The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe." Dubbed  DirtyCred  by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw ( CVE-2022-2588 ) to escalate privileges to the maximum level. "DirtyCred is a kernel exploitation concept that swaps unprivileged  kernel credentials  with privileged ones to escalate privilege," researchers Zhenpeng Lin, Yuhang Wu, and Xinyu Xing noted. "Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged." This entails three steps - Free an in-use unprivileged credential with the vulnerability Allocate privileged credentials in the freed memory slot by triggering a privileged userspace process such as su, mount, or sshd Operate as a privileged user The novel exploitation method, according to the resea...

Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the  comic creation of Sacha Baron Cohen ? RAT malware typically helps cybercriminals gain complete control of a victim's system, permitting them to access network resources, files, and power to toggle the mouse and keyboard. Borat RAT malware goes beyond the standard features and enables threat actors to deploy ransomware and  DDoS attacks . It also increases the number of threat actors who can launch attacks, sometimes appealing to the lowest common denominator. The added functionality of carrying out DDoS attacks makes it insidious and a risk to today's digital organizations. Ransomware has been the most common top attack type for over  three years . According to an IBM report, REvil was the most common ransomware strain, consisting of about  37%  of all ransomware attacks. Borat ...

Researchers have disclosed multiple vulnerabilities impacting Ultra-wideband (UWB) Real-time Locating Systems ( RTLS ), enabling threat actors to launch adversary-in-the-middle (AitM) attacks and tamper with location data. "The zero-days found specifically pose a security risk for workers in industrial environments," cybersecurity firm Nozomi Networks  disclosed  in a technical write-up last week. "If a threat actor exploits these vulnerabilities, they have the ability to tamper with safety zones designated by RTLS to protect workers in hazardous areas." RTLS is used to automatically identify and track the location of objects or people in real-time, usually within a confined indoor area. This is achieved by making use of tags that are attached to assets, which broadcast USB signals to fixed reference points called anchors that then determine their location. But flaws identified in RTLS solutions –  Sewio Indoor Tracking RTLS UWB Wi-Fi Kit  and  Avalue Renit...

Bitcoin ATM manufacturer General Bytes confirmed that it was a victim of a cyberattack that exploited a previously unknown flaw in its software to plunder cryptocurrency from its users. "The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user," the company  said  in an advisory last week. "This vulnerability has been present in CAS software since version 2020-12-08." It's not immediately clear how many servers were breached using this flaw and how much cryptocurrency was stolen. CAS is short for  Crypto Application Server , a self-hosted product from General Bytes that enables companies to manage Bitcoin ATM ( BATM ) machines from a central location via a web browser on a desktop or a mobile device. The zero-day flaw, which concerned a bug in the CAS admin interface, has been mitigated in two server p...

Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the  Grandoreiro  banking trojan.  "In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler  said  in a report. The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain. Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archi...

With more data stored in the cloud than ever before, now is a good time to  get into cybersecurity . Many top corporations are looking for new talent, and even junior professionals can earn $80,000 or more. The only barrier to entry is education. How do you learn about security protocols and white hat hacking? Enter the  All-In-One 2022 Super-Sized Ethical Hacking Bundle . This collection of 18 courses provides the perfect launchpad for your new career, and readers of The Hacker News can currently grab it at a massive discount. Reader Offer —  This collection of 18 courses is worth $3,284. But for a limited time, you can get lifetime access to all the training  for only $42.99 ! Knowledge is everything in the world of cybersecurity. The more skills you acquire, the more doors will open within the industry.  This bundle helps you fill your résumé, with 1,686 individual tutorials covering a wide range of topics. You don't need any technical background in orde...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a  critical SAP security flaw  to its  Known Exploited Vulnerabilities Catalog , based on evidence of active exploitation. The issue in question is  CVE-2022-22536 , which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022. Described as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions - SAP Web Dispatcher (Versions - 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87) SAP Content Server (Version - 7.53) SAP NetWeaver and ABAP Platform (Versions - KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49) "An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating ...

The Donot Team threat actor has updated its Jaca Windows malware toolkit with improved capabilities, including a revamped stealer module designed to plunder information from Google Chrome and Mozilla Firefox browsers. The improvements also include a new infection chain that incorporates previously undocumented components to the modular framework, Morphisec researchers Hido Cohen and Arnold Osipov  disclosed  in a report published last week. Also known as APT-C-35 and Viceroy Tiger, the Donot Team is known for setting its sights on defense, diplomatic, government, and military entities in India, Pakistan, Sri Lanka, and Bangladesh, among others at least since 2016. Evidence unearthed by Amnesty International in October 2021  connected  the group's attack infrastructure to an Indian cybersecurity company. Spear-phishing campaigns containing malicious Microsoft Office documents are the preferred delivery pathway for malware, followed by taking advantage of macro...

A financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems. Enterprise security firm Proofpoint, which is tracking the group under the name TA558 dating all the way back to April 2018, called it a "small crime threat actor." "Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT," the company's threat research team  said  in a new report. The group has been operational at a higher tempo in 2022 than usual, with intrusions mainly geared towards Portuguese and Spanish speakers in Latin America, and to a lesser extent in Western Europe and North America. Phishing campaigns mounted by the group involve sending malicious spam messages with reservation-themed lures such as hotel bookings that cont...

Google's cloud division on Thursday disclosed it mitigated a series of HTTPS distributed denial-of-service (DDoS) attacks which peaked at 46 million requests per second (RPS), making it the largest such DDoS offensive recorded to date. The attack, which occurred on June 1, 2022, targeting an unnamed Google Cloud Armor customer, is 76% larger than the  26 million RPS DDoS attack  repealed by Cloudflare earlier this year, surpassing a then-record attack of 17.2 million RPS. "To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds," Google Cloud's Emil Kiner and Satya Konduru  said . It's said to have started around 9:45 a.m. PT with 10,000 RPS, before growing to 100,000 RPS eight minutes later and further ramping up within two minutes to hit a high of 46 million RPS at 10:18 a.m. PT. In all, the DDoS assault lasted for a total of 69 minutes. ...

Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user's device to access sensitive information and camera recordings. The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018. Application security firm Checkmarx  explained  it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app. The app can then be used to get hold of the user's Authorization Token, that can be subsequently leveraged to extract the session cookie by sending this information alongside the device's hardware ID, which is also encoded in the token, to the endpoint "ring[.]com/mobile/authorize." Armed with th...

A .NET-based evasive crypter named  DarkTortilla  has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely  since 2015 . "It can also deliver 'add-on packages' such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks  said  in a Wednesday report. "It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging." Malware delivered by the crypter includes information steakers and remote access trojans (RATs) such as Agent Tesla, AsyncRat, NanoCore, and RedLine Stealer. "DarkTortilla has versatility that similar malware does not," the researchers noted. Crypters are  software tools  that use a  combination  of encryption, obfuscation, and code manipulation of malware so as to  bypass detection  by security solutions. The delive...

The Chinese advanced persistent threat (APT) actor tracked as Winnti has targeted at least 13 organizations geographically spanning across the U.S, Taiwan, India, Vietnam, and China against the backdrop of four different campaigns in 2021. "The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation," cybersecurity firm Group-IB  said  in a report shared with The Hacker News. This also included the attack on Air India that came to light in June 2021 as part of a campaign codenamed  ColunmTK . The other three campaigns have been assigned the monikers DelayLinkTK, Mute-Pond, and Gentle-Voice based on the domain names used in the attacks. APT41, also known as Barium, Bronze Atlas, Double Dragon, Wicked Panda, or Winnti, is a  prolific   Chinese   cyber threat group  that's known to carry out state-sponsored espionage activity in parallel with financially motivated...