The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The maintainers of the RubyGems package manager have addressed a critical security flaw that could have been abused to remove gems and replace them with rogue versions under specific circumstances. "Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so," RubyGems  said  in a security advisory published on May 6, 2022. RubyGems, like npm for JavaScript and pip for Python, is a  package manager  and a gem hosting service for the Ruby programming language, offering a repository of more than 171,500 libraries. In a nutshell, the flaw in question, tracked as CVE-2022-29176, enabled anyone to pull certain gems and upload different files with the same name, same version number, and different platforms. For this to happen, however, a gem needed to have one or more dashes in its name, where the word before the dash was the name of an attacker-controlled gem, and which w...

Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that's offered on sale for "dirt cheap" prices, making it accessible to professional cybercriminal groups and novice actors alike. "Unlike the well-funded, massive Russian threat groups crafting custom malware [...], this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget," BlackBerry researchers said in a report shared with The Hacker News. "In fact, this threat actor's commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums." Written in .NET by an individual codenamed "boldenis44" and "crystalcoder," DCRat is a full-featured backdoor whose functionalities can be further augmented by third-party plugins developed by affiliates using a dedicated integrated ...

Unless you are living completely off the grid, you know the horrifying war in Ukraine and the related geopolitical tensions have dramatically increased cyberattacks and the threat of even more to come. The Cybersecurity and Infrastructure Security Agency (CISA) provides guidance to US federal agencies in their fight against cybercrime, and the agency's advice has proven so valuable that it's been widely adopted by commercial organizations too. In February, CISA responded to the current situation by issuing an unusual " SHIELDS UP! " warning and advisory. According to CISA, "Every organization—large and small—must be prepared to respond to disruptive cyber incidents." The announcement from CISA consisted of a range of recommendations to help organizations and individuals reduce the likelihood of a successful attack and limit damage in case the worst happens. It also contains general advice for C-level leaders, as well as a tip sheet on how to respond to r...

A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices. Joker, a  repeat   offender , refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists, and device information. Despite continued attempts on the part of Google to scale up its defenses, the apps have been continually iterated to search for gaps and slip into the app store undetected. "They're usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name," Kaspersky researcher Igor Golovin  said  in a report published last week. The trojanized apps, taking the place of their removed counterparts, often appear as messaging, health tracking, and PDF scanner apps that, once...

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems. The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-laced Microsoft Excel file, opening which leads to computers getting infected with Jester Stealer. The attack, which requires potential victims to enable macros after opening the document, works by downloading and executing an .EXE file that is retrieved from compromised web resources, CERT-UA detailed. Jester Stealer, as documented by Cyble in February 2022, comes with features to steal and transmit login credentials, cookies, and credit card information along with data from passwords managers, chat messengers, email clients, crypto wallets, and gaming apps to the attackers. It's purchasable for $99 per month or $249 for lifetime access. "The hackers get the stolen data via Telegram usi...

The U.S. State Department has  announced  rewards of up to $10 million for any information leading to the identification of key individuals who are part of the infamous Conti cybercrime gang. Additionally, it's offering another $5 million for intelligence information that could help arrest or convict individuals who are conspiring or attempting to affiliate with the group in a ransomware attack. The department called the Conti variant the "costliest strain of ransomware ever documented." Conti , the work of a Russia-based transnational organized crime group dubbed Gold Ulrick, is one most prolific ransomware cartels that has continued to strike entities globally while simultaneously  expanding its empire  by absorbing TrickBot and running side hustles that involve data extortion. After the syndicate expressed public support for Russia's invasion of Ukraine in February, it  suffered a major breach  of its own after its source code and internal chats we...

Days after F5 released patches for a critical remote code execution vulnerability affecting its BIG-IP family of products, security researchers are warning that they were able to create an exploit for the shortcoming. Tracked  CVE-2022-1388  (CVSS score: 9.8), the flaw relates to an iControl REST authentication bypass that, if successfully exploited, could lead to remote code execution, allowing an attacker to gain initial access and take control of an affected system. This could range anywhere from deploying cryptocurrency miners to dropping web shells for follow-on attacks, such as information theft and ransomware. "We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP," cybersecurity company Positive Technologies  said  in a tweet on Friday. "Patch ASAP!" The critical security vulnerability impacts the following versions of BIG-IP products - 16.1.0 - 16.1.2 15.1.0 - 15.1.5 14.1.0 - 14.1.4 13.1.0 - 13.1.4 12.1.0 - 12.1.6 11.6.1 - 11.6.5 Fixe...

The U.S. Treasury Department on Friday moved to sanction virtual currency mixer Blender.io, marking the first time a mixing service has been subjected to economic blockades. The move signals continued efforts on the part of the government to prevent North Korea's Lazarus Group from laundering the funds stolen from the  unprecedented hack of Ronin Bridge  in late March. The newly imposed sanctions, issued by the U.S. Office of Foreign Assets Control (OFAC), target 45 Bitcoin addresses linked to Blender.io and four new wallets linked to Lazarus Group, an advanced persistent with ties to the Democratic People's Republic of Korea (DPRK). "Blender was used in processing over $20.5 million of the illicit proceeds," the Treasury  said , adding it was utilized by DPRK to "support its malicious cyber activities and money-laundering of stolen virtual currency." Cryptocurrency mixers, also called  tumblers , are privacy-focused services that allow users to move cr...

A new malicious campaign has been spotted taking advantage of Windows event logs to stash chunks of shellcode for the first time in the wild. "It allows the 'fileless' last stage trojan to be hidden from plain sight in the file system," Kaspersky researcher Denis Legezo  said  in a technical write-up published this week. The stealthy infection process, not attributed to a known actor, is believed to have commenced in September 2021 when the intended targets were lured into downloading compressed .RAR files containing Cobalt Strike and  Silent Break . "The spreading of the Cobalt Strike module was achieved by persuading the target to download the link to the .RAR on the legitimate site file.io, and run it themselves," Legezo explained. The adversary simulation software modules are then used as a launchpad to inject code into Windows system processes or trusted applications. Also notable is the use of anti-detection wrappers as part of the toolset, sugg...

QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Friday released security updates to patch nine security weaknesses, including a critical issue that could be exploited to take over an affected system. "A vulnerability has been reported to affect QNAP VS Series NVR running QVR," QNAP  said  in an advisory. "If exploited, this vulnerability allows remote attackers to run arbitrary commands." Tracked as  CVE-2022-27588  (CVSS score: 9.8), the vulnerability has been addressed in QVR 5.1.6 build 20220401 and later. Credited with reporting the flaw is the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). Aside from the critical shortcoming, QNAP has also resolved three high-severity and five medium-severity bugs in its software - CVE-2021-38693  (CVSS score: 5.3) - A  path traversal vulnerability  in thttpd affecting QNAP devices running QTS, QuTS hero, QuTScloud, and QVR Pro Appliance, leading to information d...