The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

An analysis of the indicators of compromise ( IoCs ) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the  supply chain attack targeting 3CX . The findings come from SentinelOne, which  mapped out  the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting that JumpCloud, last week,  attributed  the attack to an unnamed "sophisticated nation-state sponsored threat actor." "The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News. "The research findings reveal a successful and multifaceted approach employed by these actors to infiltrate developer environments." "They actively seek access to tools and networks that can serve as gateways to more extensive opportunitie...

If it seems like Remote Desktop Protocol (RDP) has been around forever, it's because it has (at least compared to the many technologies that rise and fall within just a few years.) The initial version, known as "Remote Desktop Protocol 4.0," was released in 1996 as part of the Windows NT 4.0 Terminal Server edition and allowed users to remotely access and control Windows-based computers over a network connection.  In the intervening decades, RDP has become a widely used protocol for remote access and administration of Windows-based systems. RDP plays a crucial role in enabling remote work, IT support, and system management and has served as the foundation for various remote desktop and virtual desktop infrastructure (VDI) solutions.  The downside of RDP's widespread use is that a Remote Code Execution (RCE) vulnerability in an RDP gateway can have severe consequences, potentially leading to significant damage and compromising the security and integrity of the affec...

The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor called  DeliveryCheck  (aka CAPIBAR or GAMEDAY) that's capable of delivering next-stage payloads. The Microsoft threat intelligence team, in  collaboration  with the Computer Emergency Response Team of Ukraine (CERT-UA), attributed the attacks to a Russian nation-state actor known as  Turla , which is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. It's linked to Russia's Federal Security Service (FSB). "DeliveryCheck is distributed via email as documents with malicious macros," the company  said  in a series of tweets. "It persists via a scheduled task that downloads and launches it in memory. It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets." Successful initial access is also accompanied in some cases by...

Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called  P2PInfect  that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist  said . "This worm is also written in Rust, a highly scalable and cloud-friendly programming language." It's estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023. A notable characteristic of the worm is its ability to infects vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability,  CVE-2022-0543  (CVSS score: 10.0), which has been previously exploited to deliver multiple  malware families  such as  Muhstik ,  Redigo , and  H...

Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent  espionage attack campaign  aimed at its email infrastructure. The tech giant said it's making the change in direct response to increasing frequency and evolution of nation-state cyber threats. It's expected to roll out starting in September 2023 to all government and commercial customers. "Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft,  said . "As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise." As part of this change, users are expected to receive access to...

Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild. The critical shortcoming, tracked as  CVE-2023-38205  (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions: ColdFusion 2023 (Update 2 and earlier versions) ColdFusion 2021 (Update 8 and earlier versions), and ColdFusion 2018 (Update 18 and earlier versions) "Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," the company  said . The update also addresses two other flaws, including a critical deserialization bug ( CVE-2023-38204 , CVSS score: 9.8) that could lead to remote code execution and a second improper access control flaw that could also pave the way for a security bypass ( CVE-2023-38206 , CVSS score: 5.3). The disclosure arrives ...

Attack surfaces are growing faster than security teams can keep up. To stay ahead, you need to know what's exposed and where attackers are most likely to strike. With cloud migration dramatically increasing the number of internal and external targets, prioritizing threats and managing your attack surface from an attacker's perspective has never been more important. Let's look at why it's growing, and how to monitor and manage it properly with tools like  Intruder . What is your attack surface? First, it's important to understand that your attack surface is the sum of your digital assets that are 'exposed' – whether the digital assets are secure or vulnerable, known or unknown, in active use or not. This attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, it's anything that a hacker can attack.  What is attack surface managemen...

U.S. cybersecurity and intelligence agencies have  released  a set of recommendations to address security concerns with 5G standalone network slicing and harden them against possible threats. "The threat landscape in 5G is dynamic; due to this, advanced monitoring, auditing, and other analytical capabilities are required to meet certain levels of network slicing service level requirements over time," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA)  said . 5G is the fifth-generation technology standard for broadband cellular networks, offering increased data speeds and lower latency. Network slicing is an architectural model that allows mobile service providers to partition their network up into several independent "slices" in order to create virtual networks that cater to different clients and use cases. The latest advisory builds upon guidance  previously issued  by the agencies in December 2022, warn...

The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg. "Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data," Lookout  said  in a report shared with The Hacker News. APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to be operational since at least 2007, targeting a wide range of industries to conduct intellectual property theft. Recent attacks mounted by the adversarial collective have  leveraged  an open-source red teaming tool known as Google Command and Control (GC2) as part of attacks aimed at media and job platforms in Taiwan and Italy. ...

On April 5, 2023, the FBI and Dutch National Police  announced the takedown of Genesis Market , one of the largest dark web marketplaces. The operation, dubbed "Operation Cookie Monster," resulted in the arrest of 119 people and the seizure of over $1M in cryptocurrency. You can read the FBI's warrant  here  for details specific to this case. In light of these events, I'd like to discuss how OSINT can assist with dark web investigations. The Dark Web's anonymity attracts a variety of users, from whistleblowers and political activists to cybercriminals and terrorists. There are several techniques that can be used to try and identify the individuals behind these sites and personas. Technical Vulnerabilities While not considered OSINT, there have been instances when technical vulnerabilities have existed in the technology used to host dark websites. These vulnerabilities may exist in the software itself or be due to misconfigurations, but they can sometimes revea...

Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors tamper with application images and infect users, leading to supply chain attacks. The issue, dubbed  Bad.Build , is rooted in the  Google Cloud Build service , according to cloud security firm Orca, which discovered and reported the issue. "By abusing the flaw and enabling an impersonation of the default Cloud Build service, attackers can manipulate images in the Google Artifact Registry and inject malicious code," the company  said  in a statement shared with The Hacker News. "Any applications built from the manipulated images are then affected and, if the malformed applications are meant to be deployed on customer's environments, the risk crosses from the supplying organization's environment to their customers' environments, constituting a major supply chain risk." Following responsible disclosure, Google has  issued  a ...

The U.S. government on Tuesday added two foreign commercial spyware vendors, Cytrox and Intellexa, to an economic blocklist for weaponizing cyber exploits to gain unauthorized access to devices and "threatening the privacy and security of individuals and organizations worldwide." This includes the companies' corporate holdings in Hungary (Cytrox Holdings Crt), North Macedonia (Cytrox AD), Greece (Intellexa S.A.), and Ireland (Intellexa Limited). By adding to the economic denylist, it prohibits U.S. companies from transacting with these businesses. "Recognizing the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights abuses, the Commerce Department's action today targets these entities' ability to access commodities, software, and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights," the Bureau of Indus...