The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. Cobalt Strike is a commercial red-team framework that's mainly used for adversary simulation, but cracked versions of the software have been  actively   abused  by ransomware operators and espionage-focused advanced persistent threat (APT) groups alike. The  post-exploitation tool  consists of a team server, which functions as a command-and-control (C2) component, and a beacon, the default malware used to create a connection to the team server and drop next-stage payloads. The issue, tracked as  CVE-2022-42948 , affects Cobalt Strike version 4.7.1, and stems from an incomplete patch released on September 20, 2022, to rectify a cross-site scripting ( XSS ) vulnerability ( CVE-2022-39197 ) that could lead to remote code execution....

The threat actors behind the  Black Basta   ransomware family  have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the  nascent adversary simulation software  is being delivered via a Qakbot infection, cybersecurity firm Trend Micro  said  in a technical analysis released last week. The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement. While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time. This has been compounded by the fact that a  cracked version  of Brute Ratel C4 (BRc4 ...

New research has disclosed what's being called a security vulnerability in Microsoft 365 that could be exploited to infer message contents due to the use of a broken cryptographic algorithm. "The [Office 365 Message Encryption] messages are encrypted in insecure Electronic Codebook ( ECB ) mode of operation," Finnish cybersecurity company WithSecure  said  in a report published last week. Office 365 Message Encryption (OME) is a security mechanism used to send and receive encrypted email messages between users inside and outside an organization without revealing anything about the communications themselves. A consequence of the newly disclosed issue is that rogue third-parties gaining access to the encrypted email messages may be able to decipher the messages, effectively breaking confidentiality protections. Electronic Codebook is one of the simplest modes of encryption wherein each message block is encoded separately by a key, meaning identical plaintext blocks wi...

Is Managing Customer Logins and Data Giving You Headaches? You're Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let's be honest, we're also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it's a whole new ball game! If you're dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you . Join us for " Navigating Customer Identity in the AI Era ," where we'll dive into the Auth0 2025 Customer Identity Trends Report . We'll show you what's working, what's not, and how to tweak your strategy for the year ahead. In just one session, you'll get practical answers to real-world challenges like: How AI is changing what users expect – and where they're starting to push ba...

Don't let the ongoing " crypto winter " lull you into a false sense of cybersecurity. Even as  cryptocurrencies lose value  — and some crypto companies  file for bankruptcy  —  cryptojacking  still poses an urgent threat to enterprises across industries, from financial services to healthcare to industry 4.0 and beyond.  Broadly speaking, cryptojacking is defined as the unauthorized and illegitimate use of an unwitting party's compute and/or server power by a malicious actor to mine cryptocurrencies. While everyone with an internet connection is technically vulnerable to cryptojacking, most attacks target enterprises with significant compute resources, especially those with an outsized number of third-party relationships. (More on that last part in a bit.) And if a malicious actor can breach your cybersecurity defenses for cryptojacking purposes, they can breach them for any number of nefarious reasons.  Under normal conditions, mining for crypt...

A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed  Prestige . "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the  FoxBlade  malware (also known as HermeticWiper)," the Microsoft Threat Intelligence Center (MSTIC)  said . The tech giant remarked the intrusions occurred within an hour of each other across all victims, attributing the infections to an unnamed cluster called DEV-0960. It did not disclose the scale of the attacks, but stated it's notifying all affected customers. The campaign is also believed to be distinct from other recent destructive attacks that have involved the use of  HermeticWiper  and  CaddyWiper , the latter of which is launched by a malware loader called  ArguePatch  (aka AprilAxe). The method o...

Zimbra has  released patches  to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances. Tracked as  CVE-2022-41352  (CVSS score: 9.8), the issue affects a component of the Zimbra suite called  Amavis , an open source content filter, and more specifically, the cpio utility it uses to scan and extract archives. The flaw, in turn, is said to be rooted in another underlying vulnerability ( CVE-2015-1197 ) that was first disclosed in early 2015, which  according to Flashpoint  was rectified, only to be subsequently reverted in later Linux distributions. "An attacker can use cpio package to gain incorrect access to any other user accounts," Zimbra said in an advisory published last week, adding it "recommends pax over cpio." Fixes are available in the following versions - Zimbra 9.0.0 Patch 27 Zimbra 8.8.15 Patch 34 All an adversary seeking needs ...

The International Criminal Police Organization, also called the Interpol, has announced the arrests of 75 individuals as part of a coordinated global operation against an organized cyber crime syndicate called  Black Axe . "'Black Axe' and other West African organized crime groups have developed transnational networks, defrauding victims of millions while channeling their profits into lavish lifestyles and other criminal activities, from drug trafficking to sexual exploitation," the agency  said . The law enforcement effort, codenamed Operation Jackal, involved the participation of Argentina, Australia, Côte d'Ivoire, France, Germany, Ireland, Italy, Malaysia, Nigeria, Spain, South Africa, the U.A.E, the U.K., and the U.S. Black Axe, which originated as a confraternity in Nigeria around 1977 before evolving into a mafia group, has not only been linked to killing and scamming operations, but also has been accused of infiltrating the country's political s...

Tata Power Company Limited, India's largest integrated power company, on Friday confirmed it was targeted by a cyber attack. The intrusion on IT infrastructure impacted "some of its IT systems," the company  said  in a filing with the National Stock Exchange (NSE) of India. It further said it has taken steps to retrieve and restore the affected machines, adding it put in place security guardrails for customer-facing portals to prevent unauthorized access. The Mumbai-based electric utility company, part of the Tata Group conglomerate, did not disclose any further details about the nature of the attack, or when it took place. That said, cybersecurity firm Recorded Future in April  disclosed  attacks mounted by China-linked adversaries targeting Indian power grid organizations. The network intrusions were said to have been aimed at "at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and ele...

Details have emerged about a now-patched security flaw in Windows Common Log File System (CLFS) that could be exploited by an attacker to gain elevated permissions on compromised machines. Tracked as  CVE-2022-37969  (CVSS score: 7.8), the issue was addressed by Microsoft as part of its Patch Tuesday updates for September 2022, while also noting that it was being actively exploited in the wild. "An attacker must already have access and the ability to run code on the target system," the company  noted  in its advisory. "This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system." It also credited researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the vulnerability without delving into additional specifics surrounding the nature of the attacks. Now, the Zscaler ThreatLabz researcher team has disclosed that it captured an in-the-wild exploit for the the...

Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19 . The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection. "Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion, during an interactive session with compromised machines," SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich  said  in a report this week. "This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth." WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters,  similar  to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and Reco...

A PHP version of an information-stealing malware called  Ducktail  has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler. "Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information, etc.," Zscaler ThreatLabz researchers Tarun Dewan and Stuti Chaturvedi  said . Ducktail, which emerged on the threat landscape in late 2021, is attributed to an unnamed Vietnamese threat actor, with the malware primarily designed to hijack Facebook business and advertising accounts. The financially motivated cybercriminal operation was  first documented  by Finnish cybersecurity company WithSecure (formerly F-Secure) in late July 2022. While previous versions of the malware were found to use Telegram as a command-and-control (C2) channel to exfiltrate informatio...

With each passing year, the cybersecurity threat landscape continues to worsen. That reality makes cybersecurity analysts some of the most sought-after technology professionals in the world. And there are nowhere near enough of them to meet the demand. At last count, there were over  3.5 million unfilled cybersecurity jobs  worldwide — and that number is still growing. The situation means that it's a great time to become a cybersecurity analyst. What's more, the skyrocketing demand means it's possible to start a lucrative freelance career in the field and take complete control over your professional future. Here's a start-to-finish guide on how to do exactly that. Start With the Right Training The first step on the path to becoming a freelance cybersecurity analyst is to acquire the necessary skills. For those without an existing technology background, the best place to start is with a cybersecurity bootcamp. They're designed to get newcomers up to speed with ba...