The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

No fewer than 1,220 Man-in-the-Middle (MitM) phishing websites have been discovered as targeting popular online services like Instagram, Google, PayPal, Apple, Twitter, and LinkedIn with the goal of hijacking users' credentials and carrying out further follow-on attacks. The findings come from a  new study  undertaken by a group of researchers from Stony Brook University and Palo Alto Networks, who have demonstrated a new fingerprinting technique that makes it possible to identify MitM phishing kits in the wild by leveraging their intrinsic network-level properties, effectively automating the discovery and analysis of phishing websites. Dubbed " PHOCA " — named after the Latin word for "seals" — the tool not only facilitates the discovery of previously unseen MitM phishing toolkits, but also can be used to detect and isolate malicious requests coming from such servers. Phishing toolkits aim to  automate and streamline  the work required by attackers to cond...

The notorious Emotet malware is staging a comeback of sorts  nearly 10 months  after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. According to a  new report  from security researcher Luca Ebach, the infamous  TrickBot  malware is being used as an entry point to distribute what appears to be a new version of Emotet on systems previously infected by the former. The latest  variant  takes the form of a DLL file, with the first occurrence of the deployment being detected on November 14. Europol  dubbed   Emotet  as the "world's most dangerous malware" for its ability to act as a "door opener" for threat actors to obtain unauthorized access, becoming a precursor to many critical data theft and ransomware attacks. Interestingly, the loader operation enabled other malware families such as Trickbot, QakBot, and Ryuk to enter a machine. The resurfacing is also significa...

A new politically-motivated hacker group named " Moses Staff " has been linked to a wave of targeted attacks targeting Israeli organizations since September 2021 with the goal of plundering and leaking sensitive information prior to encrypting their networks, with no option to regain access or negotiate a ransom. "The group openly states that their motivation in attacking Israeli companies is to cause damage by leaking the stolen sensitive data and encrypting the victim's networks, with no ransom demand," Check Point Research  said  in a report published Monday. "In the language of the attackers, their purpose is to 'Fight against the resistance and expose the crimes of the Zionists in the occupied territories.'" At least 16 victims have had their data leaked to date, according to stats released by the collective. The threat actor is said to leverage publicly known vulnerabilities as a means to breach enterprise servers and gain initial ac...

Cybersecurity researchers on Monday took the wraps off a new Android trojan that takes advantage of accessibility features on mobile devices to siphon credentials from banking and cryptocurrency services in Italy, the U.K., and the U.S. Dubbed " SharkBot " by Cleafy, the malware is designed to strike a total of 27 targets — counting 22 unnamed international banks in Italy and the U.K. as well as five cryptocurrency apps in the U.S. — at least since late October 2021 and is believed to be in its early stages of development, with no overlaps found to that of any known families. "The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., SCA)," the researchers said in a report. "Once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility S...

A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it's possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users. "While attacks can exceed 95% accuracy when monitoring a small set of five popular websites, indiscriminate (non-targeted) attacks against sets of 25 and 100 websites fail to exceed an accuracy of 80% and 60%, respectively," researchers Giovanni Cherubin, Rob Jansen, and Carmela Troncoso  said  in a newly published paper. Tor browser  offers  "unlinkable communication" to its users by routing internet traffic through an overlay network, consisting of more than six thousand relays, with the goal of anonymizing the originating location and usage from third parties conducting network surveillance or traffic analysis. It achieves this by building a circuit that traverses via an ...

Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software. The findings were  reported  by ESET security researcher Anton Cherepanov last week in a series of tweets. IDA Pro is an  Interactive Disassembler  that's designed to translate machine language (aka executables) into assembly language, enabling security researchers to analyze the inner workings of a program (malicious or otherwise) as well as function as a debugger to detect errors. "Attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components," the Slovak cybersecurity firm said, one of which is an internal module called "win_fw.dll" that's executed during installation of the application. This tampered version is then orchestrated to load a second component named ...

Whether it's Office 365, Salesforce, Slack, GitHub or Zoom, all SaaS apps include a host of security features designed to protect the business and its data. The job of ensuring these apps' security settings are properly configured falls on the security team. The challenge lies within how burdensome this responsibility is — each app has tens or hundreds of security settings to configure, in addition to the continuous need for general or user updates, compounded by many compliance industry standards and frameworks that organizations need to follow. Not to mention the fact that often the SaaS app owner sits outside the outside of the security team in the department that most uses the app (think Sales has CRM app, Marketing has automation app), and they are untrained and not focused on the security upkeep of the app. It all amounts to just how unrealistic it is to expect security teams to be able to stay in control of the organization's SaaS stack.  That's why Gartner n...

The U.S. Federal Bureau of Investigation (FBI) on Saturday confirmed unidentified threat actors have breached one of its email servers to blast hoax messages about a fake "sophisticated chain attack." The incident, which was first  publicly disclosed  by threat intelligence non-profit SpamHaus, involved sending rogue warning emails with the subject line "Urgent: Threat actor in systems" originating from a legitimate FBI email address "eims@ic.fbi[.]gov" that framed the attack on Vinny Troia, a security researcher and founder of dark web intelligence firms Night Lion Security and Shadowbyte, while also claiming him to be affiliated with a hacking outfit named TheDarkOverlord. SpamHaus cited its own telemetry data to point out that the email blasts happened over two "spam" waves, one shortly before 5:00 a.m. UTC and another one shortly after 7:00 a.m. UTC.  However, according to Kryptos Logic researcher Marcus Hutchins, the goal appears to be ...

Threat actors are increasingly banking on the technique of  HTML smuggling  in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads. Microsoft 365 Defender Threat Intelligence Team, in a new report published Thursday, disclosed that it identified infiltrations distributing the  Mekotio  banking Trojan, backdoors such as  AsyncRAT  and  NjRAT , and the infamous  TrickBot  malware. The multi-staged attacks — dubbed  ISOMorph  — were also publicly documented by Menlo Security in July 2021. HTML smuggling is an approach that allows an attacker to "smuggle" first-stage droppers, often encoded malicious scripts embedded within specially-crafted HTML attachments or web pages, on a victim machine by taking advantage of basic features in HTML5 and JavaScript rather than exploiting a vulnerability or a design flaw in mo...

Researchers from Qihoo 360's Netlab security team have released details of a new evolving botnet called " Abcbot " that has been observed in the wild with worm-like propagation features to infect Linux systems and launch distributed denial-of-service (DDoS) attacks against targets. While the earliest version of the botnet dates back to July 2021, new variants observed as recently as October 30 have been equipped with additional updates to strike Linux web servers with weak passwords and are susceptible to N-day vulnerabilities, including a custom implementation of DDoS functionality, indicating that the malware is under continuous development. Netlab's findings also build on a report from Trend Micro early last month, which  publicized  attacks targeting Huawei Cloud with cryptocurrency-mining and cryptojacking malware. The intrusions were also notable for the fact that the malicious shell scripts specifically disabled a process designed to monitor and scan the ser...

Google researchers on Thursday disclosed that it found a watering hole attack in late August exploiting a now-patched zero-day in macOS operating system and targeting Hong Kong websites related to a media outlet and a prominent pro-democracy labor and political group to deliver a never-before-seen backdoor on compromised machines. "Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," Google Threat Analysis Group (TAG) researcher Erye Hernandez  said  in a report. Tracked as CVE-2021-30869 (CVSS score: 7.8), the security shortcoming concerns a type confusion vulnerability affecting the XNU kernel component that could cause a malicious application to execute arbitrary code with the highest privileges. Apple originally addressed the issue for macOS Big Sur devices as part of a security update shipped on February 1, only to follow...

A new cyber mercenary hacker-for-hire group dubbed " Void Balaur " has been linked to a string of cyberespionage and data theft activities targeting thousands of entities as well as human rights activists, politicians, and government officials around the world at least since 2015 for financial gain while lurking in the shadows. Named after a  many-headed dragon  from Romanian folklore, the adversary has been unmasked advertising its services in Russian-speaking underground forums dating all the way back to 2017 and selling troves of sensitive information such as cell tower phone logs, passenger flight records, credit reports, banking data, SMS messages, and passport details. The threat actor calls itself "Rockethack." "This hacker-for-hire group does not operate out of a physical building, nor does it have a shiny prospectus that describes its services," Trend Micro researcher Feike Hacquebord  said  in a newly published profile of the collective. ...

The operators of TrickBot trojan are collaborating with the Shathak threat group to distribute their wares, ultimately leading to the deployment of Conti ransomware on infected machines. "The implementation of  TrickBot  has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities," Cybereason security analysts Aleksandar Milenkoski and Eli Salem  said  in a report analysing recent malware distribution campaigns undertaken by the group. "TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors." The latest report builds on a report from IBM X-Force last month, which  revealed  TrickBot's partnerships with other cybercrime gangs, including Shathak, to deliver proprietary malware. Also tracked under the moniker TA551, Shathak is a sophisticated cybercrime actor targeting end-users on a global scale, acting as a malware distrib...

Though we are recovering from the worst pandemic, cyber threats have shown no sign of downshifting, and cybercriminals are still not short of malicious and advanced ways to achieve their goals.  The  Global Threat Landscape Report  indicates a drastic rise in sophisticated cyberattacks targeting digital infrastructures, organizations, and individuals in 2021. Threats can take different forms with the intent to commit fraud and damage businesses and people. Ransomware,  DDoS attacks , phishing, malware, and man-in-the-middle attacks represent the greatest threat to businesses today. When new threats emerge, attackers take advantage of them – however, most businesses are only aware of the current threats. Organizations struggle to address these threats due to their resource sophistication and their lack of understanding of evolving threat landscapes. For these reasons, organizations need visibility on the advanced threats especially targeting their infrastructure. ...

A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers (ISPs) and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs (MFA) in Africa, new findings reveal. The intrusions, staged by a group tracked as Lyceum, are believed to have occurred between July and October 2021, researchers from Accenture Cyber Threat Intelligence (ACTI) group and Prevailion's Adversarial Counterintelligence Team (PACT) said in a technical report. The names of the victims were not disclosed. The latest revelations throw light on the web-based infrastructure used by Lyceum, over 20 of them, enabling the identification of "additional victims and provide further visibility into Lyceum's targeting methodology," the researchers  noted , adding "at least two of the identified compromises are assessed to be ongoing despite prior public discl...

A new zero-day vulnerability has been disclosed in Palo Alto Networks GlobalProtect VPN that could be abused by an unauthenticated network-based attacker to execute arbitrary code on affected devices with root user privileges. Tracked as CVE-2021-3064 (CVSS score: 9.8), the security weakness impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Massachusetts-based cybersecurity firm Randori has been credited with discovering and reporting the issue. "The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow," Randori researchers  said . "Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products." However, in a troubling turn of events, the company said it used this exploit as part of its red team engagements for nearly 10 months before disclosing it to Palo Alto Networks in late Septem...