website security | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers today disclosed details of two newly identified Magecart attacks targeting online shoppers of bedding retailers MyPillow and Amerisleep . Magecart is an umbrella term researchers gave to at least 11 different hacking groups that are specialized in implanting malware code on e-commerce websites with an intent to steal payment card details of their customers silently. Magecart made headlines last year after attackers conducted several high-profile cyber attacks against major international companies including British Airways , Ticketmaster , and Newegg . Magecart hackers use a digital payment card skimmer, a few lines of malicious Javascript code they insert into the checkout page of hacked websites and designed to captured payment information of customers in real time and then send it to a remote attacker-controlled server. Earlier this year, Magecart attackers also compromised nearly 277 e-commerce websites in a supply-chain attack by inserting its

If for some reason your WordPress-based website has not yet been automatically updated to the latest version 5.1.1, it's highly recommended to immediately upgrade it before hackers could take advantage of a newly disclosed vulnerability to hack your website. Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks. The flaw stems from a cross-site request forgery (CSRF) issue in the Wordpress' comment section, one of its core components that comes enabled by default and affects all WordPress installations prior to version 5.1.1. Unlike most of the previous attacks documented against WordPress, this new exploit allows even an "unauthenticated, remote attacker" to compromise and gain remote code execution on the vulnerable WordPress websites. "

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

One of the most important software companies NGINX , which is also behind the very popular open-source web server of the same name, is being acquired by its rival, F5 Networks , in a deal valued at about $670 million. While NGINX is not a name that you have ever heard of, the reality is that you use NGINX every day when you post a photo, watch streaming video, purchase goods online, or log into your applications at work. NGINX powers over half of the busiest websites in the world. Majority of sites on the Internet today, including The Hacker News, and hundreds of thousands apps, like Instagram, Pinterest, Netflix, and Airbnb are hosted on web servers running NGINX. NGINX web server is the third most widely used servers in the world—behind only Microsoft and Apache, and ahead of Google. In short, the internet as we know it today would not exist without NGINX. F5 Acquires NGINX to Bridge NetOps and DevOps F5 Networks is the industry leader in cloud and security application

Cybercriminals have actively started exploiting an already patched security vulnerability in the wild to install cryptocurrency miners on vulnerable Drupal websites that have not yet applied patches and are still vulnerable. Last week, developers of the popular open-source content management system Drupal patched a critical remote code execution (RCE) vulnerability (CVE-2019-6340) in Drupal Core that could allow attackers to hack affected websites. Despite releasing no technical details of the security vulnerability, the proof-of-concept (PoC) exploit code for the vulnerability was made publicly available on the Internet just two days after the Drupal security team rolled out the patched version of its software. Now, security researchers at data center security vendor Imperva discovered a series of attacks—that began just a day after the exploit code went public—against its customers' websites using an exploit that leverages the CVE-2019-6340 security flaw. The attacks or

The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking , which security researchers with "moderate confidence" believe originated from Iran. Domain Name System (DNS) is a key function of the Internet that works as an Internet's directory where your device looks up for the server IP addresses after you enter a human-readable web address (e.g., thehackernews.com). What is DNS Hijacking Attack? DNS hijacking involves changing DNS settings of a domain, redirecting victims to an entirely different attacker-controlled server with a fake version of the websites they are trying to visit, often with an objective to steal users' data. "The attacker alter

Starting today with the release of Chrome 68, Google Chrome prominently marks all non-HTTPS websites as 'Not Secure' in its years-long effort to make the web a more secure place for Internet users. So if you are still running an insecure HTTP (Hypertext Transfer Protocol) website, many of your visitors might already be greeted with a 'Not Secure' message on their Google Chrome browser warning them that they can't trust your website to be secure. By displaying ' Not Secure ,' Google Chrome means that your connection is not secure because there is no SSL Certificate to encrypt your connection between your computer and the website's server. So, anything sent over a non-HTTPS connection is in plain text, like your password or payment card information, allowing attackers to snoop or tamper with your data. The non-https connection has been considered dangerous particularly for web pages that transfer sensitive information—like login pages and payment

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke. Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger. Coinhive is a popular browser-based service that offers website owners to embed a JavaScript to utilise CPUs power of their website visitors in an effort to mine the Monero cryptocurrency. Sucuri researchers said the threat actors behind this new campaign is the same one who infected more than 5,400 Wordpress websites last month since both campaigns used keylogger/cryptocurrency malware called cloudflare[.]solutions. Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network

Buying popular plugins with a large user-base and using it for effortless malicious campaigns have become a new trend for bad actors. One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor. In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store. While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication. The plugin was configured to automatically pull an updated "backdoored" version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installati

It's been close to five years since we last looked at Incapsula , a security-focused CDN service known for its DDoS mitigation and web application security features. As one would expect, during these five years the company has expanded and improved, introducing lots of new features and even several new products. Most recently, Incapsula underwent an extensive network expansion that includes new PoPs in Asia including two new data centers in New Delhi and Mumbai. This seems like an excellent opportunity to revisit the service and see how it has evolved. Acquisition, Award and Growth Before we jump into Incapsula's service upgrades, we want to mention the changes in the company itself briefly. The most notable of those is Incapsula's 2014 acquisition by Imperva—an authority in web application security and a four-time Gartner Magic Quadrant leader for web application firewalls. The acquisition boosted Incapsula's security capabilities, resulting in its own cloud

Nothing in this world is fully secure, from our borders to cyberspace. I know vulnerabilities are bad, but the worst part comes in when people just don't care to apply patches on time. Late last year, Cisco's Talos intelligence and research group discovered three critical remote code execution (RCE) vulnerabilities in Memcached that exposed major websites including Facebook, Twitter, YouTube, Reddit, to hackers. Memcached is a popular open-source and easily deployable distributed caching system that allows objects to be stored in memory. The Memcached application has been designed to speed up dynamic web applications ( for example php-based websites) by reducing stress on the database that helps administrators to increase performance and scale web applications. It's been almost eight months since the Memcached developers have released patches for three critical RCE vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706) but tens of thousands of servers

In an effort to expand its certificate authority capabilities and build the "foundation of a more secure web," Google has finally launched its root certificate authority. In past few years, we have seen Google taking many steps to show its strong support for sites using HTTPS, like: Giving more preference to HTTPS websites in its search rankings than others. Warning users that all HTTP pages are not secure. Starting an industry-wide initiative, Certificate Transparency − an open framework to log, audit, and monitor certificates that CAs have issued. However, Google has been relying on an intermediate Certificate Authority (Google Internet Authority G2 - GIAG2) issued by a third party, with the latest suppliers being GlobalSign and GeoTrust, which manages and deploys certificates to Google's products and services. Google announced Thursday the creation of its own certified, and independent Root Certificate Authority called Google Trust Services , allowing

A critical vulnerability has been discovered in PHPMailer , which is one of the most popular open source PHP libraries to send emails used by more than 9 Million users worldwide. Millions of PHP websites and popular open source web applications, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla comes with PHPMailer library for sending emails using a variety of methods, including SMTP to their users. Discovered by Polish security researcher Dawid Golunski of Legal Hackers , the critical vulnerability ( CVE-2016-10033 ) allows an attacker to remotely execute arbitrary code in the context of the web server and compromise the target web application. "To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class," Golunski writes in the advisory published today. Golunski respo

As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software. The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites. The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can lead to DoS attack by corrupting larger payloads, resulting in a crash of OpenSSL. The severity of the flaw is rated "High" and does not affect OpenSSL versions prior to 1.1.0. However, the OpenSSL team reports there is no evidence that the flaw is exploitable beyond a DoS attack. The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash. "Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0

A Chinese certificate authority (CA) appeared to be making a significant security blunder by handing out duplicate SSL certificates for a base domain if someone just has control over its any subdomain. The certificate authority, named WoSign , issued a base certificate for the Github domains to an unnamed GitHub user. But How? First of all, do you know, the traditional Digital Certificate Management System is the weakest link on the Internet today and has already been broken? Billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe to ensure the confidentiality and integrity of their personal data. But, these CAs have powers to issue valid SSL cert for any domain you own, despite the fact you already have one purchased from another CA. ...and that's the biggest loophole in the CA system. In the latest case as well, WoSign issued a duplicate SSL certificate for GitHub domains without verifying ownership of the base domain.

If you think that the HTTP/2 protocol is more secure than the standard HTTP ( Hypertext Transfer Protocol ), then you might be wrong, as it took researchers just four months to discover four flaws in the HTTP/2 protocol. HTTP/2 was launched properly just in May last year after Google bundled its SPDY project into HTTP/2 in February in an effort to speed up the loading of web pages as well as the browsing experience of the online users. Now, security researchers from data center security vendor Imperva today at Black Hat conference revealed details on at least four high-profile vulnerabilities in HTTP/2 – a major revision of the HTTP network protocol that the today's web is based on. The vulnerabilities allow attackers to slow web servers by flooding them with innocent looking messages that carry a payload of gigabytes of data, putting the servers into infinite loops and even causing them to crash. The HTTP/2 protocol can be divided into three layers: The transmissio

The extraordinary ' Panama Papers leak ' from Law firm Mossack Fonseca that exposed the tax-avoiding efforts by the world's richest and most influential members was initially believed to be the result of an unpatched vulnerability in the popular content management systems: Drupal and WordPress. Now, we are quite sure that the Panama Papers, which implicated 72 current and former heads of state, was due to vulnerabilities in Drupal and WordPress that allowed hackers to get into the law firm's system and stole over 11.5 Million files (around 2.6 Terabytes of data). The Drupal Security Team has announced that critical patches to address several security issues in Drupal contributed modules, including several highly critical Remote Code Execution (RCE) vulnerabilities, will be released today at 16:00 UTC. According to an advisory, the critical arbitrary remote PHP code execution vulnerability ( PSA-2016-001 ) affects up to 10000 Drupal websites. However, "Drupal c

With the growing number of cyber attacks and data breaches, a significant number of companies and organizations have started Bug Bounty Programs to encourage hackers and security researchers to find and responsibly report bugs in their services and get a reward. Now, even pornography sites are starting to embrace bug bounty practices in order to safeguard its user's security. The world's most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website. Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find. Also Read: 10-year-old Boy becomes the youngest Bug Bounty Hacker . HackeOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even th

OpenSSL has released a series of patches against six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server as well as decrypt HTTPS traffic . OpenSSL is an open-source cryptographic library that is the most widely being used by a significant portion of the Internet services; to cryptographically protect their sensitive Web and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. One of the high-severity flaws, CVE-2016-2107 , allows a man-in-the-middle attacker to initiate a " Padding Oracle Attack " that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI. A Padding Oracle flaw weakens the encryption protection by allowing attackers to repeatedly request plaintext data about an encrypted payload content. The Padding Oracle flaw ( exploit code ) was discovered by Juraj Somorovsky using his own developed tool c