The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The U.S. Treasury Department on Monday placed sanctions against crypto mixing service Tornado Cash, citing its use by the North Korea-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and cash out the ill-gotten money. Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, is estimated to have been used to launder more than $7.6 billion worth of virtual assets since its creation in 2019, the department said. Thefts, hacks, and fraud account for $1.54 billion of the total assets sent through the mixer, according to blockchain analytics firm  Elliptic . Crypto mixing is akin to shuffling digital currencies through a black box, blending a certain quantity of cryptocurrency in private pools before transferring it to its designated receivers for a fee. The aim is to make transactions anonymous and difficult to trace. "Despite public assurances otherwise, Tornado Cash has repeatedly f...

TL;DR: As weird as it might sound, seeing a few false positives reported by a security scanner is probably a good sign and certainly better than seeing none. Let's explain why. Introduction False positives have made a somewhat unexpected appearance in our lives in recent years. I am, of course, referring to the COVID-19 pandemic, which required massive testing campaigns in order to control the spread of the virus. For the record, a false positive is a result that appears positive (for COVID-19 in our case), where it is actually negative (the person is not infected). More commonly, we speak of false alarms. In computer security, we are also often confronted with false positives. Ask the security team behind any SIEM what their biggest operational challenge is, and chances are that false positives will be mentioned. A recent  report  estimates that as much as 20% of all the alerts received by security professionals are false positives, making it a big source of fatigue. Yet...

In what's yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and API tokens. The packages "install info-stealers that enable attackers to steal developer's private data and personal credentials," Israeli cybersecurity firm Check Point  said  in a Monday report. A short summary of the offending packages is below - Ascii2text , which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser Pyg-utils, Pymocks, and PyProto2 , which are designed to  steal users' AWS credentials Test-async and Zlibsrc , which download and execute malicious code during installation Free-net-vpn, Free-net-vpn2, and WINRPCexploit , which steal user credentials and environment variables, and Browserdiv , which are capable of coll...

Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors. Russian cybersecurity firm Kaspersky  attributed  the attacks "with a high degree of confidence" to a China-linked threat actor tracked by  Proofpoint  as  TA428 , citing overlaps in tactics, techniques, and procedures (TTPs).  TA428, also known by the names Bronze Dudley, Temp.Hex, and Vicious Panda, has a  history  of striking entities in Ukraine, Russia, Belarus, and Mongolia. It's believed to share connections with another hacking group called Mustang Panda (aka Bronze President). Targets of the latest cyber espionage campaign included industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries and Afghanistan. A...

A new botnet named Orchard has been observed using Bitcoin creator Satoshi Nakamoto's account transaction information to generate domain names to conceal its command-and-control (C2) infrastructure. "Because of the uncertainty of Bitcoin transactions, this technique is more unpredictable than using the common time-generated [ domain generation algorithms ], and thus more difficult to defend against," researchers from Qihoo 360's Netlab security team said in a Friday write-up. Orchard is said to have undergone three revisions since February 2021, with the botnet primarily used to deploy additional payloads onto a victim's machine and execute commands received from the C2 server. It's also designed to upload device and user information as well as infect USB storage devices to propagate the malware. Netlab's analysis shows that over 3,000 hosts have been enslaved by the malware to date, most of them located in China. Orchard has also been subjected to ...

A few days ago, a friend and I were having a rather engaging conversation that sparked my excitement. We were discussing my prospects of becoming a red teamer as a natural career progression. The reason I got stirred up is not that I want to change either my job or my position, as I am a happy camper being part of Cymulate's blue team. What upset me was that my friend could not grasp the idea that I wanted to keep working as a blue teamer because, as far as he was concerned, the only natural progression is to move to the red team.  Red teams include many roles ranging from penetration testers to attackers and exploit developers. These roles attract most of the buzz, and the many certifications revolving around these roles (OSCP, OSEP, CEH) make them seem fancy. Movies usually make hackers the heroes, while typically ignoring the defending side, the complexities and challenges of blue teamers' roles are far less known. While blue teams' defending roles might not sound as...

A sophisticated scam-as-a-service operation dubbed Classiscam has now infiltrated into Singapore, more than 1.5 years after  expanding to Europe . "Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB  said  in a report shared with The Hacker News. The cybersecurity firm called the operators a "well-coordinated and technologically advanced scammer criminal network." Classiscam refers to a  Russia-based cybercrime operation  that was first recorded in summer 2019 but only came under spotlight a year later coinciding with a surge in activity owing to an increase in online shopping in the aftermath of COVID-19 outbreak. Called the  most widely used fraud scheme  during the pandemic, Classiscam targets people who use marketplaces and services relating to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, ...

Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets. The first set of activities is what the company described as "persistent and well-resourced" and undertaken by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) targeting individuals in New Zealand, India, Pakistan, and the U.K. "Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware," Meta  said  in its Quarterly Adversarial Threat Report. "They used a mix of link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware." The attacks involved the threat actor creating fictitious personas on the platform, masquerading as attractive young women in a bid to build trust with targets and lure them into cl...

A new IoT botnet malware dubbed RapperBot has been observed rapidly evolving its capabilities since it was first discovered in mid-June 2022. "This family borrows heavily from the original  Mirai source code , but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai," Fortinet FortiGuard Labs  said  in a report. The malware, which gets its name from an embedded URL to a YouTube rap music video in an earlier version, is said to have amassed a growing collection of compromised SSH servers, with over 3,500 unique IP addresses used to scan and brute-force their way into the servers. RapperBot's current implementation also delineates it from Mirai, allowing it to primarily function as an SSH brute-force tool with limited capabilities to carry out distributed denial-of-service (DDoS) attacks. The deviation from traditional Mirai behavior is further ...

Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. "As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company  said  in an advisory. Twitter said the bug, which it was  made aware  of in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident. The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on  Breach Forums . Although Twitter didn't reveal the exact number of impacted users, the forum post made by the threat actor shows that the flaw was ...

Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces. "When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members," the enterprise communication and collaboration platform  said  in an alert on 4th August. Hashing refers to a cryptographic technique that transforms any form of data into a fixed-size output (called a hash value or simply hash).  Salting  is designed to add an extra security layer to the hashing process to make it resistant to brute-force attempts. The Salesforce-owned company, which reported more than  12 million daily active users  in September 2019, didn't reveal the exact  hashing algorithm  used to safeguard the passwords. The bug is said to have impacted all users who created or revoked shared invitation links between 17 ...

A threat actor working to further Iranian goals is said to have been behind a set of damaging cyberattacks against Albanian government services in mid-July 2022. Cybersecurity firm Mandiant  said  the malicious activity against a NATO state represented a "geographic expansion of Iranian disruptive cyber operations." The  July 17 attacks , according to Albania's National Agency of Information Society, forced the government to "temporarily close access to online public services and other government websites" because of a "synchronized and sophisticated cybercriminal attack from outside Albania." The politically motivated disruptive operation, per Mandiant, entailed the deployment of a new ransomware family called ROADSWEEP that included a ransom note with the text: "Why should our taxes be spent on the benefit of DURRES terrorists?" A front named HomeLand Justice has since claimed responsibility for the cyber offensive, with the group als...