The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

PoC Exploit Released for Critical VMware Aria's SSH Auth Bypass Vulnerability

Sep 03, 2023 Network Security / Vulnerability
Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight). The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," VMware said earlier this week. Summoning Team's Sina Kheirkhah, who published the PoC following an analysis of the patch released by VMware, said the root cause can be traced back to a bash script containing a method named refresh_ssh_keys(), which is responsible for overwriting the current SSH keys for the support and ubuntu users in the authorized_keys file. "There is SSH authentication in place; however, VMware forgot to regenerat...
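The practical consequence of "no unique key generation" is that one public key authorizes logins on every appliance in a fleet. The following audit, added here as an example and not VMware's code or the published PoC, fingerprints each authorized_keys entry collected from a set of hosts and reports any key that grants access on more than one of them; the host names, user names and key blobs are constructed sample data, and the SSH wire encoding used to build them is only there so the sample parses.

```python
"""Fleet-wide audit for SSH authorized_keys entries that recur across appliances.

Added example; this is not VMware's code and not the published PoC. The
root cause described above is that appliances shipped with the same SSH
key material for the 'support' and 'ubuntu' users, so a key that opens one
install opens them all. This check fingerprints every authorized_keys entry
collected per host and reports any public key that grants access on more
than one host. Host names, user names and keys below are constructed data.
"""
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) per key line.

    A leading options field (e.g. 'no-pty,no-agent-forwarding') is skipped.
    Options containing quoted spaces are not handled; such lines are ignored.
    """
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        yield fields[idx], fp, " ".join(fields[idx + 2:])


def shared_keys(fleet: dict) -> dict:
    """fleet: {host: {user: authorized_keys_text}}.

    Returns {fingerprint: [(host, user), ...]} restricted to fingerprints that
    authorize access on more than one host, i.e. the 'no unique key' condition.
    """
    seen = defaultdict(set)
    for host, users in fleet.items():
        for user, text in users.items():
            for _, fp, _ in parse_authorized_keys(text):
                seen[fp].add((host, user))
    return {fp: sorted(locs) for fp, locs in seen.items()
            if len({h for h, _ in locs}) > 1}


def _blob(key_type: str, payload: bytes) -> str:
    """Minimal SSH public-key wire encoding (string(type) || string(payload)) for sample keys."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(payload)).decode()


# Constructed sample keys (payload bytes are not real key material).
SHARED_KEY = "ssh-ed25519 " + _blob("ssh-ed25519", b"\x11" * 32) + " support@build-image"
UNIQUE_A = "ssh-ed25519 " + _blob("ssh-ed25519", b"\x22" * 32) + " admin@aria-01"
UNIQUE_B = "ssh-ed25519 " + _blob("ssh-ed25519", b"\x33" * 32) + " admin@aria-02"

SAMPLE_FLEET = {
    "aria-01": {"support": SHARED_KEY + "\n",
                "ubuntu": SHARED_KEY + "\n" + UNIQUE_A + "\n"},
    "aria-02": {"support": SHARED_KEY + "\n", "ubuntu": UNIQUE_B + "\n"},
    "aria-03": {"support": "no-pty,no-agent-forwarding " + SHARED_KEY + "\n"},
}

if __name__ == "__main__":
    for fp, locs in shared_keys(SAMPLE_FLEET).items():
        print(fp, "is authorized on:", ", ".join(f"{h}:{u}" for h, u in locs))
```

In practice the `fleet` mapping is built by pulling `/home/<user>/.ssh/authorized_keys` (and `/root/.ssh/authorized_keys`) from each appliance; any fingerprint reported here should be rotated on every host it appears on, not just the one where it was noticed.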
Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges

Sep 02, 2023 Cyber Attack / Social Engineering
Identity services provider Okta on Friday warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions. "In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users," the company said. The adversary then moved to abuse the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. The campaign, per the company, took place between July 29 and August 19, 2023. Okta did not disclose the identity of the threat actor, but the tactics exhibit all the hallmarks of an activity cluster known as Muddled Libra, which is said to share some degree of overlap with Scattered Spider and Scatter Swine. Central to the attacks is a comme...
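The pattern above leaves a recognisable trace in the Okta System Log: a help-desk-initiated reset of every MFA factor on a privileged account, followed shortly by that account signing into the admin console from somewhere it has not been seen before. The detection below is an added example, not Okta's code or its published indicators; `user.mfa.factor.reset_all` and `user.session.access_admin_app` are Okta System Log event types, while the sample events, the privileged-user list and the 24-hour window are constructed assumptions to be tuned locally.

```python
"""Detection over Okta System Log events for the help-desk MFA-reset pattern.

Added example, not Okta's code or its published indicators. It flags a
'user.mfa.factor.reset_all' event (every enrolled factor cleared, the
outcome the service-desk calls aim for) against a privileged account that
is followed, within a window, by a successful 'user.session.access_admin_app'
(admin console sign-in) by that same account from a client IP the account
had not used before the reset. Both event types are Okta System Log
eventType values; the events, users and IPs are constructed sample data, and
the privileged-user list and 24-hour window are assumptions to tune locally.
"""
import json
from datetime import datetime, timedelta

RESET_EVENT = "user.mfa.factor.reset_all"
ADMIN_APP_EVENT = "user.session.access_admin_app"
WINDOW = timedelta(hours=24)


def _ts(published):
    return datetime.fromisoformat(published.replace("Z", "+00:00"))


def _actor(ev):
    return ev.get("actor", {}).get("alternateId")


def _client_ip(ev):
    return ev.get("client", {}).get("ipAddress")


def _target_user(ev):
    return next((t.get("alternateId") for t in ev.get("target", [])
                 if t.get("type") == "User"), None)


def find_suspicious_resets(events, privileged_users, window=WINDOW):
    """Return findings for reset_all -> admin-app access from a new IP."""
    events = sorted(events, key=lambda e: _ts(e["published"]))
    findings = []
    for i, ev in enumerate(events):
        user = _target_user(ev)
        if ev.get("eventType") != RESET_EVENT or user not in privileged_users:
            continue
        reset_at = _ts(ev["published"])
        # Client IPs this account used before its factors were reset.
        known_ips = {_client_ip(e) for e in events[:i]
                     if _actor(e) == user and _client_ip(e)}
        for later in events[i + 1:]:
            if _ts(later["published"]) - reset_at > window:
                break                      # events are sorted; nothing later qualifies
            if (later.get("eventType") == ADMIN_APP_EVENT
                    and _actor(later) == user
                    and later.get("outcome", {}).get("result") == "SUCCESS"
                    and _client_ip(later) not in known_ips):
                findings.append({
                    "user": user,
                    "reset_by": _actor(ev),
                    "reset_at": ev["published"],
                    "admin_access_at": later["published"],
                    "new_ip": _client_ip(later),
                })
    return findings


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


PRIVILEGED_USERS = {"alice@example.com", "carol@example.com"}   # assumption: Super Admin holders

# Constructed sample System Log, one JSON event per line (fields trimmed to those used).
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2023-08-01T08:00:00.000Z","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.50"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2023-08-01T09:00:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2023-08-01T14:00:00.000Z","actor":{"alternateId":"helpdesk@example.com"},"client":{"ipAddress":"203.0.113.2"},"target":[{"type":"User","alternateId":"alice@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.access_admin_app","published":"2023-08-01T14:20:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2023-08-01T15:00:00.000Z","actor":{"alternateId":"helpdesk@example.com"},"client":{"ipAddress":"203.0.113.2"},"target":[{"type":"User","alternateId":"bob@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2023-08-02T10:00:00.000Z","actor":{"alternateId":"helpdesk@example.com"},"client":{"ipAddress":"203.0.113.2"},"target":[{"type":"User","alternateId":"carol@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.access_admin_app","published":"2023-08-02T10:30:00.000Z","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.50"},"target":[],"outcome":{"result":"SUCCESS"}}
"""

if __name__ == "__main__":
    for f in find_suspicious_resets(load_jsonl(SAMPLE_LOG), PRIVILEGED_USERS):
        print(json.dumps(f))
```

Only Alice's reset produces a finding: Bob is not on the privileged list, and Carol's later admin sign-in comes from an IP she had already used before her reset. The "known IP" baseline here is only what is in the supplied events, so in production it should be seeded from a longer look-back than the detection window itself.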
Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Sep 01, 2023 Database Security / Ransomware
Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure are employed. "Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. "The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld." Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance. The next stage entails taking steps to impair the system firewall and establish persistence by connecting to a remote SMB share...
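Both of the initial steps described above, a password-guessing burst that eventually succeeds and the subsequent enabling of xp_cmdshell, are written to the SQL Server ERRORLOG in plain text. The script below is an added example, not Securonix's code or detection content: it parses constructed ERRORLOG lines in the real format (timestamp, source, message) and raises one finding for a client IP whose run of `Login failed` messages is followed by a `Login succeeded` from the same address, and another for the `Configuration option 'xp_cmdshell' changed from 0 to 1` message that `sp_configure` writes. It assumes login auditing is set to record successful as well as failed logins; the IPs, timestamps and thresholds are constructed.

```python
"""Detection over SQL Server ERRORLOG lines for the DB#JAMMER access chain.

Added example, not Securonix's code or rule content. It reads the plain-text
ERRORLOG format (timestamp, source, message) and raises two kinds of finding:
a client IP that logs a burst of 'Login failed' messages followed by a
'Login succeeded' from the same IP (brute force that worked), and a
"Configuration option 'xp_cmdshell' changed from 0 to 1" message, which is
what sp_configure writes when the shell-command option is switched on.
Successful logins appear in ERRORLOG only when login auditing covers them,
an assumption here. The log lines, IPs and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
FAIL = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
OK = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings from one ERRORLOG text."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside window
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]
        if (f := FAIL.search(msg)):
            q = recent_failures[f["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            continue
        if (s := OK.search(msg)):
            q = recent_failures[s["ip"]]
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:        # success right after a guessing burst
                findings.append({"kind": "brute_force_success", "ip": s["ip"], "user": s["user"],
                                 "failed_attempts": len(q), "at": m["ts"]})
                q.clear()
            continue
        if (c := CONFIG.search(msg)) and c["opt"] == "xp_cmdshell" and c["new"] == "1":
            findings.append({"kind": "xp_cmdshell_enabled", "spid": m["src"], "at": m["ts"]})
    return findings


# Constructed ERRORLOG excerpt in the real format; IPs are documentation ranges.
SAMPLE_LOG = """
2023-08-30 02:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 02:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-30 02:14:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-30 02:14:05.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-30 02:14:08.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-30 02:14:11.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-30 02:14:13.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-30 02:14:15.50 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
2023-08-30 02:15:02.00 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-30 02:15:02.10 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-30 09:30:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 09:30:20.00 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The single failed login from 203.0.113.5 stays below the threshold and is not reported. The `xp_cmdshell` finding is worth alerting on by itself, independent of the brute-force one: on a server where nobody is expected to run OS commands through SQL, the option flipping to 1 is a change that should have a ticket behind it.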
BaitTrap: Over 17,000 Fake News Websites Caught Fueling Investment Fraud Globally

Jul 08, 2025 Financial Scams / Online Security
A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries. These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial brands, all claiming to back new ways to earn passive income. The goal? Build trust quickly and steer readers toward professional-looking scam platforms like Trap10, Solara Vynex, or Eclipse Earn. Scammers use sponsored ads on Google, Meta, and blog networks to push traffic to these sites. Ads often carry clickbait headlines—"You won't believe what a prominent public figure just revealed"—paired with official photos or national flags to make them feel legit. Clicking the ad directs users to a fake article, which then redirects them to a fraudulent trading platform. Many of these scams follow a...
Russian State-Backed 'Infamous Chisel' Android Malware Targets Ukrainian Military

Sep 01, 2023 Cyber Espionage / Malware
Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military. The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to "enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information." Some aspects of the malware were uncovered by the Security Service of Ukraine (SBU) earlier in August, highlighting unsuccessful attempts on the part of the adversary to penetrate Ukrainian military networks and gather valuable intelligence. It's said that Russian forces captured tablets used by Ukraine on the battlefield, using them as a foothold to remotely disseminate the malware to other devices by using the Android Debug Bridge (ADB) command-line tool. Sandworm, also known b...
New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists

Sep 01, 2023
A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear. The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report. The LNK file, upon execution, launches a PowerShell command to execute a Visual Basic script that, in turn, fetches the next-stage payloads from a legitimate but compromised WordPress website. This includes the Autoit3.exe binary ("solmir.pdb") and an AutoIt script ("solmir_1.pdb") that's launched using the former. The AutoIt script, for its part, performs process injection using a process hollowing technique, in which malicious code is inserted into a process that's in a suspended state. In this case, an instance of Explorer.exe is spawned to inject a never-before-seen RAT referred...
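The execution chain in that summary is unusual at every hop: PowerShell starting a script host, the script host starting an AutoIt interpreter, and that interpreter starting Explorer.exe, which on a normal desktop is started by userinit.exe or by Explorer itself. The check below is an added example, not Interlabs' code; it rebuilds process ancestry from constructed process-creation records modelled on Sysmon event ID 1 fields (pid, parent pid, image path) and flags both the scripted hand-off sequence and an Explorer.exe with an unexpected parent. The parent allow-list is an assumption.

```python
"""Process-ancestry check for the LNK -> PowerShell -> VBScript -> AutoIt chain.

Added example, not Interlabs' code. The summary above describes a shortcut
that runs PowerShell, which runs a Visual Basic script, which launches
Autoit3.exe, which spawns a suspended Explorer.exe to hollow. Given
process-creation events (pid, parent pid, image path), the check rebuilds
each process's ancestry and flags chains that contain the scripted hand-offs
in order, plus any explorer.exe whose parent is not one of the Windows
components that normally starts it. Event records are constructed sample
data modelled on Sysmon event ID 1 fields; the parent allow-list is an
assumption.
"""
import ntpath

# Ordered hand-offs from the write-up; a chain matches if one image from each step appears in order.
SCRIPT_CHAIN = [{"powershell.exe", "pwsh.exe"}, {"wscript.exe", "cscript.exe"}, {"autoit3.exe"}]
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}   # assumption


def basename(image):
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Image basenames from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def _contains_chain(chain, pattern=SCRIPT_CHAIN):
    """True if each pattern step is matched, in order, somewhere along the chain."""
    it = iter(chain)
    return all(any(image in step for image in it) for step in pattern)


def flag_events(events):
    """Return findings as (reason, ancestry chain) tuples."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        child = chain[-1]
        parent = chain[-2] if len(chain) > 1 else None
        if child == "explorer.exe" and parent and parent not in EXPLORER_PARENTS:
            findings.append(("explorer.exe started by an unexpected parent", chain))
        elif child == "autoit3.exe" and _contains_chain(chain):
            findings.append(("scripted AutoIt launch chain", chain))
    return findings


# Constructed sample process-creation records (Sysmon event ID 1 style).
SAMPLE_EVENTS = [
    {"pid": 500,  "ppid": 400,  "image": r"C:\Windows\System32\userinit.exe"},
    {"pid": 1000, "ppid": 500,  "image": r"C:\Windows\explorer.exe"},
    # Chain started by the malicious LNK
    {"pid": 1200, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Users\user\AppData\Local\Temp\Autoit3.exe"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\explorer.exe"},
    # Benign activity
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Python311\python.exe"},
]

if __name__ == "__main__":
    for reason, chain in flag_events(SAMPLE_EVENTS):
        print(reason + ":", " -> ".join(chain))
```

Matching on the ordered chain rather than on a single parent-child pair keeps the rule quiet on hosts where PowerShell legitimately runs scripts: it takes all three hops, in that order, to fire. The second rule catches the hollowing target on its own, which is useful when the earlier stages were not logged.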
It's a Zero-day? It's Malware? No! It's Username and Password

Sep 01, 2023 Unified Identity Protection
As cyber threats continue to evolve, adversaries are deploying a range of tools to breach security defenses and compromise sensitive data. Surprisingly, one of the most potent weapons in their arsenal is not malicious code but simply stolen or weak usernames and passwords. This article explores the seriousness of compromised credentials, the challenges they present to security solutions, and the importance of implementing robust measures to protect Active Directory (AD) environments. Additionally, we introduce Silverfort Unified Identity Protection, a comprehensive solution that offers enhanced security for AD environments against the misuse of compromised credentials. The Power of Stolen Credentials: Full Access to Any Resource In the world of cyberattacks, stolen usernames and passwords are a highly effective means of gaining unauthorized access to networks and systems. They grant adversaries an entry point, allowing them subsequent access to sensitive on-prem and cloud reso...
Classiscam Scam-as-a-Service Raked $64.5 Million During the COVID-19 Pandemic

Sep 01, 2023 Cyber Crime / Online Scam
The Classiscam scam-as-a-service program has reaped the criminal actors $64.5 million in illicit earnings since its emergence in 2019. "Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards," Group-IB said in a new report. "Since then, Classiscam campaigns have become highly automated, and can be run on a host of other services, such as online marketplaces and carpooling sites." A majority of victims are based in Europe (62.2%), followed by the Middle East and Africa (18.2%), and the Asia-Pacific (13%). Germany, Poland, Spain, Italy, and Romania accounted for the highest number of fraudulent transactions registered in Classiscam chats. First discovered in 2019, Classiscam is an umbrella term for an operation that encompasses 1,366 distinct groups on Telegram. The activities first targeted R...
SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

Aug 31, 2023 Malware / Cyber Threat
An open-source .NET-based information stealer malware dubbed SapphireStealer is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants. "Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion," Cisco Talos researcher Edmund Brumaghin said in a report shared with The Hacker News. An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to use services from purveyors of stealer malware to carry out various kinds of attacks. Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model, it also gives other threat actors a way to monetize the stolen data to distribute ransomware, conduct data theft,...
North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Aug 31, 2023 Malware / Supply Chain
Three additional rogue Python packages have been discovered in the Python Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype, VMConnect refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically ...
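Two of the three names above (request-plus, requestspro) are the kind of lookalike a purely lexical check can catch before `pip install` runs; the third (tablediter) is not close to prettytable by edit distance at all, which is the limit of this approach. The script below is an added example, not ReversingLabs' tooling: it normalizes requirement names the way PyPI does, then compares them against a watch-list of popular packages by edit distance, with a second pass that strips marketing-style affixes such as "pro" or "plus". The watch-list, the affix list and the requirements file are constructed assumptions.

```python
"""Lexical typosquat check for a requirements file against a watch-list of popular packages.

Added example, not ReversingLabs' tooling. Names are normalized as PyPI
does (lower-case, runs of '-', '_' and '.' collapsed to '-'), then flagged
when within a small edit distance of a watched package, or when equal or
near-equal to one after a marketing-style affix ('pro', 'plus', ...) is
removed. A name such as 'tablediter' is not lexically close to
'prettytable' and is deliberately not caught: this is a review queue, not
a block list. Watch-list, affix list and requirements are constructed.
"""
import re

WATCHED = {"requests", "prettytable", "numpy", "urllib3", "cryptography"}   # assumption
SUFFIXES = ("-pro", "pro", "-plus", "plus", "-py", "py", "-python", "python", "2", "3")  # assumption
PREFIXES = ("python-", "py-", "py")                                                       # assumption
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 project-name normalization."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_affix(name):
    """Yield the name with one trailing, then one leading, affix removed."""
    for a in SUFFIXES:
        if name.endswith(a) and len(name) - len(a) >= 3:
            yield name[: -len(a)].rstrip("-")
    for a in PREFIXES:
        if name.startswith(a) and len(name) - len(a) >= 3:
            yield name[len(a):]


def closest_watched(name):
    """Return (watched_name, reason) if name looks like a typosquat, else None."""
    n = normalize(name)
    if n in WATCHED:
        return None
    for w in WATCHED:
        d = edit_distance(n, w)
        if d <= 2:
            return w, f"edit distance {d} from {w}"
    for stripped in strip_affix(n):
        for w in WATCHED:
            if edit_distance(stripped, w) <= 1:
                return w, f"'{stripped}' after affix removal is within 1 edit of {w}"
    return None


def check_requirements(text):
    """Parse requirements.txt lines and return [(name, watched, reason), ...]."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):        # options such as -r / --index-url
            continue
        m = _NAME.match(line)
        if not m:
            continue
        hit = closest_watched(m.group(1))
        if hit:
            findings.append((m.group(1), hit[0], hit[1]))
    return findings


SAMPLE_REQUIREMENTS = """
# constructed sample requirements.txt
requests==2.31.0
prettytable>=3.8
numpy
request-plus>=1.0      # one letter short of requests, plus a marketing suffix
requestspro            # requests with 'pro' appended
tablediter             # not lexically close to prettytable: not caught by this check
-r other.txt
"""

if __name__ == "__main__":
    for name, watched, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: possible typosquat of {watched} ({reason})")
```

A distance threshold of 2 also catches legitimate neighbours of popular names (a real package whose name is a watched name plus two characters), so the output is meant for a human or a policy that also looks at package age, maintainer history and install-time network activity, which is what separates a lookalike name from a malicious one.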
Numbers Don't Lie: Exposing the Harsh Truths of Cyberattacks in New Report

Aug 31, 2023
How often do cyberattacks happen? How frequently do threat actors target businesses and governments around the world? The BlackBerry® Threat Research and Intelligence Team recently analyzed 90 days of real-world data to answer these questions. Full results are in the latest BlackBerry Global Threat Intelligence Report, but read on for a teaser of several interesting cyber attack statistics. Analyzing Real-World Cyberattacks In their most recent quarterly report, BlackBerry threat researchers analyzed the onslaught of malware-based attacks from December 2022 to February 2023. During that time, BlackBerry's AI-powered endpoint protection solution detected and blocked a total of 1,578,733 malware-based cyberattacks targeting customers. 90 Days of Cyberattacks Based on analysis of cyberattacks detected and blocked during the 90-day window, the BlackBerry Threat Research and Intelligence Team recorded the following statistics: Total number of malware-based attacks:...
Earth Estries' Espionage Campaign Targets Governments and Tech Titans Across Continents

Aug 31, 2023 Cyber Attack / Hacking
A hacking outfit nicknamed Earth Estries has been attributed to a new, ongoing cyber espionage campaign targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. "The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities," Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison said. Active since at least 2020, Earth Estries is said to share tactical overlaps with another nation-state group tracked as FamousSparrow, which was first exposed by ESET in 2021 as exploiting ProxyLogon flaws in Microsoft Exchange Server to penetrate hospitality, government, engineering, and legal sectors. It's worth pointing out that commonalities have also been unearthed between FamousSparrow and UNC4841, an uncategorized activity cluster held respo...
Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security

Aug 30, 2023 Malware / Endpoint Security
New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework. The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month. Microsoft's container architecture (and by extension, Windows Sandbox) uses what's called a dynamically generated image to separate the file system from each container to the host and at the same time avoid duplication of system files. It's nothing but an "operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host," thereby bringing down the overall size for a full OS. "The result is images that contain 'ghost files,' which store no actual data but point to a different volume on the system,"...