The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

More than 500 hosts have been newly compromised en masse by the ESXiArgs ransomware strain, most of which are located in France, Germany, the Netherlands, the U.K., and Ukraine. The  findings  come from attack surface management firm Censys, which  discovered  "two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life." The first set of infections dates back to October 12, 2022, much earlier than when the campaign  began to gain traction  at the start of February 2023. Then on January 31, 2023, the ransom notes on the two hosts are said to have been updated with a revised version that matches the ones used in the current wave. Some of the crucial differences between the two ransom notes include the use of an onion URL instead of a Tox chat ID, a Proton Mail address at the bottom of the note, and a lower ransom demand (1.05 Bitcoin vs. 2.09 Bitcoin). "Each variant of the ran...

The North Korea-linked threat actor tracked as  APT37  has been linked to a piece of new malware dubbed  M2RAT  in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is an element within North Korea's Ministry of State Security (MSS) unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau (RGB). According to Google-owned Mandiant, MSS is tasked with "domestic counterespionage and overseas counterintelligence activities," with APT37's attack campaigns reflective of the agency's priorities. The operations have historically singled out individuals such as defectors and human rights activists. "APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests," the threat intelli...

Bad actors love to deliver threats in files. Persistent and persuasive messages convince unsuspecting victims to accept and open files from unknown sources, executing the first step in a cyber attack.  This continues to happen whether the file is an EXE or a Microsoft Excel document. Far too often, end users have an illusion of security, masked by good faith efforts of other users and (ineffective) security controls. This creates a virality effect for ransomware, malware, spyware, and annoying grayware and adware to be spread easily from user to user and machine to machine. To stop users from saying, "I reject your reality and substitute my own!" – it's time to bust some myths about file-based attacks.  Testing in three! Two! One!   Register here and join Zscaler's Vinay Polurouthu, Principal Product Manager, and Amy Heng, Product Marketing Manager, to: Bust the 9 most common assumptions and myths about file-based threats Uncover the latest evasion trends and d...

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it. Let me introduce them. Alex Delay , CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead , Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity's targeted RNA therapeutics. Last but not least, Michael Francess , Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments. Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker -...

A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos  said  it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company, primarily focuses on individuals, small businesses, and large organizations located in the U.S., and to a lesser extent in the U.K., Turkey, and the Philippines. The starting point that kicks off the multi-stage attack chain is a phishing email bearing a malicious ZIP file that's used as a pathway to deliver either the clipper or the ransomware. In addition to using cryptocurrency-themed email lures impersonating CoinPayments, the threat actor is also known to erase infection markers in an attempt to cover its tracks. MortalKombat, first detected in January 2023, is capable...

In an ideal world, security and development teams would be working together in perfect harmony. But we live in a world of competing priorities, where DevOps and security departments often butt heads with each other. Agility and security  are often at odds with each other— if a new feature is  delivered quickly but  contains security vulnerabilities, the SecOps team will need to scramble the release and patch the vulnerabilities, which can take days or weeks. On the other hand, if the SecOps team takes too long to review and approve a new feature, the development team will get frustrated with the slow pace of delivery. Security needs to move slowly and cautiously, while development wants to "move fast and break things" and release new features quickly. DevOps teams can view security as an impediment to their work instead of an important part of the process. With each team pulling in opposite directions, there is often tension and conflict between the two teams, slowing ...

Cybersecurity researchers have unearthed a new piece of evasive malware dubbed  Beep  that's designed to fly under the radar and drop additional payloads onto a compromised host. "It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find," Minerva Labs researcher Natalie Zargarov  said . "One such technique involved delaying execution through the use of the  Beep API function , hence the malware's name." Beep comprises three components, the first of which is a dropper that's responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it. The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it's not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called  process hollowing . The payload is an ...

Google announced on Tuesday that it's officially rolling out  Privacy Sandbox on Android  in beta to eligible mobile devices running Android 13. "The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant  said . "Apps that choose to participate in the Beta can use these APIs to show you relevant ads and measure their effectiveness." Devices that have been selected for the Beta test will have a Privacy Sandbox section within Settings so as to allow users to control their participation as well as view and manage their top interests as determined by the  Topics API  to serve relevant ads. The initial  Topics taxonomy  is set to include somewhere between a few hundred and a few thousand topics,  according to Google , and will be human-curated to exclude sensitive topics. The Beta test is expected to star...

Microsoft on Tuesday released  security updates  to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild. The updates are in addition to 22 flaws the Windows maker  patched  in its Chromium-based Edge browser over the past month. Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws. The three zero-days of note that have been exploited are as follows - CVE-2023-21715  (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21823  (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability CVE-2023-23376  (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability "The attack itself is carried out locally by a user with authentication to the targeted system," Microsoft said in advisory for...

The threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners and infect over 10,800 websites. "The main objective is still ad fraud by artificially increasing traffic to pages which contain the AdSense ID which contain Google ads for revenue generation," Sucuri researcher Ben Martin  said  in a report published last week. Details of the malicious activity were  first exposed  by the GoDaddy-owned company in November 2022. The campaign, which is said to have been active since September last year, is orchestrated to redirect visitors to compromised WordPress sites to fake Q&A portals. The goal, it appears, is to increase the authority of spammy sites in search engine results. "It's possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results," Sucuri noted at ...

Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with  clipper malware . Software supply chain security company Phylum, which  spotted the libraries , said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022. The initial vector entails using  typosquatting  to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others. "After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session," Phylum  said  in a report published last year. "When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker's address." This is achieved by creating a Chromium web browser extension in the W...

One thing is clear. The " business value"  of data continues to grow, making it an organization's primary piece of intellectual property. From a cyber risk perspective, attacks on data are the most prominent threat to organizations.  Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as the IT infrastructure & systems that store the data. What Impact Does This Have On The Security Of Storage & Backup Systems? Just a few years ago, almost no CISO thought that storage & backups were important. That's no longer the case today.  Ransomware has pushed backup and recovery back onto the IT and corporate agenda. Cybercriminals, such as Conti, Hive and REvil, are  targeting storage and backup  systems, to prevent recovery. Some ransomwares – Locky and Crypto, for example – now bypass production systems altogether, and directly target backups. ...

Microsoft on Monday attributed a China-based cyber espionage actor to a set of attacks targeting diplomatic entities in South America. The tech giant's Security Intelligence team is tracking the cluster under the emerging moniker  DEV-0147 ,  describing  the activity as an "expansion of the group's data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe." The threat actor is said to use established hacking tools such as ShadowPad to infiltrate targets and maintain persistent access. ShadowPad, also called PoisonPlug, is a  successor  to the  PlugX remote access trojan  and has been widely put to use by Chinese adversarial collectives with links to the Ministry of State Security (MSS) and People's Liberation Army (PLA), per Secureworks. One of the other malicious tools utilized by DEV-0147 is a webpack loader called QuasarLoader , which allows for deploying additional payloads onto the compro...