The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT. "The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the infection chain," Cisco Talos researcher Chetan Raghuprasad said in a Tuesday analysis. The targeting of Russian-speaking users is an assessment derived from the language used in the phishing emails, the lure content in the malicious documents, links masquerade as Yandex Disk ("disk-yandex[.]ru"), and HTML web pages disguised as VK, a social network predominantly used in the country. Gophish refers to an open-source phishing framework that allows organizations to test their phishing defenses by leveraging easy-to-use templates and launch email-based campaigns that can the...

Details have emerged about a now-patched security flaw in Styra's Open Policy Agent ( OPA ) that, if successfully exploited, could have led to leakage of New Technology LAN Manager ( NTLM ) hashes. "The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server's local user account to a remote server, potentially allowing the attacker to relay the authentication or crack the password," cybersecurity firm Tenable said in a report shared with The Hacker News. The security flaw, described as a Server Message Block (SMB) force-authentication vulnerability and tracked as CVE-2024-8260 (CVSS score: 6.1/7.3), impacts both the CLI and Go software development kit (SDK) for Windows. At its core, the issue stems from an improper input validation that can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user who is currently logged into the Windows device running the OPA application. However, for this to work, the victim ...

Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro. "In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published today. "The attacker first checked the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities." It all starts with the attacker conducting a discovery process to check for public-facing Docker API hosts and the availability of HTTP/2 protocol upgrades in order to follow up with a connection upgrade request to the h2c protocol (i.e., HTTP/2 sans TLS encryption). The adversary also proceeds to check for gRPC methods that are designed to carry out various tasks...

Service accounts are vital in any enterprise, running automated processes like managing applications or scripts. However, without proper monitoring, they can pose a significant security risk due to their elevated privileges. This guide will walk you through how to locate and secure these accounts within Active Directory (AD), and explore how Silverfort's solutions can help enhance your organization's security posture. Understanding Security Accounts Service accounts are specialized Active Directory accounts that provide the necessary security context for services running on servers. Unlike user accounts , they aren't linked to individuals but enable services and applications to interact with the network autonomously. With their high-level permissions, service accounts are attractive targets for attackers if left unmanaged. Hence, proper management and monitoring are critical to prevent security breaches. Finding Service Accounts in Active Directory Due to the sheer number of acco...

Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns. Bumblebee and Latrodectus , which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts. Tracked under the names BlackWidow, IceNova, Lotus, or Unidentified 111, Latrodectus, is also considered to be a successor to IcedID owing to infrastructure overlaps between the two malware families. It has been used in campaigns associated with two initial access brokers (IABs) known as TA577 (aka Water Curupira) and TA578. In May 2024, a coalition of European countries said it dismantled over 100 servers linked to several malware strains such as IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot. "Although Latrodectus was not mentioned in the operation, it was also affected and its ...

Cybersecurity researchers have discovered a number of suspicious packages published to the npm registry that are designed to harvest Ethereum private keys and gain remote access to the machine via the secure shell (SSH) protocol. The packages attempt to "gain SSH access to the victim's machine by writing the attacker's SSH public key in the root user's authorized_keys file," software supply chain security company Phylum said in an analysis published last week. The list of packages identified as part of the campaign, which aim to impersonate the legitimate ethers package , are as follows - ethers-mew (62 downloads) ethers-web3 (110 downloads) ethers-6 (56 downloads) ethers-eth (58 downloads) ethers-aaa (781 downloads) ethers-audit (69 downloads) ethers-test (336 downloads) Some of these packages, most of which have been published by accounts named "crstianokavic" and "timyorks," are believed to have been released for testing purpose...

VMware has released software updates to address an already patched security flaw in vCenter Server that could pave the way for remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), concerns a case of heap-overflow vulnerability in the implementation of the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution," Broadcom-owned virtualization services provider said . The flaw was originally reported by zbl and srs of team TZL at the Matrix Cup cybersecurity competition held in China earlier this year. "VMware by Broadcom has determined that the vCenter patches released on September 17, 2024, did not fully address CVE-2024-38812," the company noted. Patches for the flaw are available in the below vCenter Server versions - 8.0 U3d 8.0 U2e, and  7.0 U3t It's also available as an a...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports of active exploitation as a zero-day. The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could lead to remote code execution. The issue has since been addressed in versions 12.1.3, 12.2.3, and 12.3 and later. Fixes have also been made available for version 10.1.x, 10.2.x, 11.1.x, 11.2.x, and 11.3.x. The development comes weeks after cloud hosting provider Rackspace acknowledged that it "became aware of an issue with the ScienceLogic EM7 Portal," prompting it to take its dashboard offline towards the end of last month. "We have confirmed that the exploit of this third-party application resulted in access to three internal Rackspace monitoring web servers," an a...

Pentest Checklists Are More Important Than Ever Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization's attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically uncover vulnerabilities in various assets like networks, applications, APIs, and systems. They ensure no critical area is overlooked and guide the testing process, making it more efficient and effective at identifying security weaknesses that could be exploited by attackers. A pentest checklist essentially leaves no stone unturned and is a detailed and comprehensive list of every type of vulnerability in which to simulate an attack against. Each asset being tested, however, requires a different pentest checklist tailored to its specific characteristics and risks. For example, a checklist fo...

Hi there! Here's your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date. In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe. Let's get started! ⚡ Threat of the Week China Calls Volt Typhoon an Invention of the U.S. : China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in ...

Cybersecurity researchers have discovered severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data. "The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext," ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said . "Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs." The identified weaknesses are the result of an analysis of five major providers such as Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that's under an adversary's control, which could then be used to target the service providers' users. A brief description of the flaws uncovered in the cloud storage systems is as follows - Sync, in which a maliciou...

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month an email that was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024. "The email appeared to be a message without text, containing only an attached document," it said in an analysis published earlier this week. "However, the email client didn't show the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code." The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting ( XSS ) v...

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks. "In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes," Secureworks Counter Threat Unit (CTU) said in an analysis published this week. "In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024." The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267 . The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea's strategic and financial interests, refers to an insider threat...