The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining and deliver botnet malware. The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver a malware strain dubbed Hadooken , according to cloud security firm Aqua. "When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Moran said . The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances. This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server (" 89.185.85[.]102 " or " 185.174.136[.]204 "). "In addition, the shell script version attempts to iterate ov...

Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages. Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels set up by the threat actors under the guise of legitimate applications related to banking, payment systems, and government services, or everyday utilities. "The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users," security researchers Boris Martynyuk, Pavel Naumov, and Anvar Anarkulov said . Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. There is evidence to suggest that some aspects of...

GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0 "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances," the company said in an alert. The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, have been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024...

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void). "It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus vendor Doctor Web said in a report published today. A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia. It's currently not known what the source of the infection is, although it's suspected that it may have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access. The following TV models have been targeted as part of the campaign - KJ-SMART4KVIP (Android 10.1; KJ-SMA...

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. "Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill said in an analysis published today. "However, Selenium Grid's default configuration lacks authentication, making it vulnerable to exploitation by threat actors." The abuse of publicly-accessible Selenium Grid instances for deploying crypto miners was previously highlighted by cloud security firm Wiz in late July 2024 as part of an activity cluster dubbed SeleniumGreed . Cado, which observed two different campaigns against its honeypot server, said the threat actors are exploiting the lack of authentication protections to carry out a diverse set of malicious actions. The first of them leverages the " goog:chromeOptions " dictionary to inject a Ba...

Cato CTRL (Cyber Threats Research Lab) has released its Q2 2024 Cato CTRL SASE Threat Report . The report highlights critical findings based on the analysis of a staggering 1.38 trillion network flows from more than 2,500 of Cato's global customers, between April and June 2024. Key Insights from the Q2 2024 Cato CTRL SASE Threat Report The report is packed with unique insights that are based on thorough data analysis of network flows. The top three insights for enterprises are as follows. 1) IntelBroker: A Persistent Threat Actor in the Cyber Underground During an in-depth investigation into hacking communities and the dark web, Cato CTRL identified a notorious threat actor known as IntelBroker. IntelBroker is a prominent figure and moderator within the BreachForums hacking community and has been actively involved in the sale of data and source code from major organizations. These include AMD, Apple, Facebook, KrypC, Microsoft, Space-Eyes, T-Mobile and the US Army Aviation and Mi...

Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig . The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis. OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber group associated with the Iranian Ministry of Intelligence and Security (MOIS). Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft. The latest campaign is no exception in that it involves the use of a new set of malware families dubbed Veaty and Spearal, which come with capabilities t...

The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users. "The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35[2] of the General Data Protection Regulation (Data Protection Impact Assessment), prior to engaging in the processing of the personal data of E.U./E.E.A. data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2)," the DPC said . PaLM 2 is Google's state-of-the-art language model with improved multilingual, reasoning, and coding capabilities. It was unveiled by the company in May 2023. With Google's European headqu...

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily. The enforcement is expected to come into effect starting October 1, 2024. "Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the maintainers of the open-source, self-hosted version of the content management system (CMS) said . "Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community." Besides requiring mandatory 2FA, WordPress.org said it's introducing what's called SVN passwords, which refers to a dedicated password for committing changes. This, it said, is an effort to introduce a new layer of security by separating users' code commit access from their WordPress.org account credentials. "This ...

The operators of the mysterious Quad7 botnet are actively evolving by compromising several brands of SOHO routers and VPN appliances by leveraging a combination of both known and unknown security flaws. Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report by French cybersecurity company Sekoia. "The Quad7 botnet operators appear to be evolving their toolset, introducing a new backdoor and exploring new protocols, with the aim of enhancing stealth and evading the tracking capabilities of their operational relay boxes (ORBs)," researchers Felix Aimé, Pierre-Antoine D., and Charles M. said .  Quad7, also called 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, highlighting the activity cluster's pattern of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet. The botnet, which gets its name from the fact it opens TCP port 7777 on compromised devices, ...