Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader. The attack has been attributed to a threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) under the moniker UAC-0184. "The attack, as part of the IDAT Loader, used steganography as a technique," Morphisec researcher Michael Dereviashkin said in a report shared with The Hacker News. "While steganographic, or 'Stego' techniques are well-known, it is important to understand their roles in defense evasion, to better understand how to defend against such tactics." IDAT Loader , which overlaps with another loader family called Hijack Loader, has been used to serve additional payloads like DanaBot, SystemBC, and RedLine Stealer in recent months. It has also been used by a threat actor tracked as TA544 to distribute Remcos RAT and SystemBC
cyber security

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.
8,000+ Domains of Trusted Brands Hijacked for Massive Spam Operation

8,000+ Domains of Trusted Brands Hijacked for Massive Spam Operation

Feb 26, 2024 Domain Hijacking / Email Security
More than 8,000 domains and 13,000 subdomains belonging to legitimate brands and institutions have been hijacked as part of a sophisticated distribution architecture for spam proliferation and click monetization. Guardio Labs is tracking the coordinated malicious activity, which has been ongoing since at least September 2022, under the name SubdoMailing. The emails range from "counterfeit package delivery alerts to outright phishing for account credentials." The Israeli security company attributed the campaign to a threat actor it calls  ResurrecAds , which is known to resuscitate dead domains of or affiliated with big brands with the end goal of manipulating the digital advertising ecosystem for nefarious gains. "'ResurrecAds' manages an extensive infrastructure encompassing a wide array of hosts, SMTP servers, IP addresses, and even private residential ISP connections, alongside many additional owned domain names," security researchers Nati Tal and Ole
Banking Trojans Target Latin America and Europe Through Google Cloud Run

Banking Trojans Target Latin America and Europe Through Google Cloud Run

Feb 26, 2024 Cyber Attack / Malware
Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as  Astaroth  (aka Guildma),  Mekotio , and  Ousaban  (aka Javali) to targets across Latin America (LATAM) and Europe. "The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s)," Cisco Talos researchers  disclosed  last week. The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns. Google Cloud Run is a  managed compute platform  that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloads without having to manage or sca
How to Use Tines's SOC Automation Capability Matrix

How to Use Tines's SOC Automation Capability Matrix

Feb 23, 2024 SOC Automation / Security Operation
Created by John Tuckner and the team at workflow and automation platform  Tines , the  SOC Automation Capability Matrix (SOC ACM)  is a set of techniques designed to help security operations teams understand their automation capabilities and respond more effectively to incidents.  A customizable, vendor-agnostic tool featuring lists of automation opportunities, it's been shared and recommended by members of the security community since its launch in January 2023, notably by Airbnb engineer Allyn Stott in his BSides and Black Hat talk,  How I Learned to Stop Worrying and Build a Modern Detection & Response Program .   The SOC ACM has been compared to the MITRE ATT&CK and RE&CT frameworks, with one user saying, "it could be a standard for classification of SOAR automations, a bit like the RE&CT framework, but with more automation focus." It's been used by organizations in Fintech, Cloud Security, and beyond, as a basis for assessing and optimizing their securi
New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam

New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam

Feb 21, 2024 Malware / Cyber Threat
Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed  VietCredCare  at least since August 2022. The malware is "notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance," Singapore-headquartered Group-IB  said  in a new report shared with The Hacker News. The end goal of the large-scale malware distribution scheme is to facilitate the takeover of corporate Facebook accounts by targeting Vietnamese individuals who manage the Facebook profiles of prominent businesses and organizations. Facebook accounts that have been successfully seized are then used by the threat actors behind the operation to post political content or to propagate phishing and affiliate scams for financial gain. VietCredCare is offered to other aspiring cybercriminals under the stealer-as
Cybersecurity for Healthcare—Diagnosing the Threat Landscape and Prescribing Solutions for Recovery

Cybersecurity for Healthcare—Diagnosing the Threat Landscape and Prescribing Solutions for Recovery

Feb 21, 2024 Endpoint Security / Healthcare
On Thanksgiving Day 2023, while many Americans were celebrating, hospitals across the U.S. were doing quite the opposite. Systems were failing. Ambulances were diverted. Care was impaired. Hospitals in three states were  hit by a ransomware attack , and in that moment, the real-world repercussions came to light—it wasn't just computer networks that were brought to a halt, but actual patient care itself.  Cybercriminals are more brazen than ever, targeting smaller healthcare organizations for big payouts. Sure, it would be nice to believe thieves once lived by a code of conduct, but if one ever existed, it's been torn to shreds and tossed into the wind. Sophisticated hacker groups are now more than happy to launch cyberattacks on medical clinics, nursing homes, and other health service providers. Small- to mid-sized healthcare organizations have, unfortunately, become vulnerable targets from which cybercriminals can easily steal sensitive data, extort heavy ransoms, and, worst of all,
Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks

Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks

Feb 21, 2024 Phishing Attack / Information Warfare
Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation. The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages. Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with  COLDRIVER , which has a history of harvesting credentials via bogus sign-in pages. The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages. The November wave tar
Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative

Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative

Feb 20, 2024 Hacktivist / Cyber Attack
Hackers backed by Iran and Hezbollah staged cyber attacks designed to undercut public support for the Israel-Hamas war after October 2023. This includes destructive attacks against key Israeli organizations, hack-and-leak operations targeting entities in Israel and the U.S., phishing campaigns designed to steal intelligence, and information operations to turn public opinion against Israel. Iran accounted for nearly 80% of all government-backed phishing activity targeting Israel in the six months leading up to the October 7 attacks, Google said in a new report. "Hack-and-leak and information operations remain a key component in these and related threat actors' efforts to telegraph intent and capability throughout the war, both to their adversaries and to other audiences that they seek to influence," the tech giant  said . But what's also notable about the Israel-Hamas conflict is that the cyber operations appear to be executed independently of the kinetic and batt
 Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor

Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor

Feb 19, 2024 Malware / Cyber Espionage
The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called  BASICSTAR  by creating a fake webinar portal. Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a wide net in their targeting, often singling out think tanks, NGOs, and journalists. "CharmingCypress often employs unusual social engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content," Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash  said . Last month, Microsoft  revealed  that high-profile individuals working on Middle Eastern affairs have been targeted by the adversary to deploy malware such as MischiefTut and MediaPl (aka EYEGLASS) that are capable of harvesting sensitive informatio
Cybersecurity Resources