The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The environmental services industry witnessed an "unprecedented surge" in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic. This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week. "This surge in cyber attacks coincided with  COP 28 , which ran from November 30th to December 12th, 2023," security researchers Omer Yoachimik and Jorge Pacheco  said , describing it as a "disturbing trend in the cyber threat landscape." The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements. "This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is in...

The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group,  new findings  from Forescout show. The intrusions, which  targeted around 22 Danish energy organizations  in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector. The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled  Cyclops Blink  botnet. Forescout's closer examination of the attack campaign, however, has revealed that not only were the t...

Juniper Networks has released updates to fix a critical remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches. The issue, tracked as  CVE-2024-21591 , is rated 9.8 on the CVSS scoring system. "An out-of-bounds write vulnerability in J-Web of Juniper Networks Junos OS SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) or Remote Code Execution (RCE) and obtain root privileges on the device," the company  said  in an advisory. The networking equipment major, which is set to be  acquired by Hewlett Packard Enterprise (HPE)  for $14 billion, said the issue is caused by use of an insecure function allowing a bad actor to overwrite arbitrary memory. The flaw impacts the following versions, and has been fixed in versions 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and later - Junos OS ver...

A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits. The person, described as the "mastermind" behind the operation, was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration." "A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol  said , adding it shared the intelligence with the Ukrainian authorities. The Cyber Police of Ukraine, in a separate announcement, said the suspect "infected the servers of a well-known American company with a miner virus" at least since 2021, using custom brute-force tools to infiltrate 1,500 accounts of the firm. "Using the compromised accounts, the hacker gained access to the management ...

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging  two zero-day vulnerabilities  in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant  said  in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker  UNC5221 .  The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances. Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the vict...

The threat actors associated with the  Medusa ransomware  have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands. "As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data," Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos  said  in a report shared with The Hacker News. "All of these options have a price tag depending on the organization impacted by this group." Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It's known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail. As many...

Picture a cybersecurity landscape where defenses are impenetrable, and threats are nothing more than mere disturbances deflected by a strong shield. Sadly, this image of fortitude remains a pipe dream despite its comforting nature. In the security world, preparedness is not just a luxury but a necessity. In this context, Mike Tyson's famous adage, "Everyone has a plan until they get punched in the face," lends itself to our arena - cyber defenses must be battle-tested to stand a chance. Tyson's words capture the paradox of readiness in cybersecurity: too often, untested cyber defenses can create a false sense of security, leading to dire consequences when real threats land a blow. This is where Breach and Attack Simulation (BAS), a proactive tool in any organization's cybersecurity arsenal, comes into play. When Cybersecurity Meets the Punch - The Assumption Problem Assumptions are the hidden icebergs in cybersecurity's vast ocean. Although we might believ...

GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction. Tracked as  CVE-2023-7028 , the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address. The DevSecOps platform said the vulnerability is the result of a bug in the email verification process, which allowed users to reset their password through a secondary email address. It affects all self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE) using the below versions - 16.1 prior to 16.1.6 16.2 prior to 16.2.9 16.3 prior to 16.3.7 16.4 prior to 16.4.5 16.5 prior to 16.5.6 16.6 prior to 16.6.4 16.7 prior to 16.7.2 GitLab said it addressed the issue in GitLab versions 16.5.6, 16.6.4, and 16.7.2, in addition to backporting the fix to versions 16.1....

Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attacker's use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag  said  in an analysis published earlier this week. "The malware deletes contents of specific directories and modifies system configurations to evade detection." The infection chain targeting Hadoop leverages a misconfiguration in the YARN's (Yet Another Resource Negotiator)  ResourceManager , which is responsible for tracking resources in a cluster and scheduling applications. Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code by means of a crafted HTTP request, subject to the privileges of the user on the node where the code is executed. The ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The issue, tracked as  CVE-2023-29357  (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain administrator privileges. Microsoft  released patches  for the bug as part of its June 2023 Patch Tuesday updates. "An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Redmond said. "The attacker needs no privileges nor does the user need to perform any action." Security researcher Nguyễn Tiến Giang (Jang) of StarLabs SG  demonstrated an exploit  for the flaw at the Pwn2Own Vancouver hacking contest last ye...

The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as  dead drop resolvers , command-and-control, and data exfiltration points. "Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult," Recorded Future  said  in a report shared with The Hacker News. The cybersecurity firm described the approach as "living-off-trusted-sites" (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar. Prominent among the methods by which GitHub is  abused   relates  to  payload   delivery , with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, Reve...

Cybersecurity researchers have  developed  a proof-of-concept (PoC) code that exploits a  recently disclosed critical flaw  in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload. The vulnerability in question is  CVE-2023-51467  (CVSS score: 9.8), a bypass for another severe shortcoming in the same software ( CVE-2023-49070 , CVSS score: 9.8) that could be weaponized to circumvent authentication and remotely execute arbitrary code. While it was fixed in  Apache OFbiz version 18.12.11  released last month, threat actors have been observed attempting to exploit the flaw, targeting vulnerable instances. The latest findings from VulnCheck show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no traces of malicious activity. Security flaws disclosed in Apache OFBiz (e.g.,  CVE-2020-9496 ) have been  exploited  by threat actors ...