#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

web security | Breaking Cybersecurity News | The Hacker News

Category — web security
Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation

Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation

Jan 17, 2025 Web Security / Botnet
Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia. "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps," Imperva researcher Daniel Johnston said in an analysis. "These attacks appear tied to the proliferation of gambling-related sites, potentially as a response to the heightened government scrutiny ." The Thales-owned company said it has detected millions of requests originating from a Python client that includes a command to install GSocket (aka Global Socket), an open-source tool that can be used to establish a communication channel between two machines regardless of the network perimeter. It's worth noting that GSocket has been put to use in many a cryptojacking operation in recent months, not to mention even exploiting the access provi...
WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables

WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables

Jan 13, 2025 Payment Security / Web Security
Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS). "This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment details," Sucuri researcher Puja Srivastava said in a new analysis. "The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form." The GoDaddy-owned website security company said it discovered the malware embedded into the WordPress wp_options table with the option "widget_block," thus allowing it to avoid detection by scanning tools and persist on compromised sites without attracting attention. In doing so, the idea is to insert the malicious JavaScript into an HTML block widget thr...
Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Jan 09, 2025AI Security / SaaS Security
As SaaS providers race to integrate AI into their product offerings to stay competitive and relevant, a new challenge has emerged in the world of AI: shadow AI.  Shadow AI refers to the unauthorized use of AI tools and copilots at organizations. For example, a developer using ChatGPT to assist with writing code, a salesperson downloading an AI-powered meeting transcription tool, or a customer support person using Agentic AI to automate tasks – without going through the proper channels. When these tools are used without IT or the Security team's knowledge, they often lack sufficient security controls, putting company data at risk. Shadow AI Detection Challenges Because shadow AI tools often embed themselves in approved business applications via AI assistants, copilots, and agents they are even more tricky to discover than traditional shadow IT. While traditional shadow apps can be identified through network monitoring methodologies that scan for unauthorized connections based on...
New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

Jan 01, 2025 Web Security / Vulnerability
Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites. The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo. "Instead of relying on a single click, it takes advantage of a double-click sequence," Yibelo said . "While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header or a SameSite: Lax/Strict cookie." Clickjacking , also called UI redressing, refers to an attack technique in which users are tricked into clicking on a seemingly innocuous web page element (e.g., a button), leading to the deployment of malware or exfiltration of sensitive data. DoubleClickjacking is a variation of this theme that exploits the gap between the start of a click and the...
cyber security

Secure Your Azure: Proactive Tips for Cloud Protection

websiteWizCloud Security
Discover how to boost your Azure cloud security with practical steps to help you maintain control and visibility.
Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

Dec 03, 2024 Vulnerability / Network Security
Cisco on Monday updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA). The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA's WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a targeted user of the appliance. "An attacker could exploit this vulnerability by convincing a user to access a malicious link," Cisco noted in an alert released in March 2014. As of December 2, 2024, the networking equipment major has revised its bulletin to note that it has become aware of "additional attempted exploitation" of the vulnerability in the wild. The development comes shortly after cybersecurity firm CloudSEK revealed that the threat actors behind AndroxGh0st are leveraging an extensive list of security vulnerabilities in various internet-faci...
Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

Oct 30, 2024 Browser Security / Vulnerability
A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs. The attack, codenamed CrossBarking , could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and account hijacking, Guardio Labs said. To demonstrate the issue, the company said it managed to publish a seemingly harmless browser extension to the Chrome Web Store that could then exploit the flaw when installed on Opera, making it an instance of a cross-browser-store attack. "This case study not only highlights the perennial clash between productivity and security but also provides a fascinating glimpse into the tactics used by modern threat actors operating just below the radar," Nati Tal, head of Guardio Labs, said in a report shared with The Hacker News. The issue has been addressed by Opera as of September 24, 2024, following responsible disclosure. That said, this is not th...
New Case Study: The Evil Twin Checkout Page

New Case Study: The Evil Twin Checkout Page

Oct 08, 2024 Web Security / Payment Fraud
Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. Read the full real-life case study here . The Invisible Threat in Online Shopping When is a checkout page, not a checkout page? When it's an "evil twin"! Malicious redirects can send unsuspecting shoppers to these perfect-looking fake checkout pages and steal their payment information, so could your store be at risk too? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. (You can read the full case study here ) Anatomy of an Evil Twin Attack In today's fast-paced world of online shopping, convenience often trumps caution. Shoppers quickly move through product selection to checkout, rarely scrutinizing the process. This lack of attention creates an opportunity for cybercriminals to exploit. The Deceptive Redirect The ...
Master Your PCI DSS v4 Compliance with Innovative Smart Approvals

Master Your PCI DSS v4 Compliance with Innovative Smart Approvals

Sep 16, 2024 Payment Security / Data Protection
The PCI DSS landscape is evolving rapidly. With the Q1 2025 deadline looming ever larger, businesses are scrambling to meet the stringent new requirements of PCI DSS v4.0. Two sections in particular, 6.4.3 and 11.6.1, are troublesome as they demand that organizations rigorously monitor and manage payment page scripts and use a robust change detection mechanism. With the deadline fast approaching and the consequences of non-compliance so severe, there is no room for complacency, so, in this article, we look at the best way to meet these complex coding requirements. PCI DSS v4: Understanding Requirements 6.4.3 and 11.6.1 These changes to PCI DSS in v4.0 acknowledge the urgent need to tighten client-side security in the face of pervasive supply-chain threats. They call for beefed-up payment page security to keep customers' sensitive payment details safe from malicious script injection attacks: 6.4.3: To meet this requirement your organization needs to monitor and manage all payment ...
DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe

DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe

Sep 11, 2024 Network Security / Cyber Espionage
A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation. The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China. "DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities," security researcher Joey Chen said . The attacks have led to compromises of 35 Internet Information Services ( IIS ) servers with the end goal of deploying the BadIIS malware, which was first documented by ESET in August 2021. It's specifically designed to facilitate proxy ware and SEO fraud by turning the compromised IIS server into a relay point for mal...
DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

Jul 31, 2024 Web Security / Compliance
Certificate authority (CA) DigiCert has warned that it will be revoking a subset of SSL/TLS certificates within 24 hours due to an oversight with how it verified if a digital certificate is issued to the rightful owner of a domain. The company said it will be taking the step of revoking certificates that do not have proper Domain Control Validation ( DCV ). "Before issuing a certificate to a customer, DigiCert validates the customer's control or ownership over the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum ( CABF )," it said . One of the ways this is done hinges on the customer setting up a DNS CNAME record containing a random value provided to them by DigiCert, which then performs a DNS lookup for the domain in question to make sure that the random values are the same. The random value, per DigiCert, is prefixed with an underscore character so as to prevent a possible collision with an actu...
New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities

New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities

Jun 28, 2024 Network Security / Data Protection
A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study released this week. "This bottleneck influences the latency of network packets, allowing an attacker to infer the current network activity on someone else's Internet connection. An attacker can use this information to infer websites a user visits or videos a user watches." A defining characteristic of the approach is that it obviates the need for carrying out an adversary-in-the-middle (AitM) attack or being in physical proximity to the Wi-Fi connection to sniff network traffic. Specifically, it entails tricking a target into loading a harmless asset (e.g., a file, an image, or an ad) from a threat actor-controlled server, which then exploits the victim's ...
Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Jun 26, 2024 Supply Chain Attack / Web Security
Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites. "Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries," the company said in a statement shared with The Hacker News. "To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue." More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report. Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull. The original creator of the pr...
New Cyberthreat 'Boolka' Deploying BMANAGER Trojan via SQLi Attacks

New Cyberthreat 'Boolka' Deploying BMANAGER Trojan via SQLi Attacks

Jun 25, 2024 Data Theft / Web Security
A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER . "The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022," Group-IB researchers Rustam Mirkasymov and Martijn van den Berk said in a report published last week. "Over the last three years, the threat actors have been infecting vulnerable websites with malicious JavaScript scripts capable of intercepting any data entered on an infected website." Boolka gets its name from the JavaScript code inserted into the website that beacons out to a command-and-control server named "boolka[.]tk" every time an unsuspecting visitor lands on the infected site. The JavaScript is also designed to collect and exfiltrate user inputs and interactions in a Base64-encoded format, indicating the use of the malware...
Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Jun 25, 2024 WordPress / Web Security
Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions. "The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server," Wordfence security researcher Chloe Chamberland said in a Monday alert. "In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website." The admin accounts have the usernames "Options" and "PluginAuth," with the account information exfiltrated to the IP address 94.156.79[.]8. It's currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024. The plugins in question are no longer available for downlo...
New Case Study: Unmanaged GTM Tags Become a Security Nightmare

New Case Study: Unmanaged GTM Tags Become a Security Nightmare

Jun 19, 2024 GDPR Compliance / Data Privacy
Are your tags really safe with Google Tag Manager? If you've been thinking that using GTM means that your tracking tags and pixels are safely managed , then it might be time to think again. In this article we look at how a big-ticket seller that does business on every continent came unstuck when it forgot that you can't afford to allow tags to go unmanaged or become misconfigured.  Read the full case study here . Google Tag Manager saves website owners time and money. Its visual interface lets them attach tracking tags to their sites and then modify them as needed without the need to call a developer every time. Such tags gather the marketing and analytics data that power growth, and GTM makes them easier to manage, but with strict rules around data privacy to consider, you can't trust it completely; it needs active oversight. The ticket seller A case in point that we recently became aware of involves a global company that sells tickets to live events. With global operations i...
Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

May 08, 2024 Web Security / Vulnerability
A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The  findings  come from WPScan, which said that the vulnerability ( CVE-2023-40000 , CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user and wp‑configuser. CVE-2023-40000, which was  disclosed  by Patchstack in February 2024, is a stored cross-site scripting (XSS) vulnerability that could permit an unauthenticated user to elevate privileges by means of specially crafted HTTP requests. The flaw was addressed in October 2023 in version 5.7.0.1. It's worth noting that the latest version of the plugin is 6.2.0.1, which was  released  on April 25, 2024. LiteSpeed Cache has over 5 million active installations, with statistics showing that versions other than 5.7, 6.0, 6.1, and 6....
Expert Insights / Articles Videos
Cybersecurity Resources