The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later adding malicious code to steal sensitive data and mine cryptocurrency on infected systems. The package, named @0xengine/xmlrpc , was originally published on October 2, 2023 as a JavaScript-based XML-RPC server and client for Node.js. It has been downloaded 1,790 times to date and remains available for download from the repository. Checkmarx , which discovered the package, said the malicious code was strategically introduced in version 1.3.4 a day later, harboring functionality to harvest valuable information such as SSH keys, bash history, system metadata, and environment variables every 12 hours, and exfiltrate it via services like Dropbox and file.io. "The attack achieved distribution through multiple vectors: direct npm installation and as a hidden dependency in a legitimate-looking ...

A popular open-source game engine called Godot Engine is being misused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024. "Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique remains undetected by almost all antivirus engines in VirusTotal." It's no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails. The newest addition is Godot Engine , a game development platform that allows users to design 2D and 3D games across platforms , including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web. The multi-platform support also makes it an attract...

U.S. telecom service provider T-Mobile said it recently detected attempts made by bad actors to infiltrate its systems in recent weeks but noted that no sensitive data was accessed. These intrusion attempts "originated from a wireline provider's network that was connected to ours," Jeff Simon, chief security officer at T-Mobile, said in a statement. "We see no instances of prior attempts like this." The company further said its security defenses prevented the threat actors from disrupting its services or obtaining customer information. It has since confirmed that it cut off connectivity to the unnamed provider's network. It did not explicitly attribute the activity to any known threat actor or group, but noted that it has shared its findings with the U.S. government. Speaking to Bloomberg, Simon said the company observed the attackers running discovery-related commands on routers to probe the topography of the network, adding the attacks were containe...

A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720 . As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).  Synacktiv, which reported the flaw to the project maintainers in January 2023, described it as an improper authorization check that allows an attacker to execute malicious code on susceptible servers. "An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files," it said in a report published in Ju...

Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit , it was uploaded to the VirusTotal platform on November 5, 2024. "The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolár and Peter Strýček said . The development is significant as it heralds a shift in the cyber threat landscape where UEFI bootkits are no longer confined to Windows systems alone . It's worth noting that Bootkitty is signed by a self-signed certificate, a...

Multi-stage cyber attacks, characterized by their complex execution chains, are designed to avoid detection and trick victims into a false sense of security. Knowing how they operate is the first step to building a solid defense strategy against them. Let's examine real-world examples of some of the most common multi-stage attack scenarios that are active right now. URLs and Other Embedded Content in Documents Attackers frequently hide malicious links within seemingly legitimate documents, such as PDFs or Word files. Upon opening the document and clicking the embedded link, users are directed to a malicious website. These sites often employ deceptive tactics to get the victim to download malware onto their computer or share their passwords. Another popular type of embedded content is QR codes. Attackers conceal malicious URLs within QR codes and insert them into documents. This strategy forces users to turn to their mobile devices to scan the code, which then directs them to ph...

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor. That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024. "In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said . APT-C-60 is the moniker assigned to a South Korea-aligned cyber espionage group that's known to target East Asian countries. In August 2024, it was observed exploiting a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to drop a custom backdoor called SpyGlace. The attack chain discovered by JPCERT/CC involves the use of a phishing email that contains a link to a file hosted on Goo...

An INTERPOL-led operation has led to the arrest of 1,006 suspects across 19 African countries and the takedown of 134,089 malicious infrastructures and networks as part of a coordinated effort to disrupt cybercrime in the continent. Dubbed Serengeti , the law enforcement exercise took place between September 2 and October 31, 2024, and targeted criminals behind ransomware, business email compromise (BEC), digital extortion, and online scams. The participating nations in the operation were Algeria, Angola, Benin, Cameroon, Côte d'Ivoire, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Mauritius, Mozambique, Nigeria, Rwanda, Senegal, South Africa, Tanzania, Tunisia, Zambia, and Zimbabwe. These activities, which ranged from online credit card fraud and Ponzi schemes to investment and multi-level marketing scams, victimized more than 35,000 people, leading to financial losses nearly amounting to $193 million across the world. In connection with the $6 million online Ponzi ...

A threat actor named Matrix has been linked to a widespread distributed denial-of-service (DDoS) campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet. "This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks," Assaf Morag, director of threat intelligence at cloud security firm Aqua, said . There is evidence to suggest that the operation is the work of a lone wolf actor, a script kiddie of Russian origin. The attacks have primarily targeted IP addresses located in China, Japan, and to a lesser extent Argentina, Australia, Brazil, Egypt, India, and the U.S. The absence of Ukraine in the victimology footprint indicates that the attackers are purely driven by financial motivations, the cloud security firm said. The attack chains are characterized by ...

Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin for WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution. The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781 , carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions 6.44 and 6.45 released this month. Installed on over 200,000 WordPress sites, CleanTalk's Spam protection,f Anti-Spam, FireWall plugin is advertised as a "universal anti-spam plugin" that blocks spam comments, registrations, surveys, and more. According to Wordfence, both vulnerabilities concern an authorization bypass issue that could allow a malicious actor to install and activate arbitrary plugins. This could then pave the way for remote code execution if the activated plugin is vulnerable of its own. The plugin is "vulnerable to unauthorized Arbitrary Plugin ...

When CVEs go viral, separating critical vulnerabilities from the noise is essential to protecting your organization. That's why Intruder, a leader in attack surface management, built Intel ( now known as cvemon ) - a free vulnerability intelligence platform designed to help you act fast and prioritize real threats. What is Intel? Intel was created to fill a gap in the resources available for tracking emerging vulnerabilities. When one of Intruder's go-to tools shut down last year, the team set out to build a solution that would not only meet their needs but also benefit the wider infosec community. Intel tracks the top trending CVEs from the past 24 hours and assigns each a 'hype score' - a rating out of 100, benchmarked against the year's highest levels. Alongside real-time insights, Intel features expert commentary from Intruder's Security team and consolidates the latest information from trusted sources like NVD and CISA, all in one place. 5 Ways Intel Helps You Stay Ahea...

The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems. "In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click) – which in this case led to the installation of RomCom's backdoor on the victim's computer," ESET said in a report shared with The Hacker News. The vulnerabilities in question are listed below - CVE-2024-9680 (CVSS score: 9.8) - A use-after-free vulnerability in Firefox's Animation component (Patched by Mozilla in October 2024)  CVE-2024-49039 (CVSS score: 8.8) - A privilege escalation vulnerability in Windows Task Scheduler (Patched by Microsoft in November 2024) RomCom , also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and...