The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Akasa Air, India's newest commercial airline, exposed the personal data belonging to its customers that the company blamed on a technical configuration error. According to security researcher Ashutosh Barot , the issue is rooted in the account registration process, leading to the exposure of details such as names, gender, email addresses, and phone numbers. The bug was identified on August 7, 2022, the same day the low-cost airline commenced its operations in the country. "I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format," Barot  said  in a write-up. "I immediately changed some parameters in [the] request and I was able to see other user's PII. It took around ~30 minutes to find this issue." Upon receiving the report, the company  said  it temporarily shut down parts of its system to incorporate additional security guardrails. It has also reported the incident to the Indian Computer Emergency Response Team (...

The U.S. Federal Bureau of Investigation (FBI) on Monday warned of cyber criminals increasingly exploiting flaws in decentralized finance (DeFi) platforms to plunder cryptocurrency. "The FBI has observed cyber criminals exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal investors' cryptocurrency," the agency  said  in a notification. Attackers are said to have used different methods to hack and steal cryptocurrency from DeFi platforms, including initiating flash loans that trigger exploits in the platforms' smart contracts and exploiting signature verification flaws in their token bridge to withdraw all investments. The agency has also observed criminals defrauding the platforms by manipulating cryptocurrency price pairs – assets that can be traded for each other on an exchange – by exploiting a series of vulnerabilities to bypass  slippage checks  and steal roughly $35 million in digital funds. It further said that the threat a...

The U.S. Federal Trade Commission (FTC) on Monday said it filed a lawsuit against Kochava, a location data broker, for collecting and selling precise geolocation data gathered from consumers' mobile devices. The complaint alleges that the U.S. company  amasses  a "wealth of information" about users by purchasing data from other data brokers to sell to its own clients. "Kochava then sells customized data feeds to its clients to, among other purposes, assist in advertising and analyzing foot traffic at stores or other locations," the FTC  said . "Among other categories, Kochava sells timestamped latitude and longitude coordinates showing the location of mobile devices." The Idaho-based company advertises itself as a "real-time data solutions company" and the "largest independent data marketplace for connected devices." It also claims its  Kochava Collective  data marketplace provides "premium data feeds, audience targeting, a...

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can't easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. Astrix's Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar : "One dangerous habit we've had for a long time is trusting application logic to act as the guardrails. That doesn't work when your AI agent is powered by LLMs that don't stop and think when they're about to do something wrong. They just do it." Why AI Agents Redefine Identity Risk Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each addit...

A new ransomware strain written in Golang dubbed " Agenda " has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand. "Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," Trend Micro researchers  said  in an analysis last week. Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process. Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the 'safe mode' feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user's password and enabl...

A Turkish-speaking entity called Nitrokod has been attributed to an active cryptocurrency mining campaign that involves impersonating a desktop application for Google Translate to infect over 111,000 victims in 11 countries since 2019.  "The malicious tools can be used by anyone," Maya Horowitz, vice president of research at Check Point, said in a statement shared with The Hacker News. "They can be found by a simple web search, downloaded from a link, and installation is a simple double-click." The list of countries with victims includes the U.K., the U.S., Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland. The  campaign  entails serving malware through free software hosted on popular sites such as Softpedia and Uptodown. But in an interesting tactic, the malware puts off its execution for weeks and separates its malicious activity from the downloaded fake software to avoid detection. The installation of the infected program...

If you're heading out of the office on a well-deserved vacation, are you certain the security controls you have in place will let you rest easy while you're away? More importantly – do you have the right action plan in place for a seamless return? Whether you're on the way out of – or back to – the office, our Security Validation Checklist can help make sure your security posture is in good shape. 1. Check the logs and security events of your key critical systems . Stay up-to-date on recent activities. Check for changes – and attempted changes – and any potential indicators of compromise. Planning to be gone for longer than a week? Designate a team member to perform a weekly review in your absence, reducing the chances of a critical event going undetected. 2. Check for any new security vulnerabilities that were identified on your vacation . Use your preferred scanning tool or check one of the regularly updated databases, such as  CVE Details . 3. Investigate failures o...

Twilio, which earlier this month became a  sophisticated phishing attack , disclosed last week that the threat actors also managed to gain access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service. The communication tools company  said  the unauthorized access made it possible for the adversary to register additional devices to those accounts. It has since identified and removed the illegitimately added devices from the impacted accounts. Authy, acquired by Twilio in February 2015, allows  safeguarding online accounts  with a second security layer to prevent account takeover attacks. It's estimated to have nearly 75 million users. Twilio further noted its investigation as of August 24, 2022, turned up 163 affected customers, up from 125 it reported on August 10, whose accounts it said were hacked for a limited period of time. Besides Twilio, the sprawling campaign, dubbed  0ktapus  by Group-IB, is believed...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its  Known Exploited Vulnerabilities (KEV) Catalog , including a high-severity security flaw affecting industrial automation software from Delta Electronics. The issue, tracked as  CVE-2021-38406  (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful exploitation of the flaw may lead to arbitrary code execution. "Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution," CISA said in an alert. It's worth noting that CVE-2021-38406 was originally disclosed as part of an industrial control systems (ICS) advisory  published  in September 2021. However, there are no patches that address the vulnerability, with CISA noting that the "impacted product is end-of-life and ...

Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability's  long tail  for remediation. Microsoft attributed the latest set of activities to the  umbrella threat group  tracked as  MuddyWater  (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is  linked  to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS). The attacks are notable for using SysAid Server instances unsecured against the  Log4Shell flaw  as a vector for initial access,  marking  a  departure  from the actors' pattern of leveraging VMware applications for breaching target environments. "After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tool...

Atlassian has rolled out fixes for a  critical security flaw  in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations. Tracked as  CVE-2022-36804  (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests. "An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request," Atlassian  said  in an advisory. The shortcoming, discovered and reported by security researcher  @TheGrandPew  impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0.0 and newer - Bitbucket Server and Datacenter 7.6 Bitbucket Server and Datacenter 7.17 Bitbucket Server and Datacenter 7.21 Bitbucket Server and Datacenter 8.0 Bitbucket Server and Datacenter 8.1 B...

Password management service LastPass confirmed a security incident that resulted in the theft of certain source code and technical information. The security breach is said to have occurred two weeks ago, targeting its development environment. No customer data or encrypted passwords were accessed, although the company provided no further details regarding the hack and what source code was stolen. "An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," LastPass CEO Karim Toubba  said . Amidst ongoing investigation into the incident, the company said it has engaged the services of a leading cybersecurity and forensics firm and that it has implemented additional countermeasures. LastPass, however, didn't elaborate on the exact mitigation techniques that it used to strengthen its environment. It also reiterated that...

Nation-state threat actors are  increasingly adopting  and integrating the Sliver command-and-control (C2) framework in their intrusion campaigns as a replacement for Cobalt Strike. "Given Cobalt Strike's popularity as an attack tool, defenses against it have also improved over time," Microsoft security experts  said . "Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry." Sliver, first made public in late 2019 by cybersecurity company BishopFox, is a Go-based  open source C2 platform  that supports user-developed extensions, custom implant generation, and other commandeering options. "A C2 framework usually includes a server that accepts connections from implants on a compromised system, and a client application that allows the C2 operators to interact with the implants and launch malicious commands," Microsoft said. Besides facilitating long-term access to infected hosts, the cross-pl...