The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A shellcode-based  packer  dubbed  TrickGate  has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years. "TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically," Check Point Research's Arie Olshtein  said , calling it a "master of disguises." Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism. "Packers have different features that allow them to circumvent detection mechanisms by appearing as benign files, being difficult to reverse engineer, or incorporating sandbox evasion tec...

Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as  CVE-2022-27596 , the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1. "If exploited, this vulnerability allows remote attackers to inject malicious code," QNAP  said  in an advisory released Monday. The exact technical specifics surrounding the flaw are unclear, but the NIST National Vulnerability Database (NVD) has categorized it as an SQL injection vulnerability. This means an attacker could send specially crafted SQL queries such that they could be weaponized to bypass security controls and access or alter valuable information. "Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack," according to  MI...

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. As a result, the company is  taking the step  of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Versions 1.63.0 and 1.63.1 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a  previous version  (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. GitHub Desktop for Windows is not affected. The Microsoft-owned subsidiary said it detected unauthorized access to a set of repositories, including those from deprecated GitHub-owned organizations, used in the planning and development of GitHub Desktop and Atom on December 7, 2022. The repositories ...

A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries. These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial brands, all claiming to back new ways to earn passive income. The goal? Build trust quickly and steer readers toward professional-looking scam platforms like Trap10, Solara Vynex, or Eclipse Earn. Scammers use sponsored ads on Google, Meta, and blog networks to push traffic to these sites. Ads often carry clickbait headlines—"You won't believe what a prominent public figure just revealed"—paired with official photos or national flags to make them feel legit. Clicking the ad directs users to a fake article, which then redirects them to a fraudulent trading platform. Many of these scams follow a...

A new Golang-based information stealer malware dubbed  Titan Stealer  is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi  said  in a recent report. Details of the malware were  first documented  by cybersecurity researcher Will Thomas (@BushidoToken) in November 2022 by querying the IoT search engine Shodan. Titan is offered as a builder, enabling customers to customize the malware binary to include specific functionalities and the kind of information to be exfiltrated from a victim's machine. The malware, upon execution, employs a technique known as  process hollowing  to inject the malicious payload into the memory of a legitima...

Researchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months. Close to 50% of the attacks originated from the U.S. (48.3%), followed by Vietnam (17.8%), Russia (14.6%), The Netherlands (7.4%), France (6.4%), Germany (2.3%0, and Luxembourg (1.6%). What's more, 95% of the attacks leveraging the security shortcoming that emanated from Russia singled out organizations in Australia. "Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices," Unit 42 researchers  said  in a report, adding "threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world." The vulnerability in q...

The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is  monitoring  the activity cluster under the moniker  UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as  Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, whereas SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically  IcedID ,...

Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling  Windows Extended Protection  and configuring  certificate-based signing  of PowerShell serialization payloads. "Attackers looking to exploit unpatched Exchange servers are not going to go away," the tech giant's Exchange Team  said  in a post. "There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts." Microsoft also emphasized mitigations issued by the company are only a stopgap solution and that they can "become insufficient to protect against all variations of an attack," necessitating that users install necessary security updates to secure the servers. Exchange Server has been proven to be a lucrative attack vector in recent years, what with a number of security flaws in the software weaponized as zero-d...

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. "A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said  in an advisory released Friday. The open source software is used by major financial firms, national and international carriers, internet service providers (ISPs), retailers, manufacturers, educational institutions, and government entities, according to its  website . All four flaws reside in  named , a  BIND9 service  that functions as an authoritative nameserver for a fixed set of DNS zones or as a recursive resolver for clients on a local network. The list of the bugs, which are rated 7.5 on the CVSS scoring syst...

Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed  SwiftSlicer . ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer," ESET  disclosed  in a series of tweets. The overwrites are achieved by using randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added. "Attackers deployed the SwiftSlicer wiper using Group Policy of Active Directory," Robert Lipovsky, senior malware researcher for ESET, told The Hacker News. "Once SwiftSlicer...

The use of software as a service (SaaS) is experiencing rapid growth and shows no signs of slowing down. Its decentralized and easy-to-use nature is beneficial for increasing employee productivity, but it also poses many security and IT challenges. Keeping track of all the SaaS applications that have been granted access to an organization's data is a difficult task. Understanding the risks that SaaS applications pose is just as important, but it can be challenging to secure what cannot be seen. Many organizations have implemented access management solutions, but these are limited in visibility to only pre-approved applications. The average medium-sized organization has hundreds, and sometimes thousands, of SaaS applications that have been adopted by employees who needed a quick and easy solution or found a free version, completely bypassing IT and security. This leads to a significant risk as many of these applications do not have the necessary security and/or compliance standard...

Cybersecurity researchers have discovered the real-world identity of the threat actor behind  Golden Chickens  malware-as-a-service, who goes by the online persona "badbullzvenom." eSentire's Threat Response Unit (TRU), in an exhaustive report published following a 16-month-long investigation,  said  it "found multiple mentions of the badbullzvenom account being shared between two people." The threat actor, known online as Frapstar and badbullzvenom, is said to identify themselves as "Chuck from Montreal," enabling the cybersecurity firm to piece together the criminal actor's digital footprint. This includes his real name, pictures, home address, the names of his parents, siblings, and friends, along with his social media accounts and his interests. He is also said to be the sole proprietor of a small business that's run from his own home. Golden Chickens, also known as  Venom Spider , is a malware-as-a-service (MaaS) provider that's ...

Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. "This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system," Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn  said . "A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks." The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Among other tools discovered in the compromised environment include the  Gootkit  malware loader and the  Brute Ratel C4  red team framework. The use of Brute Ratel by the Black Basta group was previously  highlighted  by Trend Micro in October 2022, with the software delivered as a...