The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Popular short-form video-sharing service TikTok quietly revised its privacy policy in the U.S., allowing it to automatically collect biometric information such as faceprints and voiceprints from the content its users post on the platform. The policy change, first spotted by TechCrunch , went into effect on June 2. TikTok users who reside in the European Economic Area (EEA), the U.K., Switzerland, and other geographies (excluding India) where the service operates are exempted from the changes. "We may collect biometric identifiers and biometric information as defined under U.S. laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection," the ByteDance-owned company  said  in a newly introduced section called "Image and Audio Information." On top of this, the company's privacy policy also notes that it may collect information about "the nature of the...

Malicious actors are actively mass scanning the internet for vulnerable VMware vCenter servers that are unpatched against a critical remote code execution flaw, which the company addressed late last month. The ongoing activity was detected by Bad Packets on June 3 and corroborated  yesterday  by security researcher Kevin Beaumont. "Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution,"  tweeted  Troy Mursch, chief research officer at Bad Packets. The development follows the publication of a proof-of-concept (PoC) RCE exploit code targeting the VMware vCenter bug. Tracked as  CVE-2021-21985  (CVSS score 9.8), the issue is a consequence of a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be abused by an attacker to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server. Although the flaw was...

Google is tightening its privacy practices that could make it harder for apps on Android phones and tablets to track users who have opted out of receiving personalized interest-based ads. The change will go into effect sometime in late 2021. The development, which mirrors Apple's move to enable iPhone and iPad users to opt-out of ad tracking, was first  reported  by the Financial Times.  Once the revised policy goes live, Google is expected to completely cut off developers' access to the so-called "Advertising IDs," showing a "string of zeros" in its place. The Google Advertising ID (AAID), analogous to Apple's  IDFA , is a unique device identifier that can be used by app developers to track users as they move between apps to target ads better and measure the effectiveness of marketing campaigns. "Starting in late 2021, when a user opts out of interest-based advertising or ads personalization, the advertising identifier will not be available,...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Cybersecurity researchers on Thursday disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that could be exploited to achieve remote code execution on programmable logic controllers (PLCs). "To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough," researchers from Positive Technologies  said . "The main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations." The Russian cybersecurity firm noted that it detected the vulnerabilities on a PLC offered by WAGO, which, among other automation technology companies such as Beckhoff, Kontron, Moeller, Festo, Mitsubishi, and HollySys, use CODESYS software for  programming and configuring  the controllers. CODESYS offers a development environment for programming controller applications for use ...

Google on Thursday said it's rolling out new security features to Chrome browser aimed at detecting suspicious downloads and extensions via its Enhanced Safe Browsing feature, which it launched a year ago. To this end, the search giant said it will now offer additional protections when users attempt to install a new extension from the Chrome Web Store, notifying if it can be considered "trusted." Currently, 75% of all add-ons on the platform are compliant, the company pointed out, adding "any extensions built by a developer who follows the Chrome Web Store Developer Program Policies , will be considered trusted by Enhanced Safe Browsing." Enhanced Safe Browsing involves sharing real-time data with Google Safe Browsing to proactively safeguard users against dangerous sites. The company also noted that its integration with Safe Browsing's blocklist API helped improve privacy and security, with the number of malicious extensions disabled by the browser j...

New upgrades have been made to a Python-based "self-replicating, polymorphic bot" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," researchers from Cisco Talos  said  in a deep-dive published today. Said to be in development as far back as 2015,  Necro  (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed " FreakOut " that was found exploiting  vulnerabilities  in network-attached storage (...

Major software vulnerabilities are a fact of life, as illustrated by the fact that Microsoft has patched between 55 and 110 vulnerabilities each month this year – with 7% to 17% of those vulnerabilities being critical. May had the fewest vulnerabilities, with a total of 55 and only four considered critical. The problem is that the critical vulnerabilities are things we have seen for many years, like remote code execution and privilege escalation. Microsoft isn't the only big name regularly patching major vulnerabilities: We see monthly security updates coming from Apple, Adobe, Google, Cisco, and others. Everything old is new again With major vulnerabilities in so many applications, is there any hope for a secure future? The answer is, of course, yes, but that does not mean there won't be challenges getting there. The vulnerabilities being seen may not be new to those of us who have been defending against attackers for years or even decades, but the adversaries continual...

A new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges on a device and hijack wireless communications. "Successful exploitation would lead to complete control of the Wi-Fi module and potential root access on the OS (such as Linux or Android) of the embedded device that uses this module," researchers from Israeli IoT security firm Vdoo  said  in a write-up published yesterday. The Realtek  RTL8710C  Wi-Fi SoC underpins Ameba, an Arduino-compatible programmable platform equipped with peripheral interfaces for building a variety of IoT applications by devices spanning across agriculture, automotive, energy, healthcare, industrial, security, and smart home sectors. The flaws affect all embedded and IoT devices that use the component to connect to Wi-Fi networks and would require an attacker to be on the same Wi-Fi network as the devices that use the RTL8710C module or kn...

An ongoing cyber-espionage operation with suspected ties to China has been found targeting a Southeast Asian government to deploy spyware on Windows systems while staying under the radar for more than three years. "In this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor on victim's machines," researchers from Check Point Research said in a report published today. The infection chain works by sending decoy documents, impersonating other entities within the government, to multiple members of the Ministry of Foreign Affairs, which, when opened, retrieves a next-stage payload from the attacker's server that contains an encrypted downloader. The downloader, in turn, gathers and exfiltrates system information to a remote server that subsequently responds back with a shellcode loader. The use of weaponized copies of legitimate-looking official doc...

A top Russian-language underground forum has been running a "contest" for the past month, calling on its community to submit "unorthodox" ways to conduct cryptocurrency attacks. The forum's administrator, in an announcement made on April 20, 2021, invited members to submit papers that assess the possibility of targeting cryptocurrency-related technology, including the theft of private keys and wallets, in addition to covering unusual cryptocurrency mining software, smart contracts, and non-fungible tokens (NFTs). The contest , which is likely to continue till September 1, will see a total prize money of $115,000 awarded to the best research. "So far, the top candidates (according to forum member voting) include topics like generating a fake blockchain front-end website that captures sensitive information such as private keys and balances, creating a new cryptocurrency blockchain from scratch, increasing the hash rate speed of mining farms and botnets, ...

A North Korean threat actor active since 2012 has been behind a new espionage campaign targeting high-profile government officials associated with its southern counterpart to install an Android and Windows backdoor for collecting sensitive information. Cybersecurity firm Malwarebytes attributed the activity to a threat actor tracked as Kimsuky, with the targeted entities comprising of the Ministry of Foreign Affairs, Ambassador of the Embassy of Sri Lanka to the State, International Atomic Energy Agency (IAEA) Nuclear Security Officer, and the Deputy Consul General at Korean Consulate General in Hong Kong. The attacks also involved collecting information about other organizations and universities in the country, including the Korea Internet and Security Agency (KISA), Seoul National University, and Daishin Securities. Malwarebytes, however, noted that there is no evidence of active targeting or compromise by the adversary. The development is only the latest in a series of surveil...

Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been discovered to contain a critical file upload vulnerability that's being actively exploited in the wild to upload malware onto sites that have the plugin installed. Wordfence's threat intelligence team, which discovered the flaw, said it reported the issue to the plugin's developer on May 31. While the flaw has been acknowledged, it's yet to be addressed. Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of item ranging from T-shirts to phone cases by offering the ability to upload images and PDF files that can be added to the products. "Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed," Wordfence...

Days after  Microsoft ,  Secureworks , and  Volexity  shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice (DoJ) Tuesday said it intervened to take control of two command-and-control (C2) and malware distribution domains used in the campaign. The court-authorized domain seizure took place on May 28, the DoJ said, adding the action was aimed at disrupting the threat actors' follow-on exploitation of victims as well as block their ability to compromise new systems. The department, however, cautioned that the adversary might have deployed additional backdoor accesses in the interim period between when the initial compromises occurred, and the seizures took place last week. "[The] action is a continued demonstration of the Department's commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,"  said  Assistant ...

Researchers have disclosed significant security weaknesses in popular antivirus software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses. The twin attacks,  detailed  by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka "Cut-and-Mouse") and disabling their real-time protection by simulating mouse "click" events (aka "Ghost Control"). "Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals,"  said  Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with cri...

The U.S. National Security Agency (NSA) used a partnership with Denmark's foreign and military intelligence service to eavesdrop on top politicians and high-ranking officials in Germany, Sweden, Norway, and France by tapping into Danish underwater internet cables between 2012 and 2014. Details of the covert wiretapping were  broken  by Copenhagen-based public broadcaster DR over the weekend based on interviews with nine unnamed sources, all of whom are said to have access to classified information held by the Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste or FE). German Chancellor Angela Merkel, the then-German Foreign Minister Frank-Walter Steinmeier, and the opposition leader at the time, Peer Steinbrück, are said to have been targeted through the Danish-American pact. Using the telephone numbers of politicians as search parameters, the report alleged that the NSA "intercepted everything from text messages to phone calls that passed through the ca...

Starting June 8, Amazon will automatically enable a feature on its family of hardware devices, including Echo speakers, Ring Video Doorbells, Ring Floodlight Cams, and Ring Spotlight Cams, that will share a small part of your Internet bandwidth with nearby neighbors — unless you choose to opt-out. To that effect, the company intends to register all compatible devices that are operational in the U.S. into an ambitious location-tracking system called Sidewalk as it prepares to roll out the shared mesh network in the country. Originally  announced  in September 2019,  Sidewalk  is part of Amazon's efforts to build a long-range wireless network that leverages a combination of Bluetooth and 900 MHz spectrum ( FSK ) to help Echo, Ring, Tile trackers, and other Sidewalk-enabled devices communicate over the internet without Wi-Fi. Sidewalk is designed to extend the working range of low-bandwidth devices, and help devices stay connected even if they are outside the range ...

Are you aware of how secure your domain is? In most organizations, there is an assumption that their domains are secure and within a few months, but the truth soon dawns on them that it isn't. Spotting someone spoofing your domain name is one way to determine if your security is unsatisfactory - this means that someone is impersonating you (or confusing some of your recipients) and releasing false information. You may ask, "But why should I care?" Because these spoofing activities can potentially endanger your reputation. With so many companies being targeted by domain impersonators, email domain spoofing shouldn't be taken lightly. By doing so, they could put themselves, as well as their clients, at risk.  Your domain's security rating can make a huge difference in whether or not you get targeted by phishers looking to make money quickly or to use your domain and brand to spread ransomware without you knowing it! Check your domain's security rating with ...

Siemens on Friday shipped firmware updates to address a severe vulnerability in SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs) that could be exploited by a malicious actor to remotely gain access to protected areas of the memory and achieve unrestricted and undetected code execution, in what the researchers describe as an attacker's "holy grail." The memory protection bypass vulnerability, tracked as CVE-2020-15782 (CVSS score: 8.1), was discovered by operational technology security company Claroty by reverse-engineering the MC7 / MC7+ bytecode language used to execute PLC programs in the microprocessor. There's no evidence that the weakness was abused in the wild. In an  advisory  issued by Siemens, the German industrial automation firm said an unauthenticated, remote attacker with network access to TCP port 102 could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks. "Ach...