The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The macOS information stealer known as Atomic is now being delivered to target via a bogus web browser update chain tracked as ClearFake. "This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes' Jérôme Segura  said  in a Tuesday analysis. Atomic Stealer (aka AMOS),  first documented  in April 2023, is a commercial stealer malware family that's sold on a subscription basis for $1,000 per month. It comes with capabilities to siphon data from web browsers and cryptocurrency wallets. Then in September 2023, Malwarebytes  detailed  an Atomic Stealer campaign that took advantage of malicious Google ads, tricking macOS users searching for a financial charting platform known as TradingView into downloading the malware. ClearFake, on the other hand, is a nascent malware distribution operation that employs comp...

Multiple threat actors, including LockBit ransomware affiliates, are  actively exploiting  a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments. The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Australian Signals Directorate's Australian Cyber Security Center (ASD's ACSC). "Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances," the agencies  said . "Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to ...

The ransomware strain known as  Play  is now being offered to other threat actors "as a service," new evidence unearthed by Adlumin has revealed. "The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it," the cybersecurity company said in a report shared with The Hacker News. The findings are based on various Play ransomware attacks tracked by Adlumin spanning different sectors that incorporated almost identical tactics and in the same sequence. This includes the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password to create high-privilege accounts, and both attacks, and the same commands. Play , also called Balloonfly and PlayCrypt, first came to light in June 2022, leveraging security flaws in Microsoft Exchange Server – i.e.,  ...

Is Managing Customer Logins and Data Giving You Headaches? You're Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let's be honest, we're also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it's a whole new ball game! If you're dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you . Join us for " Navigating Customer Identity in the AI Era ," where we'll dive into the Auth0 2025 Customer Identity Trends Report . We'll show you what's working, what's not, and how to tweak your strategy for the year ahead. In just one session, you'll get practical answers to real-world challenges like: How AI is changing what users expect – and where they're starting to push ba...

A new variant of the  Agent Tesla  malware has been observed delivered via a lure file with the  ZPAQ compression format  to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova  said  in a Monday analysis. "That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has the biggest disadvantage: limited software support." First appearing in 2014, Agent Tesla is a  keylogger  and  remote access trojan  (RAT) written in .NET that's  offered  to other threat actors as part of a malware-as-a-service (MaaS) model. It's often used as a first-stage payload, providing remote access to a compromised system and utilized to download more sophisticated second-stage tools such as ...

Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. Quishing Quishing, a phishing technique resulting from the combination of "QR" and "phishing," has become a popular weapon for cybercriminals in 2023. By concealing malicious links within QR codes, attackers can evade traditional spam filters, which are primarily geared towards identifying text-based phishing attempts. The inability of many security tools to decipher the content of QR codes further makes this method a go-to choice for cybercriminals. An email containing a QR code with a malicious link Analyzing a QR code with an embedded malicious link in a safe environment is easy with  ANY.RUN : Simply open  this task  in th...

The  Kinsing  threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance," Trend Micro security researcher Peter Girnus  said . Kinsing  refers to a  Linux malware  with a history of targeting misconfigured containerized environments for cryptocurrency mining, often utilizing compromised server resources to generate illicit profits for the threat actors. The group is also known to quickly adapt its tactics to include newly disclosed flaws in web applications to breach target networks and deliver crypto miners. Earlier this month, Aqua  disclosed  the threat actor's attempts to exploit a Linux pri...

Android smartphone users in India are the target of a new malware campaign that employs social engineering lures to install fraudulent apps that are capable of harvesting sensitive data. "Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities," Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai  said  in a Monday analysis. The ultimate goal of the operation is to capture banking details, payment card information, account credentials, and other personal data. The attack chains involve sharing malicious APK files via social media messages sent on WhatsApp and Telegram by falsely presenting them as banking apps and inducing a sense of urgency by claiming that the targets' bank accounts will be blocked unless they update their pe...

The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid  rising tensions  between the two countries over the disputed South China Sea. Palo Alto Networks Unit 42 attributed the adversarial collective to three campaigns in August 2023, primarily singling out organizations in the South Pacific. "The campaigns leveraged legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files," the company  said . "Threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command-and-control (C2) connections." Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese advanced persistent threat (APT) active since at least 2012,  orchestrating   cyber espionage   campaigns  targeting non-governmenta...

Threat actors are targeting the education, government and business services sectors with a remote access trojan called  NetSupport RAT . "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as  GHOSTPULSE ), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report shared with The Hacker News. The cybersecurity firm said it detected no less than 15 new infections related to NetSupport RAT in the last few weeks.  While NetSupport Manager started off as a  legitimate remote administration tool  for technical assistance and support, malicious actors have misappropriated the tool to their own advantage, using it as a beachhead for subsequent attacks. NetSupport RAT is typically downloaded onto a victim's computer via deceptive websites and fake browser updates. In August 2022, Sucuri  detailed  a campaign in which compromised WordPress...

Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. "These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery," Cofense  said  in a report shared with The Hacker News. "The malware families used also follow suit to what we would expect QakBot affiliates to use." QakBot, also called QBot and Pinkslipbot, was  shut down  as part of a coordinated law enforcement effort codenamed Operation Duck Hunt earlier this August. The use of DarkGate and PikaBot in these campaigns is not surprising as they can both act as conduits to deliver additional payloads to compromised hosts, making them both an attractive option for cybercriminals. PikaBot's parallels to QakBot were  previously highlighted  by Zscale...

In this article, we will provide a brief overview of Silverfort's platform, the first (and currently only) unified identity protection platform on the market. Silverfort's patented technology aims to protect organizations from identity-based attacks by integrating with existing identity and access management solutions, such as AD (Active Directory) and cloud-based services, and extending secure access controls like Risk-Based Authentication and MFA (Multi-Factor Authentication) to all their resources. This includes on-prem and cloud resources, legacy systems, command-line tools and service accounts. A recent report by Silverfort and Osterman Research revealed that  83% of organizations worldwide have experienced data breaches due to compromised credentials . Many organizations admit that they are underprotected against identity-based attacks, such as lateral movement and ransomware. Resources like command-line access tools and legacy systems, which are widely used, are particular...