The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Russian organizations are at the receiving end of cyber attacks that have been found to deliver a Windows version of a malware called Decoy Dog . Cybersecurity company Positive Technologies is tracking the activity cluster under the name Operation Lahat, attributing it to an advanced persistent threat (APT) group called HellHounds . "The Hellhounds group compromises organizations they select and gain a foothold on their networks, remaining undetected for years," security researchers Aleksandr Grigorian and Stanislav Pyzhov said . "In doing so, the group leverages primary compromise vectors, from vulnerable web services to trusted relationships." HellHounds was first documented by the firm in late November 2023 following the compromise of an unnamed power company with the Decoy Dog trojan. It's confirmed to have infiltrated 48 victims in Russia to date, including IT companies, governments, space industry firms, and telecom providers. There is evidence indi...

Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could be potentially exploited by a remote attacker to bypass authentication and create rogue administrator users. The issue, tracked as CVE-2024-4358 , carries a CVSS score of 9.8 out of a maximum of 10.0. "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability," the company said in an advisory. The shortcoming has been addressed in Report Server 2024 Q2 (10.1.24.514). Sina Kheirkhah of Summoning Team, who is credited with discovering and reporting the flaw, described it as a "very simple" bug that could be exploited by a "remote unauthenticated attacker to create an administrator user and login." Besides updating to the latest version, Progress Software is urging cust...

The landscape of browser security has undergone significant changes over the past decade. While Browser Isolation was once considered the gold standard for protecting against browser exploits and malware downloads, it has become increasingly inadequate and insecure in today's SaaS-centric world. The limitations of Browser Isolation, such as degraded browser performance and inability to tackle modern web-borne threats like phishing and malicious extensions, necessitate a shift towards more advanced solutions. These are the findings of a new report, titled " The Next Generation of RBI (Remote Browser Isolation) " ( Download here ). The Roots of Browser Isolation In the past, traditional signature-based antiviruses were commonly used to protect against on-device malware infections. However, they failed to block two main types of threats. The first, browser exploit, especially in Microsoft's Internet Explorer. The second, drive-by malware downloads, i.e using social e...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

A new sophisticated cyber attack has been observed targeting endpoints geolocated to Ukraine with an aim to deploy Cobalt Strike and seize control of the compromised hosts. The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection, "The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload and establish communication with a command-and-control (C2) server," security researcher Cara Lin said in a Monday report. "This attack employs various evasion techniques to ensure successful payload delivery." Cobalt Strike , developed and maintained by Fortra, is a legitimate adversary simulation toolkit used for red teaming operations. However, over the years, cracked versions of the software have been extensively exploited by threat actors for malicious purposes. The starting point of the attack is the Excel document that, when launched, dis...

Cloud computing and analytics company Snowflake said a "limited number" of its customers have been singled out as part of a targeted campaign. "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform," the company said in a joint statement along with CrowdStrike and Google-owned Mandiant. "We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel." It further said the activity is directed against users with single-factor authentication, with the unidentified threat actors leveraging credentials previously purchased or obtained through information-stealing malware. "Threat actors are actively compromising organizations' Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authenticat...

Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted away from AutoIt scripts to an AutoHotkey mechanism to deliver the last stages, underscoring continued efforts on the part of the threat actors to continuously stay ahead of the detection curve. The updates have been observed in version 6 of DarkGate released in March 2024 by its developer RastaFarEye, who has been selling the program on a subscription basis to as many as 30 customers. The malware has been active since at least 2018. A fully-featured remote access trojan (RAT), DarkGate is equipped with command-and-control (C2) and rootkit capabilities, and incorporates various modules for credential theft, keylogging, screen capturing, and remote desktop. "DarkGate campaigns tend to adapt really fast, modifying different components to try to stay off security solutions," Trellix security researcher Ernesto Fernández Provecho said in a Monday analysis. "This is the first time...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized access to susceptible servers and take complete control. "Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document," CISA said. While the agency did not disclose the nature of attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early last year to co-opt unpatched devices into a crypto-mining bot...

Cybersecurity researchers have uncovered a new suspicious package uploaded to the npm package registry that's designed to drop a remote access trojan (RAT) on compromised systems. The package in question is glup-debugger-log , which targets users of the gulp toolkit by masquerading as a "logger for gulp and gulp plugins." It has been downloaded 175 times to date. Software supply chain security firm Phylum, which discovered the package, said the software comes fitted with two obfuscated files that work in tandem to deploy the malicious payload. "One worked as a kind of initial dropper setting the stage for the malware campaign by compromising the target machine if it met certain requirements, then downloading additional malware components, and the other script providing the attacker with a persistent remote access mechanism to control the compromised machine," it said . Phylum's closer examination of the library's package.json file – which acts as...

Law enforcement authorities behind Operation Endgame are seeking information related to an individual who goes by the name Odd and is allegedly the mastermind behind the Emotet malware.  Odd is also said to go by the nicknames Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron over the past few years, according to a video released by the agencies. "Who is he working with? What is his current product?," the video continues, suggesting that he is likely not acting alone and may be collaborating with others on malware other than Emotet. The threat actor(s) behind Emotet has been tracked by the cybersecurity community under the monikers Gold Crestwood, Mealybug, Mummy Spider, and TA542. Originally conceived as a banking trojan, it evolved into a broader-purpose tool capable of delivering other payloads, along the lines of malware such as TrickBot, IcedID, QakBot, and others. It re-emerged in late 2021, albeit as part of low-volume campaigns, following a law enforceme...

Threat actors are evolving, yet Cyber Threat Intelligence (CTI) remains confined to each isolated point solution. Organizations require a holistic analysis across external data, inbound and outbound threats and network activity. This will enable evaluating the true state of cybersecurity in the enterprise. Cato's Cyber Threat Research Lab (Cato CTRL, see more details below) has recently released its first SASE threat report , offering a comprehensive view of and insights into enterprise and network threats. This is based on Cato's capabilities to analyze networks extensively and granularly (see report sources below).  About the Report The SASE Threat Report covers threats across a strategic, tactical and operational standpoint, utilizing the MITRE ATT&CK framework. It includes malicious and suspicious activities, as well as the applications, protocols and tools running on the networks. The report is based on: Granular data on every traffic flow from every endpoint commu...