The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users. The program, first marketed by a threat actor named cyberdluffy (aka Cyber D' Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub profiles and send bulk emails directly to user inboxes. "Whether you're aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need," the threat actor claimed in their post. "GoIssue can send bulk emails to GitHub users, directly to their inboxes, targeting any recipient." SlashNext said the tool marks a "dangerous shift in targeted phishing" that could act as a gateway to source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials. "Armed with this inform...

Threat actors with ties to the Democratic People's Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices. Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built applications are part of a broader activity that includes malware written in Golang and Python. It's currently not known how these samples are distributed to victims, and if it has been used against any targets, or if the attackers are switching to a new delivery method. That said, North Korean threat actors are known to engage in extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance businesses. "We suspect these specific examples are testing," Jaron Bradley, director at Jamf Threat Labs, told The Hacker News. "It's p...

Behavioral analytics, long associated with threat detection (i.e. UEBA or UBA), is experiencing a renaissance. Once primarily used to identify suspicious activity, it's now being reimagined as a powerful post-detection technology that enhances incident response processes. By leveraging behavioral insights during alert triage and investigation, SOCs can transform their workflows to become more accurate, efficient, and impactful. Fortunately, many new cybersecurity products like AI SOC analysts are able to incorporate these techniques into their investigation capabilities, thus allowing SOCs to utilize them into their response processes. This post will provide a brief overview of behavior analytics then discuss 5 ways it's being reinvented to shake up SOC investigation and incident response work. Behavior Analysis is Back, But Why? Behavioral analytics was a hot topic back in 2015, promising to revolutionize static SIEM and SOC detections with dynamic anomaly detection to uncover t...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer. "Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness," Russian cybersecurity vendor Kaspersky said . "Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in the memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities." Kaspersky said it observed the ransomware used in a cyber attack targeting an unnamed organization in Colombia, with the threat actors previously delivering the RustyStealer malware to gather corporate credentials. It's believed that the stolen credentials were used to gain unauthorized access to the company's n...

⚠️ Imagine this: the very tools you trust to protect you online—your two-factor authentication, your car's tech system, even your security software—turned into silent allies for hackers. Sounds like a scene from a thriller, right? Yet, in 2024, this isn't fiction; it's the new cyber reality. Today's attackers have become so sophisticated that they're using our trusted tools as secret pathways, slipping past defenses without a 🔍 trace. For banks 🏦, this is especially alarming. Today's malware doesn't just steal codes; it targets the very trust that digital banking relies on. These threats are more advanced and smarter than ever, often staying a step ahead of defenses. And it doesn't stop there. Critical systems that power our cities are at risk too. Hackers are hiding within the very tools that run these essential services, making them harder to detect and harder to stop. It's a high-stakes game of hide-and-seek, where each move raises the risk. As these threats grow, let's dive ...

In an unusually specific campaign, users searching about the legality of Bengal Cats in Australia are being targeted with the GootLoader malware. "In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: 'Are Bengal Cats legal in Australia?,'" Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher said in a report published last week. GootLoader , as the name implies, is a malware loader that's typically distributed using search engine optimization (SEO) poisoning tactics for initial access. Specifically, the malware is deployed onto victim machines when searching for certain terms like legal documents and agreements on search engines like Google surface booby-trapped links pointing to compromised websites that host a ZIP archive containing a JavaScript payload. Once installed, it makes way for a second-stage malware, often an...

Cyber threats are intensifying, and cybersecurity has become critical to business operations. As security budgets grow, CEOs and boardrooms are demanding concrete evidence that cybersecurity initiatives deliver value beyond regulation compliance. Just like you wouldn't buy a car without knowing it was first put through a crash test, security systems must also be validated to confirm their value. There is an increasing shift towards security validation as it allows cyber practitioners to safely use real exploits in production environments to accurately assess the efficiency of their security systems and identify critical areas of exposure, at scale. We met with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, to discuss how to effectively communicate the business value of his Security Validation practices and tools to his upper management. Here is a drill down into how Shawn made room for security validation platforms within his already tight budget an...

Cybersecurity researchers have uncovered nearly two dozen security flaws spanning 15 different machine learning (ML) related open-source projects. These comprise vulnerabilities discovered both on the server- and client-side, software supply chain security firm JFrog said in an analysis published last week. The server-side weaknesses "allow attackers to hijack important servers in the organization such as ML model registries, ML databases and ML pipelines," it said . The vulnerabilities, discovered in Weave, ZenML, Deep Lake, Vanna.AI, and Mage AI, have been broken down into broader sub-categories that allow for remotely hijacking model registries, ML database frameworks, and taking over ML Pipelines. A brief description of the identified flaws is below - CVE-2024-7340 (CVSS score: 8.8) - A directory traversal vulnerability in the Weave ML toolkit that allows for reading files across the whole filesystem, effectively allowing a low-privileged authenticated user to es...

Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities impacting Aruba Networking Access Point products, including two critical bugs that could result in unauthenticated command execution. The flaws affect Access Points running Instant AOS-8 and AOS-10 - AOS-10.4.x.x: 10.4.1.4 and below Instant AOS-8.12.x.x: 8.12.0.2 and below Instant AOS-8.10.x.x: 8.10.0.13 and below The most severe among the six newly patched vulnerabilities are CVE-2024-42509 (CVSS score: 9.8) and CVE-2024-47460 (CVSS score: 9.0), two critical unauthenticated command injection flaws in the CLI Service that could result in the execution of arbitrary code. "Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211)," HPE said in an advisory for both the flaws. "Successful exp...

Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT . Remcos RAT "provides purchases with a wide range of advanced features to remotely control computers belonging to the buyer," Fortinet FortiGuard Labs researcher Xiaopeng Zhang said in an analysis published last week. "However, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts." The starting point of the attack is a phishing email that uses purchase order-themed lures to convince recipients to open a Microsoft Excel attachment. The malicious Excel document is designed to exploit a known remote code execution flaw in Office ( CVE-2017-0199 , CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.e...