The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle ( AitM ) phishing and business email compromise (BEC) attack, Microsoft has revealed. "The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant  disclosed  in a Thursday report. Microsoft, which is tracking the cluster under its emerging moniker  Storm-1167 , called out the group's use of indirect proxy to pull off the attack. This enabled the attackers to flexibly tailor the phishing pages to their targets and carry out session cookie theft, underscoring the continued sophistication of AitM attacks. The modus operandi is unlike other AitM campaigns where the decoy pages act as a  reverse proxy  to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims. "The attacker presented targets with a website th...

The threat actor known as  Asylum Ambuscade  has been observed straddling cybercrime and cyber espionage operations since at least early 2020. "It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe," ESET  said  in an analysis published Thursday. "Asylum Ambuscade also does espionage against government entities in Europe and Central Asia." Asylum Ambuscade was  first documented  by Proofpoint in March 2022 as a nation-state-sponsored phishing campaign that targeted European governmental entities in an attempt to obtain intelligence on refugee and supply movement in the region. The goal of the attackers, per the Slovak cybersecurity firm, is to siphon confidential information and web email credentials from official government email portals. The attacks start off with a spear-phishing email bearing a malicious Excel spreadsheet attachment that, when opened, either exploits V...

The way we work has undergone a dramatic transformation in recent years. We now operate within digital ecosystems, where remote work and the reliance on a multitude of digital tools is the norm rather than the exception. This shift – as you likely know from your own life – has led to superhuman levels of productivity that we wouldn't ever want to give up. But moving fast comes at a cost. And for our digital work environment, that cost is security.  Our desire for innovation, speed and efficiency has birthed new and complex security challenges that all in some way or another revolve around securing how we access resources. Because of this, effective access management now plays a more critical role in securing the modern workplace than ever. Follow along as we uncover five reasons why this is the case. Educating People About Security is Not Working For years, we've held the belief that educating people about cyberthreats would make them more cautious online. Yet, despite 17 y...

A new custom backdoor dubbed  Stealth Soldier  has been deployed as part of a set of highly-targeted espionage attacks in North Africa. "Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information," cybersecurity company Check Point  said  in a technical report. The ongoing operation is characterized by the use of command-and-control (C&C) servers that mimic sites belonging to the Libyan Ministry of Foreign Affairs. The earliest artifacts associated with the campaign date back to October 2022. The attacks commence with potential targets downloading bogus downloader binaries that are delivered via social engineering attacks. The intermediate payloads act as a conduit for retrieving Stealth Soldier, while simultaneously displaying a decoy empty PDF file. The custom modular implant, which is believed to be used s...

Details have emerged about a now-patched actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems. The vulnerability, tracked as  CVE-2023-29336 , is rated 7.8 for severity and concerns an elevation of privilege bug in the Win32k component. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft  disclosed  in an advisory issued last month as part of Patch Tuesday updates. Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra were credited with discovering and reporting the flaw. Win32k.sys is a kernel-mode driver and an integral part of the Windows architecture, being responsible for graphical device interface (GUI) and window management. While the exact specifics surrounding in-the-wild abuse of the flaw is presently not known, Numen Cyber has deconstructed the patch released by Microsoft to craft a proof-of-concept ( PoC ) expl...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a  recently disclosed critical flaw  in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer," the agencies  said . "Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases." The prolific cybercrime gang has since  issued an ultimatum  to several impacted businesses, urging them to get in touch by June 14, 2023, or risk getting all their stolen data published. Microsoft is tracking the activity under the moniker  Lace Tempest  (aka Storm-...

APIs, more formally known as application programming interfaces, empower apps and microservices to communicate and share data. However, this level of connectivity doesn't come without major risks. Hackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or even take control of the entire system. Therefore, it's essential to have a robust API security posture to protect your organization from potential threats. What is API posture management? API posture management refers to the process of monitoring and managing the security posture of your APIs. It involves identifying potential vulnerabilities and misconfigurations that could be exploited by attackers, and taking the necessary steps to remediate them. Posture management also helps organizations classify sensitive data and ensure that it's compliant with the leading data compliance regulations such as GDPR, HIPAA, and PCI DSS.  As mentioned above, APIs are a popular target for attackers...

VMware has  released  security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The most critical of the three vulnerabilities is a command injection vulnerability tracked as  CVE-2023-20887  (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution. Also patched by VMware is another  deserialization vulnerability  ( CVE-2023-20888 ) that's rated 9.1 out of a maximum of 10 on the CVSS scoring system. "A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution," the company said in an advisory. The third security defect is a high-severity information disclosure bug ( CVE-2023-20889 , CVSS score: 8.8) that could permit an actor with network access to perform a command injection attack and...

The North Korean nation-state threat actor known as  Kimsuky  has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky's objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne  said  in a report shared with The Hacker News. "To achieve this, the group distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form that is presented to the target is designed to capture entered credentials." NK News , established in 2011, is an American subscription-based news website that provides stories and analysis about North Korea. The disclosure comes days after U.S. and South Korean intelligence agencies  issued an alert  warning of Kimsuky's use of social engineering tactics to stri...

Enterprise security company Barracuda is now urging customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company  said  in an update, adding its "remediation recommendation at this time is full replacement of the impacted ESG." While the company did not disclose the reasons behind the move, it's likely an indication that the threat actors behind the campaign managed to tamper with the firmware on a much deeper level that a patch cannot completely address. The latest development comes as Barracuda  disclosed  that a critical flaw in the devices (CVE-2023-2868, CVSS score: 9.8) had been exploited as a zero-day for at least seven months since October 2022 to deliver bespoke malware and steal data. The  vulnerability  concerns a case of remote code injection affecting version...

Microsoft has agreed to pay a penalty of $20 million to settle U.S. Federal Trade Commission (FTC) charges that the company illegally collected and retained the data of children who signed up to use its Xbox video game console without their parents' knowledge or consent. "Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," FTC's Samuel Levine  said . "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from  COPPA ." As part of the proposed settlement, which is pending court approval, Redmond has been ordered to update its account creation process for children to prevent the collection and storage of data, including obtaining parental consent and deleting said information within two weeks if approval is not obtained. The privacy protections also extend to third-par...

Get exclusive insights from a real ransomware negotiator who shares authentic stories from network hostage situations and how he managed them. The Ransomware Industry Ransomware is an industry. As such, it has its own business logic: organizations pay money, in crypto-currency, in order to regain control over their systems and data. This industry's landscape is made up of approximately 10-20 core threat actors who originally developed the ransomware's malware. To distribute the malware, they work with affiliates and distributors who utilize widespread  phishing attacks  to breach organizations. Profits are distributed with approximately 70% allocated to the affiliates and 10%-30% to these developers. The use of phishing renders online-based industries, like gaming, finance and insurance, especially vulnerable.  In addition to its financial motivations, the ransomware industry is also influenced by geo-political politics. For example, in June 2021, following the ranso...