The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Law enforcement officials in Ukraine, in coordination with authorities from the U.S. and Australia, last week shut down one of the world's largest phishing services that were used to attack financial institutions in 11 countries, causing tens of millions of dollars in losses. The Ukrainian attorney general's office  said  it worked with the National Police and its Main Investigation Department to identify a 39-year-old man from the Ternopil region who developed a phishing package and a special administrative panel for the service, which were then aimed at several banks located in Australia, Spain, the U.S., Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany, and the U.K. Computer equipment, mobile phones, and hard drives were seized as part of five authorized searches conducted during the course of the operation. Security researcher Brian Krebs  noted  the raids were in connection with  U-Admin , a phishing framework that makes use of fake ...

Hackers successfully infiltrated the computer system controlling a water treatment facility in the U.S. state of Florida and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water. During a press conference held yesterday, Pinellas County Sheriff Bob Gualtieri said an operator managed to catch the manipulation in real-time and restored the concentration levels to undo the damage. "At no time was there a significant effect on the water being treated, and more importantly the public was never in danger," Sheriff Gualtieri  said  in a statement. The water treatment facility, which is located in the city of Oldsmar and serves about 15,000 residents, is said to have been breached for approximately 3 to 5 minutes by unknown suspects on February 5, with the remote access occurring twice at 8:00 a.m. and 1:30 p.m. The attacker briefly increased the amount of sodium hydroxide from 100 parts-per-million to 11,100 parts-per-million u...

Twin cyber operations conducted by state-sponsored Iranian threat actors demonstrate their continued focus on compiling detailed dossiers on Iranian citizens that could threaten the stability of the Islamic Republic, including dissidents, opposition forces, and ISIS supporters, and Kurdish natives. Tracing the extensive espionage operations to two advanced Iranian cyber-groups  Domestic Kitten  (or APT-C-50) and  Infy , cybersecurity firm Check Point revealed new and recent evidence of their ongoing activities that involve the use of a revamped malware toolset as well as tricking unwitting users into downloading malicious software under the guise of popular apps. "Both groups have conducted long-running cyberattacks and intrusive surveillance campaigns which target both individuals' mobile devices and personal computers," Check Point researchers said in a new analysis. "The operators of these campaigns are clearly active, responsive and constantly seeking new att...

While Gartner does not have a dedicated Magic Quadrant for Bug Bounties or Crowd Security Testing yet, Gartner Peer Insights already lists 24 vendors in the "Application Crowdtesting Services" category. We have compiled the top 5 most promising bug bounty platforms for those of you who are looking to enhance your existing software testing arsenal with knowledge and expertise from international security researchers:  1. HackerOne Being a unicorn backed by numerous reputable venture capitalists,  HackerOne  is probably the most well-known and recognized Bug Bounty brand in the world. According to their most recent annual report, over 1,700 companies trust the HackerOne platform to augment their in-house application security testing capacities. The report likewise says that their security researchers earned approximately $40 million in bounties in 2019 alone and $82 million cumulatively. HackerOne is also famous for hosting US government Bug Bounty programs, including ...

Google on Thursday removed The Great Suspender , a popular Chrome extension used by millions of users, from its Chrome Web Store for containing malware. It also took the unusual step of deactivating it from users' computers. "This extension contains malware,"  read  a terse notification from Google, but it has since emerged that the add-on stealthily added features that could be exploited to execute arbitrary code from a remote server, including tracking users online and committing advertising fraud. "The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more," Calum McConnell  said  in a GitHub post. The extension, which had more than two million installs before it was disabled, would suspend tabs that aren't in use, replacing them with a blank gray screen until they were reloaded upon returning to the tabs in question. Signs of the...

A new distributed denial-of-service attack (DDoS) vector has ensnared Plex Media Server systems to amplify malicious traffic against targets to take them offline. "Plex's startup processes unintentionally expose a Plex UPnP-enabled service registration responder to the general Internet, where it can be abused to generate reflection/amplification DDoS attacks," Netscout researchers  said  in a Thursday alert. Plex Media Server  is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems, as well as variants customized for special-purpose platforms such as network-attached storage (NAS) devices and digital media players. The desktop application organizes video, audio, and photos from a user's library and from online services, allowing access to and stream the contents to other compatible devices. DDoS attacks typically involve flooding a legitimate target with junk network traffic that comes from a large number o...

Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. The  flaws  — tracked from CVE-2021-1289 through CVE-2021-1295 (CVSS score 9.8) — impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02. Along with the aforementioned three vulnerabilities, patches have also been released for two more  arbitrary file write flaws  (CVE-2021-1296 and CVE-2021-1297) affecting the same set of VPN routers that could have made it possible for an adversary to overwrite arbitrary files on the vulnerable system. All the nine security issues were reported to the networking equipment maker by security researcher Takeshi Shiomitsu, who has previously uncovered  similar critical flaws  in RV110W, RV130W, and RV215...

Google has patched a zero-day vulnerability in Chrome web browser for desktop that it says is being actively exploited in the wild. The company released  88.0.4324.150  for Windows, Mac, and Linux, with a fix for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine. "Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the company said in a statement. The security flaw was reported to Google by Mattias Buelens on January 24. Previously on February 2, Google  addressed six issues in Chrome , including one critical use after free vulnerability in Payments (CVE-2021-21142) and four high severity flaws in Extensions, Tab Groups, Fonts, and Navigation features. While it's typical of Google to limit details of the vulnerability until a majority of users are updated with the fix, the development comes weeks after Google and Microsoft  disclosed  attacks carried out by North Korean hackers against securi...

Today's admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be. This initial layer of security is crucial for protecting one's entire infrastructure. Unfortunately, the personal nature of passwords has its shortcomings. Passwords are easily forgotten. They may also be too simplistic; many companies don't enforce stringent password-creation requirements. This is where the Active Directory Password Policy comes in. Additionally, the following is achievable: Changing user passwords Recording password changes and storing them within a history log Active Directory accounts for any impactful changes across user accounts. We'll assess why and how administrators might leverage these core features. Why change user ...

A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service (DDoS) attacks. Called " Matryosh " by Qihoo 360's Netlab researchers, the latest threat has been found reusing the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare them into its network. ADB is a  command-line tool  part of the Android SDK that handles communications and allows developers to install and debug apps on Android devices. While this option is turned off by default on most Android smartphones and tablets, some vendors ship with this feature enabled, thus allowing unauthenticated attackers to connect remotely via the 5555 TCP port and open the devices directly to exploitation. This is not the first time a botnet has taken advantage of ADB to infect vulnerable devices. In July 2018, open ADB ports were used to spread multip...

Phishing and Malware Among the major cyber threats, the malware remains a significant danger. The 2017 WannaCry outbreak that cost businesses worldwide up to $4 billion is still in recent memory, and other new strains of malware are discovered on a daily basis. Phishing has also seen a resurgence in the last few years, with many new scams being invented to take advantage of unsuspecting companies. Just one variation, the CEO Fraud email scam, cost UK businesses alone £14.8m in 2018. Working From Home Staff working from home are outside the direct oversight of IT support teams and often struggle to deal with cyber threats and appropriately protect company information. Failing to update software and operating systems, sending data over insecure networks, and increasing reliance on email and online messaging has made employees far more susceptible to threats ranging from malware to phishing. Human Error While technical solutions like spam filters and mobile device management syste...

Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications. The six flaws were  reported  by researchers from Israeli IoT security firm Vdoo. The  Realtek RTL8195A  module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used in several industries such as agriculture, smart home, healthcare, gaming, and automotive sectors. It also makes use of an "Ameba" API, allowing developers to communicate with the device via Wi-Fi, HTTP, and  MQTT , a lightweight messaging protocol for small sensors and mobile devices. Although the issues uncovered by Vdoo were verified only on RTL8195A, the researchers said they extend to other modules as well, including RTL8711AM, RTL8711AF, and RTL8710AF. The flaws concern a mix of stack overflow, and out-of-bounds reads that stem from the Wi-Fi module's WP...

New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads. Collectively called " CacheFlow " by Avast, the 28 extensions in question — including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock — made use of a sneaky trick to mask its true purpose: Leverage  Cache-Control  HTTP header as a covert channel to retrieve commands from an attacker-controlled server. All the  backdoored browser add-ons  have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores. According to telemetry data gathered by the firm, the top three infected countries were Brazil, Ukraine, and France, followed by Argentina, Spain, Russia, and the U.S. The CacheFlow sequence began when unsuspecting users downloaded on...

Cybersecurity researchers on Wednesday disclosed three severe security vulnerabilities impacting SolarWinds products, the most severe of which could have been exploited to achieve remote code execution with elevated privileges. Two of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows,  said  cybersecurity firm Trustwave in a technical analysis. None of the three vulnerabilities are believed to have been exploited in any "in the wild" attacks or during the unprecedented  supply chain attack  targeting the Orion Platform that came to light last December. The two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25. It's highly recommended that users install t...

The dynamic nature of cybersecurity, the changes in the threat landscape, and the expansion of the attack surface lead organizations to add more security solutions—from different vendors—creating a layered security infrastructure that introduces new challenges to any team, with a much more significant impact on small ones. And yet, sophisticated attacks continue to bypass these advanced security layers while FOMO (fear of missing out) compels security teams to evaluate every new solution that comes out. A new guide, "How Security Consolidation Helps Small Security Teams" ( download here ), reviews the challenges of a layered, multi-vendor security approach for protecting your internal environment and reveals why the concept of consolidation of security solutions is becoming the go-to security approach of many CISOs with small teams. Having a single consolidated solution for protecting your internal environment can free up much of your small team's time and reduce your...

High-performance computing clusters belonging to university networks as well as servers associated with government agencies, endpoint security vendors, and internet service providers have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely. Cybersecurity firm ESET named the malware " Kobalos " — a nod to a " mischievous creature " of the same name from Greek mythology — for its "tiny code size and many tricks." "Kobalos is a generic backdoor in the sense that it contains broad commands that don't reveal the intent of the attackers," researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan  said  in a Tuesday analysis. "In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers." Besides tracing the malware back to attacks against a nu...

Security researchers on Tuesday uncovered new delivery and evasion techniques adopted by Agent Tesla remote access trojan (RAT) to get around defense barriers and monitor its victims. Typically spread through social engineering lures, the Windows spyware not only now targets Microsoft's Antimalware Scan Interface ( AMSI ) in an attempt to defeat endpoint protection software, it also employs a multi-stage installation process and makes use of Tor and Telegram messaging API to communicate with a command-and-control (C2) server. Cybersecurity firm Sophos , which observed two versions of Agent Tesla — version 2 and version 3 — currently in the wild, said the changes are yet another sign of Agent Tesla's constant evolution designed to make a sandbox and static analysis more difficult. "The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more...