The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Earlier this month, Oracle patched a highly critical Java deserialization remote code execution vulnerability in its WebLogic Server component of Fusion Middleware that could allow attackers to easily gain complete control of a vulnerable server. However, a security researcher, who operates through the Twitter handle @pyn3rd and claims to be part of the Alibaba security team, has now found a way using which attackers can bypass the security patch and exploit the WebLogic vulnerability once again. WebLogic Server acts as a middle layer between the front end user interface and the backend database of a multi-tier enterprise application. It provides a complete set of services for all components and handles details of the application behavior automatically. Initially discovered in November last year by Liao Xinxi of NSFOCUS security team, the Oracle WebLogic Server flaw (CVE-2018-2628) can be exploited with network access over TCP port 7001. If exploited successfully, the fl

"Alexa, are you spying on me?" — aaaa.....mmmm.....hmmm.....maybe!!! Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device. Amazon Echo is an always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions. However, the device doesn't remain activated all the time; instead, it sleeps until the user says, "Alexa," and by default, it ends a session after some duration. Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap. However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces device to indefin

Only a few hours after the Drupal team releases latest updates to fix a new remote code execution flaw in its content management system software, hackers have already started exploiting the vulnerability in the wild. Announced yesterday, the newly discovered vulnerability ( CVE-2018-7602 ) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly same what previously discovered Drupalgeddon2 (CVE-2018-7600) flaw allowed—complete take over of affected websites. Although Drupal team has not released any technical details of the vulnerability to prevent immediate exploitation, two individual hackers have revealed some details, along with a proof-of-concept exploit just a few hours after the patch release. If you have been actively reading every latest story on The Hacker News, you must be aware of how the release of Drupalgeddon2 PoC exploit derived much attention, which eventually allowed attackers actively hijack websites and spread cryptocurrency miners , b

Early in 2024, Wing Security released its State of SaaS Security report , offering surprising insights into emerging threats and best practices in the SaaS domain. Now, halfway through the year, several SaaS threat predictions from the report have already proven accurate. Fortunately, SaaS Security Posture Management (SSPM) solutions have prioritized mitigation capabilities to address many of these issues, ensuring security teams have the necessary tools to face these challenges head-on. In this article, we will revisit our predictions from earlier in the year, showcase real-world examples of these threats in action, and offer practical tips and best practices to help you prevent such incidents in the future. It's also worth noting the overall trend of an increasing frequency of breaches in today's dynamic SaaS landscape, leading organizations to demand timely threat alerts as a vital capability. Industry regulations with upcoming compliance deadlines are demanding similar time-sens

If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider. A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers. The vulnerability has been discovered in Vision by VingCard locking system—made by the world's largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors. After thousands of hours work, F-Secure researchers Tomi Tuominen and Timo Hirvonen managed to build a master key that could be used to unlock doors and gain entry to any of the hotel rooms using the Vision by VingCard digital lock technology, without leaving a trace on the system. How Hackers Built

Damn! You have to update your Drupal websites. Yes, of course once again—literally it's the third time in last 30 days. As notified in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core. Drupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attacks since after the disclosure of a highly critical remote code execution vulnerability. The new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed Drupalgeddon2 (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update. According to a new advisory released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely. How to Pa

In a major hit against international cybercriminals, the Dutch police have taken down the world's biggest DDoS-for-hire service that helped cyber criminals launch over 4 million attacks and arrested its administrators. An operation led by the UK's National Crime Agency (NCA) and the Dutch Police, dubbed " Power Off, " with the support of Europol and a dozen other law enforcement agencies, resulted in the arrest of 6 members of the group behind the " webstresser.org " website in Scotland, Croatia, Canada and Serbia on Tuesday. With over 136,000 registered users, Webstresser website lets its customers rent the service for about £10 to launch Distributed Denial of Service (DDoS) attacks against their targets with little or no technical knowledge. "With webstresser.org, any registered user could pay a nominal fee using online payment systems or cryptocurrencies to rent out the use of stressers and booters," Europol said. The service was also

Google has finally been rolling out its new massively redesigned Gmail  for desktop and mobile to 1.4 billion of users worldwide, which might be the most significant single upgrade in Gmail's history. This huge revamped version of the email service now offers plenty of new features such as confidential mode, offline support, email snoozing and more, to make Gmail more smarter, secure, and easier to use. In this article, I have listed details of the most significant changes that you need to know and how to use them. Give it a quick read. New 'Confidential Mode' Features For Security & Privacy Are you afraid of sending sensitive documents in an email due to fear of hacking or being forwarded? Well, now you can simply click the lock icon at the bottom of an email to enable the new Confidential Mode, which lets you add a bunch of extra layers of security (as mentioned below) to the emails of your choice. 1) Self-Destructing Emails:  This feature lets you se

Two separate teams of security researchers have published working proof-of-concept exploits for an unpatchable vulnerability in Nvidia's Tegra line of embedded processors that comes on all currently available Nintendo Switch consoles. Dubbed Fusée Gelée and ShofEL2 , the exploits lead to a coldboot execution hack that can be leveraged by device owners to install Linux, run unofficial games, custom firmware, and other unsigned code on Nintendo Switch consoles, which is typically not possible. Both exploits take advantage of a buffer overflow vulnerability in the USB software stack of read-only boot instruction ROM (IROM/bootROM), allowing unauthenticated arbitrary code execution on the game console before any lock-out operations (that protect the chip's bootROM) take effect. The buffer overflow vulnerability occurs when a device owner sends an "excessive length" argument to an incorrectly coded USB control procedure, which overflows a crucial direct memory a

Dr. Mordechai Guri, the head of R&D team at Israel's Ben Gurion University, who previously demonstrated various methods to steal data from an air-gapped computer, has now published new research named " BeatCoin ." BeatCoin is not a new hacking technique; instead, it's an experiment wherein the researcher demonstrates how all previously discovered out-of-band communication methods can be used to steal private keys for a cryptocurrency wallet installed on cold storage, preferably an air-gapped computer or Raspberry Pi. For those unaware, keeping your cryptocurrency protected in a wallet on a device which is entirely offline is called cold storage. Since online digital wallets carry different security risks, some people prefer keeping their private keys offline. Air-gapped computers are those that are isolated from the Internet, local networks, Bluetooth and therefore, are believed to be the most secure devices and are difficult to infiltrate or exfiltrate.

Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage. Dubbed " Orangeworm ," the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms. According to a new report  published by Symantec on Monday, the Orangeworm hacking group has been active since early 2015 and targeting systems of major international corporations based in the United States, Europe, and Asia with a primary focus on the healthcare sector. "We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare," Symantec said. After getting into the victim's network, atta

Not just Facebook , a new vulnerability discovered in Linkedin's popular AutoFill functionality found leaking its users' sensitive information to third party websites without the user even knowing about it. LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click. In general, the AutoFill button only works on specifically "whitelisted websites," but 18-year-old security researcher Jack Cable of Lightning Security said it is not just the case. Cable discovered that the feature was plagued with a simple yet important security vulnerability that potentially enabled any website (scrapers) secretly harvest user profile data and the user would not even realize of the event. A legitimate website would likely place a AutoFill button near the fields the button can fill, but accordin

The British teenager who managed to hack into the online accounts of several high-profile US government employees sentenced to two years in prison on Friday. Kane Gamble , now 18, hacked into email accounts of former CIA director  John Brennan , former Director of National Intelligence James Clapper , former FBI Deputy Director Mark Giuliano , and other senior FBI officials—all from his parent's home in Leicestershire. Gamble, who went by the online alias Cracka, was just 15 at the time of carrying out those attacks and was the alleged founder of a hacking group calling themselves Crackas With Attitude (CWA). The notorious pro-Palestinian hacking group carried out a series of embarrassing attacks against U.S. intelligence officials and leaked personal details of 20,000 FBI agents , 9,000 officers from Department of Homeland Security, and some number of DoJ staffers in 2015. The teenager was arrested in February 2016 at his home in Coalville and pleaded guilty to 8 charg

If you have installed any of the below-mentioned Ad blocker extension in your Chrome browser, you could have been hacked. A security researcher has spotted five malicious ad blockers extension in the Google Chrome Store that had already been installed by at least 20 million users. Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow its creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details. Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers. Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them. "All the extensions I've highlighted are simple rip-offs with a few lines of co

How to become a Professional Hacker? This is one of the most frequently asked queries we came across on a daily basis. Do you also want to learn real-world hacking techniques but don't know where to start? This week's THN deal is for you. Today THN Deal Store has announced a new Super-Sized Ethical Hacking Bundle that let you get started your career in hacking and penetration testing regardless of your experience level. The goal of this online training course is to help you master an ethical hacking and penetration testing methodology. This 76 hours of the Super-Sized Ethical Hacking Bundle usually cost $1,080, but you can exclusively get this 9-in-1 online training course for just $43 (after 96% discount) at the THN Deals Store. 96% OFF — Register For This Course 9-in-1 Online Hacking Courses: What's Included in this Package? The Super-Sized Ethical Hacking Bundle will provide you access to the following nine online courses that would help you secure you

A new job opening post on Facebook suggests that the social network is forming a team to build its own hardware chips, joining other tech titans like Google, Apple, and Amazon in becoming more self-reliant. According to the post , Facebook is looking for an expert in ASIC and FPGA—two custom silicon designs to help it evaluate, develop and drive next-generation technologies within Facebook—particularly in artificial intelligence and machine learning. The social media company is seeking to hire an expert who can "an end-to-end SoC/ASIC, firmware and driver development organization, including all aspects of front-end and back-end standard cell ASIC development," reads the job listing on Facebook's corporate website. SoC (system-on-a-chip) is a processor typically used in mobile devices with all the components required to power a device, while ASIC (application-specific integrated circuit) is a customized piece of silicon designed for a narrow purpose that companie

Be careful while plugging your iPhone into a friend's laptop for a quick charge or sharing selected files. Researchers at Symantec have issued a security warning for iPhone and iPad users about a new attack, which they named " TrustJacking ," that could allow someone you trust to remotely take persistent control of, and extract data from your Apple device. Apple provides an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones to a computer wirelessly. To enable this feature, users have to grant one-time permission to a trusted computer (with iTunes) over a USB cable. Once enabled, the feature allows the computer owner to secretly spy on your iPhone over the Wi-Fi network without requiring any authentication, even when your phone is no longer physically connected to that computer. "Reading the text, the user is led to believe that this is only relevant while the device is physically connected to the computer, so assumes that disconnecti