#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

rapid7 | Breaking Cybersecurity News | The Hacker News

N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

Mar 24, 2024 Artificial Intelligence / Cyber Espionage
The North Korea-linked threat actor known as  Kimsuky  (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to  deploy malware  on  compromised hosts . The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past. "While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened," the company  said . The CHM file is propagated within an IS
Ivanti Vulnerability Exploited to Install 'DSLog' Backdoor on 670+ IT Infrastructures

Ivanti Vulnerability Exploited to Install 'DSLog' Backdoor on 670+ IT Infrastructures

Feb 13, 2024 Vulnerability / Cyber Threat
Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed  DSLog  on susceptible devices. That's according to  findings  from Orange Cyberdefense, which said it observed the exploitation of CVE-2024-21893 within hours of the public release of the proof-the-concept (PoC) code. CVE-2024-21893, which was  disclosed  by Ivanti late last month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources sans any authentication. The Utah-based company has since acknowledged that the flaw has limited targeted attacks, although the exact scale of the compromises is unclear. Then, last week, the Shadowserver Foundation  revealed  a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both
Webinar: Learn How to Stop Hackers from Exploiting Hidden Identity Weaknesses

Webinar: Learn How to Stop Hackers from Exploiting Hidden Identity Weaknesses

Apr 10, 2024Webinar / Identity Security
We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems? Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think. Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers exploit these weaknesses to steal login information, gain sneaky access, and move around your systems unnoticed, whether they're in the cloud or on-site. This upcoming webinar,  " Today's Top 4 Identity Security Threat Exposures: Are You Vulnerable? "  isn't just for tech experts—it's about protecting your business.  We'll use real-world examples and insights from Silverfort's latest report to show you the hidden dangers of ITEs. You'll learn about: The Top 4 Identity Threats You Might Be Overlooking:  We'll name them and explain why they're
Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

Feb 06, 2024 Cybersecurity / Vulnerability
A recently disclosed server-side request forgery ( SSRF ) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation  said  it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit  CVE-2024-21893  (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication. Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a "limited number of customers," but cautioned the status quo could change post public disclosure. That's exactly what appears to have happened, especially following the  release  of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week. The PoC involves fashioning an exploit cha
cyber security

UPCOMING WEBINAR: Implementing What's New in NIST CSF 2.0

websiteArmorPointCybersecurity / Webinar
Learn three practical steps to implement the latest version of the NIST CSF on 4/15 at 3pm ET. Register Today!
Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

Nov 07, 2023 Cyber Threat / Malware
Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7  said  it observed the exploitation of  CVE-2023-22518  and  CVE-2023-22515  in multiple customer environments, some of which have been leveraged for the deployment of  Cerber  (aka  C3RB3R ) ransomware. Both vulnerabilities are critical, allowing threat actors to create unauthorized Confluence administrator accounts and lead to a loss of confidentiality, integrity, and availability. Atlassian, on November 6,  updated its advisory  to note that it observed "several active exploits and reports of threat actors using ransomware" and that it is revising the CVSS score of the flaw from 9.1 to 10.0, indicating maximum severity. The escalation, the Australian company said, is due to the change in the scope of the attack. Attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers to
HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Nov 02, 2023 Threat Intelligence / Vulnerability
Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7  disclosed  in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve the exploitation of  CVE-2023-46604 , a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It's worth noting that the  vulnerability  carries a CVSS score of 10.0, indicating maximum severity. It has been  addressed  in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3
Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

Aug 30, 2023 Cyber Attack / Vulnerability
Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports. The Shadowserver Foundation  said  that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC) became available. The  issues , tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-based attacker to execute arbitrary code on susceptible installations. Patches for the flaw were released on August 17, 2023, a week after which watchTowr Labs published a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode. Currently, there are  more than 8,200 Junip
Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites

Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites

Jul 18, 2023 Server Security / Vulnerability
Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as  CVE-2023-28121  (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover. "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall  said  in a Monday post. Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions o
Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability

Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability

May 13, 2022
Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution. "A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company  said  in an advisory published Thursday. Cybersecurity firm Rapid7, which  discovered  and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the "nobody" user on impacted appliances. Tracked as  CVE-2022-30525  (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30 - USG FLEX 100(W), 200, 500, 700 USG FLEX 50(W) / USG20(W)-VPN ATP series, and  VPN series Rapid 7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a
Rapid7 Source Code Breached in Codecov Supply-Chain Attack

Rapid7 Source Code Breached in Codecov Supply-Chain Attack

May 14, 2021
Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm  said  in a disclosure. "These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers." On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident didn't come to light until April 1. "The actor gained access bec
Metasploit website Hacked just by sending a spoofed DNS change request via Fax to Domain Registrar

Metasploit website Hacked just by sending a spoofed DNS change request via Fax to Domain Registrar

Oct 11, 2013
A group of Pro-Palestine hackers ' KDMS Team ' today has been able to hijack the Metasploit website simply by sending a fax and hijacked their DNS records. Rapid7 is a leading Security Company and Creator of world's best penetration testing software called ' Metasploit '. The company confirmed via Twitter that Metasploit.com was hacked via a spoofed DNS change request sent via fax to its registrar, Register.com . The group came to prominence earlier this week when it managed to hijack the websites of popular messaging service WhatsApp and anti-virus company AVG among others. On the website, the hacker posted " Hello Metasploit.  After Whatsapp , Avira, Alexa , AVG and other sites. We were thinking about quitting hacking and disappear again! But we said: there is some sites must be hacked. You are one of our targets. Therefore we are here. And there is another thing do you know Palestine? " Rapid7 official statement regarding the in
Cybersecurity Resources