The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX. Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrating the adversary's continued focus on espionage against governments around the world. "PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. Bronze President is a China-based threat actor active since at least July 2018 and is likely estimated to be a state-sponsored group that leverages a mix of proprietary and publicly available tools to compromise and collect data from its targets. It's also publicly documented under other names such as HoneyMyte, Mustang P...

A recent report revealed that ecommerce provider,  Shopify uses particularly weak password policies  on the customer-facing portion of its Website. According to the report, Shopify's requires its customers to use a password that is at least five characters in length and that does not begin or end with a space.  According to the report, Specops researchers analyzed a list of a billion passwords that were known to have been breached and found that 99.7% of those passwords adhere to Shopify's requirements. While this is not meant to suggest that Shopify customers' passwords have been breached, the fact that so many known breached passwords adhere to Shopify's minimum password requirements does underscore the dangers associated with using weak passwords. The danger of weak passwords in your Active Directory  A recent study by Hive Systems  echoes the dangers of using weak passwords. The study examines the amount of time that would be required to brute force crac...

Major financial and insurance companies located in French-speaking nations in Africa have been targeted over the past two years as part of a persistent malicious campaign codenamed  DangerousSavanna . Countries targeted include Ivory Coast, Morocco, Cameroon, Senegal, and Togo, with the spear-phishing attacks heavily focusing on Ivory Coast in recent months, Israeli cybersecurity firm Check Point  said  in a Tuesday report. Infection chains entail targeting employees of financial institutions with social engineering messages containing malicious attachments as a means of initial access, ultimately leading to the deployment of off-the-shelf malware such as  Metasploit ,  PoshC2 ,  DWservice , and  AsyncRAT . "The threat actors' creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-...

Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as  Phosphorus  is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker  DEV-0270  (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations. "DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities," Microsoft  said . "DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices." The use of BitLocker and DiskCryptor by Iranian actor...

Cisco on Wednesday rolled out patches to address  three security flaws  affecting its products, including a high-severity weakness disclosed in NVIDIA Data Plane Development Kit (MLNX_DPDK) late last month. Tracked as  CVE-2022-28199  (CVSS score: 8.6), the vulnerability stems from a lack of proper error handling in DPDK's network stack, enabling a remote adversary to trigger a denial-of-service (DoS) condition and cause an impact on data integrity and confidentiality. "If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial-of-service (DoS) condition," Cisco  said  in a notice published on September 7. DPDK  refers to a set of libraries and optimized network interface card (NIC) drivers for fast packet processing, offering a framework and common API for high-speed networking applications. Cisco said it investigated its product lineup and determined the following se...

Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022. The findings, which come from Google's Threat Analysis Group (TAG), builds upon a  prior report  published in July 2022 detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. "UAC-0098 is a threat actor that historically delivered the  IcedID banking trojan , leading to human-operated ransomware attacks," TAG researcher Pierre-Marc Bureau  said  in a report shared with The Hacker News. "The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations." UAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and  Conti  (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was subsumed by the l...

An international law enforcement operation has resulted in the dismantling of  WT1SHOP , an online criminal marketplace that specialized in the sales of stolen login credentials and other personal information. The seizure was orchestrated by Portuguese authorities, with the U.S. officials taking control of four domains used by the website: "wt1shop[.]net," "wt1store[.]cc," "wt1store[.]com," and "wt1store[.]net." The website peddled over 5.85 million records of personally identifying information (PII), including approximately 25,000 scanned driver's licenses/passports, 1.7 million login credentials for various online shops, 108,000 bank accounts, 21,800 credit cards, the U.S. Justice Department (DoJ)  said . The DoJ also unveiled a criminal complaint against Nicolai Colesnicov, accusing the 36-year-old individual from the Republic of Moldova of running the marketplace. Colesnicov has been charged with conspiracy and with trafficking in un...

A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. "An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist," AT&T Alien Labs  said  in a new report published Tuesday. The findings add to a growing list of Linux malware that has been found in the wild in recent months, including  BPFDoor ,  Symbiote ,  Syslogk ,  OrBit , and  Lightning Framework . Once deployed on a targeted host, the attack chain downloads and executes the Metasploit's " Mettle " meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices. The exact method by which the initial compromise is achieved remains unknown as yet, but what makes ...

The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called  MagicRAT . The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News. "While being a relatively simple RAT capability-wise, it was built with recourse to the  Qt Framework , with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura  said . Lazarus Group , also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financial motivated and espionage-driven  cyber activities  undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strate...

Cyberattacks on large organizations dominate news headlines. So, you may be surprised to learn that small and medium enterprises (SMEs) are actually  more frequent  targets of cyberattacks. Many SMEs understand this risk firsthand.  In a recent  survey , 58% of CISOs of SMEs said that their risk of attack was higher compared to enterprises. Yet, they don't have the same resources as enterprises – making it nearly impossible to protect their organizations from widespread and increasingly more sophisticated attacks that don't discriminate based on company size. What's their solution? Extended detection and response (XDR).  During a recent webinar, Cynet's Director of Product Strategy, George Tubin ,  and guest speaker Senior Analyst at Forrester,Allie Mellen, discussed the most serious cybersecurity challenges for SMEs and how they can benefit from XDR platforms.  Here are the four key takeaways from the  conversation .  The Bigges...

A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42  said  in a Tuesday report. MooBot, first disclosed by Qihoo 360's Netlab team in September 2019, has previously targeted  LILIN digital video recorders  and  Hikvision video surveillance products  to expand its network. In the latest wave of attacks discovered by Unit 42 in early August 2022, as many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples. These include - CVE-2015-2051  (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability CVE-2018-6530  (CVSS score: 9.8) -...

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. Tracked as  CVE-2022-34747  (CVSS score: 9.8), the issue relates to a "format string vulnerability" affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw. "A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet," the company  said  in an advisory released on September 6. The flaw affects the following versions - NAS326 (V5.21(AAZF.11)C0 and earlier) NAS540 (V5.21(AATB.8)C0 and earlier), and NAS542 (V5.21(ABAG.8)C0 and earlier) The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities ( CVE-2022-30526 and CVE-2022-2030 ) affecting its firewall products in July. In J...