The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

As if the exponential rise in phishing scams and malware attacks in the last five years wasn't enough, the COVID-19 crisis has worsened it further. The current scenario has given a viable opportunity to cybercriminals to find a way to target individuals, small and large enterprises, government corporations. According to Interpol's  COVID-19 Cybercrime Analysis Report , based on the feedback of 194 countries, phishing/scam/fraud, malware/ransomware, malicious domains, and fake news have emerged as the biggest digital threats across the world in the wake of the pandemic. Image source: interpol.int There are primarily two reasons for emerging cyber threats in 2020: Most of the population is working, learning, shopping, or running their business from home, where they're using personal devices from the home/public internet connection, which are usually unsafe and hence highly vulnerable to cybercrimes. The cybercriminals are using the COVID-19 theme to exploit people and...

The US Federal Bureau of Investigation (FBI) and Interpol have allegedly seized proxy servers used in connection with Blockchain-based domains belonging to Joker's Stash, a notorious fraud bazaar known for selling compromised payment card data in underground forums. The takedown  happened  last week on December 17. The operators of Joker's Stash operate several versions of the platform, including  Blockchain proxy server domains  — .bazar, .lib, .emc, and .coin — that are responsible for redirecting users to the actual website and two other Tor (.onion) variants. Joker's Stash implemented the use of  Blockchain DNS  via a  Chrome browser extension  in 2017. These Blockchain websites make use of a decentralized DNS where the top-level domains (e.g., .bazar) are not owned by a single central authority, with the lookup records shared over a peer-to-peer network as opposed to a DNS provider, thus bringing in significant advantages like  bul...

The US Cybersecurity Infrastructure and Security Agency (CISA) has  warned  of critical vulnerabilities in a low-level TCP/IP software library developed by Treck that, if weaponized, could allow remote attackers to run arbitrary commands and mount denial-of-service (DoS) attacks. The four flaws affect Treck TCP/IP stack version 6.0.1.67 and earlier and were reported to the company by Intel. Two of these are rated critical in severity. Treck's embedded TCP/IP stack is deployed worldwide in manufacturing, information technology, healthcare, and transportation systems. The most severe of them is a heap-based buffer overflow vulnerability ( CVE-2020-25066 ) in the Treck HTTP Server component that could permit an adversary to crash or reset the target device and even execute remote code. It has a CVSS score of 9.8 out of a maximum of 10. The second flaw is an out-of-bounds write in the IPv6 component ( CVE-2020-27337 , CVSS score 9.1) that could be exploited by an unauthentic...

Law enforcement agencies from the US, Germany, Netherlands, Switzerland, France, along with Europol's European Cybercrime Centre (EC3), announced today the coordinated takedown of Safe-Inet, a popular virtual private network (VPN) service that was used to facilitate criminal activity. The three domains in question — insorg[.]org, safe-inet[.]com, and safe-inet[.]net — were shut down, and their infrastructure seized as part of a joint investigation called "Operation Nova." Europol called Safe-Inet a cybercriminals' " favorite ." A crucial reason for the domains' seizure has been their central role in facilitating ransomware, carrying out web-skimming, spear-phishing, and account takeover attacks. The service, which comes with support for Russian and English languages and has been active for over a decade, offered " bulletproof hosting services " to website visitors, often at a steep price to the criminal underworld. As of December 1, the ...

As the probe into the  SolarWinds supply chain attack  continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft 365 research team  said  on Friday in a post detailing the Sunburst malware. What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL,  Supernova  ("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack. In a  standalone write-up , ...

A team of researchers today unveiled two critical security vulnerabilities in Dell Wyse Thin clients that could have potentially allowed attackers to remotely execute malicious code and access arbitrary files on affected devices. The flaws, which were uncovered by healthcare cybersecurity provider CyberMDX and reported to Dell in June 2020, affects all devices running ThinOS versions 8.6 and below. Dell has addressed both the vulnerabilities in an  update  released today. The flaws also have a CVSS score of 10 out of 10, making them critical in severity. Thin clients are typically computers that run from resources stored on a central server instead of a localized hard drive. They work by establishing a remote connection to the server, which takes care of launching and running applications and storing relevant data. Tracked as CVE-2020-29491 and CVE-2020-29492 , the security shortcomings in Wyse's thin clients stem from the fact that the FTP sessions used to pull firmwar...

Everyone makes mistakes. That one sentence was drummed into me in my very first job in tech, and it has held true since then. In the cybersecurity world, misconfigurations can create exploitable issues that can haunt us later - so let's look at a few common security misconfigurations. The first one is development permissions that don't get changed when something goes live. For example, AWS S3 buckets are often assigned permissive access while development is going on. The issues arise when security reviews aren't carefully performed prior to pushing the code live, no matter if that push is for the initial launch of a platform or for updates. The result is straight-forward; a bucket goes live with the ability for anyone to read and write to and from it. This particular misconfiguration is dangerous; since the application is working and the site is loading for users, there's no visible indication that something is wrong until a threat actor hunting for open buckets stum...

Three dozen journalists working for Al Jazeera had their iPhones stealthily compromised via a zero-click exploit to install spyware as part of a Middle East cyberespionage campaign. In a new  report  published yesterday by University of Toronto's Citizen Lab, researchers said personal phones of 36 journalists, producers, anchors, and executives at Al Jazeera, and a journalist at London-based Al Araby TV were infected with Pegasus malware via a now-fixed flaw in Apple's iMessage. Pegasus is developed by Israeli private intelligence firm NSO Group and allows an attacker to  access sensitive data  stored on a target device — all without the victim's knowledge. "The shift towards zero-click attacks by an industry and customers already steeped in secrecy increases the likelihood of abuse going undetected," the researchers said. "It is more challenging [...] to track these zero-click attacks because targets may not notice anything suspicious on their phone. E...

The massive state-sponsored  espionage campaign  that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far more wider in scope, sophistication, and impact than previously thought. News of Microsoft's compromise was first reported by Reuters , which also said the company's own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter. The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers. In a statement to The Hacker News via email, the company said — "Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or custom...

One of the many features of an Active Directory Password Policy is the  maximum password age . Traditional Active Directory environments have long using password aging as a means to bolster password security. Native password aging in the default Active Directory Password Policy is relatively limited in configuration settings. Let's take a look at a few best practices that have changed in regards to password aging. What controls can you enforce in regards to password aging using the default Active Directory Password Policy? Are there better tools that organizations can use regarding controlling the maximum password age for Active Directory user accounts? What password aging best practices have changed? Password aging for Active Directory user accounts has long been a controversial topic in security best practices. While many organizations still apply more traditional password aging rules, noted security organizations have provided updated password aging guidance. Microsoft has...

Cybersecurity researchers today disclosed a new supply-chain attack targeting the Vietnam Government Certification Authority (VGCA) that compromised the agency's digital signature toolkit to install a backdoor on victim systems. Uncovered by Slovak internet security company ESET early this month, the "SignSight" attack involved modifying software installers hosted on the CA's  website  ("ca.gov.vn") to insert a spyware tool called  PhantomNet  or Smanager. According to ESET's telemetry, the breach happened from at least July 23 to August 16, 2020, with the  two installers  in question — "gca01-client-v2-x32-8.3.msi" and "gca01-client-v2-x64-8.3.msi" for 32-bit and 64-bit Windows systems — tampered to include the backdoor. "The compromise of a certification authority website is a good opportunity for APT groups, since visitors are likely to have a high level of trust in a state organization responsible for digital signatures...

The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a very meticulously planned and highly-sophisticated supply chain attack. A new report published by ReversingLabs today and shared in advance with The Hacker News has revealed that the operators behind the  espionage campaign  likely managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process. "The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system," ReversingLabs' Tomislav Pericin said. Cybersecurity firm FireEye earlier this week  detailed  how multiple SolarWin...

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools, according to new research. In a new analysis published by Sophos today and shared with The Hacker News, recent deployments of  Ryuk  and  Egregor  ransomware have involved the use of  SystemBC  backdoor to laterally move across the network and fetch additional payloads for further exploitation. Affiliates are typically threat actors responsible for gaining an initial foothold in a target network. "SystemBC is a regular part of recent ransomware attackers' toolkits," said Sophos senior threat researcher and former Ars Technica national security editor Sean Gallagher. "The backdoor can be used in combination with other scripts and malware to perform discovery, exfiltration and lateral movement in an automated way across multiple targets. These SystemBC capabilities were originally intended for mass exploitation, but they h...

As 5G networks are being gradually rolled out in major cities across the world, an analysis of its network architecture has revealed a number of potential weaknesses that could be exploited to carry out a slew of cyber assaults, including denial-of-service (DoS) attacks to deprive subscribers of Internet access and intercept data traffic. The findings form the basis of a new " 5G Standalone core security research " published by London-based cybersecurity firm Positive Technologies today, exactly six months after the company released its " Vulnerabilities in LTE and 5G Networks 2020 " report in June detailing high impact flaws in LTE and 5G protocols. "Key elements of network security include proper configuration of equipment, as well as authentication and authorization of network elements," Positive Technologies said. "In the absence of these elements, the network becomes vulnerable [to] subscriber denial of service due to exploitation of vulnera...