The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A new large scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personal identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire  @azure NPM scope , by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," JFrog researchers Andrey Polkovnychenko and Shachar Menashe  said  in a new report. The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published earlier this week, leading to their quick removal, but not before each of the packages were downloaded around 50 times on average. The attack refers to what's called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such ...

VMware on Wednesday released software updates to plug two critical security vulnerabilities affecting its Carbon Black App Control platform that could be abused by a malicious actor to execute arbitrary code on affected installations in Windows systems. Tracked as  CVE-2022-22951 and CVE-2022-22952 , both the flaws are rated 9.1 out of a maximum of 10 on the CVSS vulnerability scoring system. Credited with reporting the two issues is security researcher Jari Jääskelä. That said, successful exploitation of the vulnerabilities banks on the prerequisite that the attacker is already logged in as an administrator or a highly privileged user. VMware Carbon Black App Control is an  application allow listing solution  that's used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates. CVE-2022-22951 has been described as a command injection vulnerability that could enable an authenticated, high pri...

A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the  PlugX  remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur , owing to its resemblance to another PlugX (aka Korplug) variant called  THOR  that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr  said  in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a  cyber espionage group  that's primarily known for targeting non-governmental organizations with...

Researchers have disclosed details of a newly discovered macOS variant of a malware implant developed by a Chinese espionage threat actor known to strike attack organizations across Asia. Attributing the attacks to a group tracked as  Storm Cloud , cybersecurity firm Volexity characterized the new malware, dubbed Gimmick, as a "feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels." The cybersecurity firm said it recovered the sample through memory analysis of a compromised MacBook Pro running macOS 11.6 (Big Sur) as part of an intrusion campaign that took place in late 2021. "Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets," Volexity researchers Damien Cash, Steven Adair, and Thomas Lancaster  said  in a report. "They make use of built-in operating system utilities, open-source to...

A new class of security tools is emerging that promises to significantly improve the effectiveness and efficiency of threat detection and response. Emerging Extended Detection and Response (XDR) solutions aim to aggregate and correlate telemetry from multiple detection controls and then synthesize response actions. XDR has been referred to as the next step in the evolution of Endpoint Detection and Response (EDR) solutions. Because XDR represents a new solution category, there is no single accepted definition of what capabilities and features should (and shouldn't) be included. Each provider approaches XDR with different strengths and perspectives on how what an XDR solution should include. Therefore, selecting an XDR provider is quite challenging as organizations must organize and prioritize a wide range of capabilities that can differ significantly between providers. Cynet is now addressing this need with the Definitive RFP Template for XDR solutions ( download here ), ...

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.  According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted  Glupteba botnet  as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. "The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron,  said  in a write-up, potentially linking it to what's now called the Mēris botnet. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers ( CVE-2018-14847 ), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were  sinkholed  in late  September 2021 . ...

Microsoft on Tuesday  confirmed  that the LAPSUS$ extortion-focused hacking crew had gained "limited access" to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. "No customer code or data was involved in the observed activities," Microsoft's Threat Intelligence Center (MSTIC) said, adding that the breach was facilitated by means of a single compromised account that has since been remediated to prevent further malicious activity. The Windows maker, which was already tracking the group under the moniker DEV-0537 prior to the public disclosure,  said  it "does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk." "This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact," the company's security ...

Microsoft and authentication services provider Okta said they are investigating claims of a potential breach alleged by the LAPSUS$ extortionist gang. The development, which was first reported by  Vice  and  Reuters , comes after the cyber criminal group posted screenshots and source code of what it said were the companies' internal projects and systems on its Telegram channel. The leaked 37GB archive shows that the group may have accessed the repositories related to Microsoft's Bing, Bing Maps, and Cortana, with the  images  highlighting Okta's Atlassian suite and in-house Slack channels. "For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor," the hacking cartel wrote on Telegram. On top of this, the group alleged that it breached LG Electronics (LGE) for the "second time" in a year. Bill Demirkapi, an independent security researcher,  noted  ...

Back in 2018, Palo Alto Networks CTO and co-founder Nir Zuk coined a new term to describe the way that businesses needed to approach cybersecurity in the years to come. That term, of course, was extended detection and response (XDR). It described a unified cybersecurity infrastructure that brought endpoint threat detection, network analysis and visibility (NAV), access management, and more under a single roof to find and neutralize digital threats in real-time. And Zuk's vision of XDR proved prophetic. In the years since he coined the phrase, platforms leveraging the XDR model have emerged as the de-facto leaders of the business cybersecurity industry. But their scale and complexity put them in a product class that's just out of reach for some enterprises. Fortunately, the open-source community — as it often does — has filled the XDR void with an affordable product — because it's totally free. It's called  Wazuh , and it provides enterprises the tools they need to bu...

The U.S. government on Monday once again cautioned of potential cyber attacks from Russia in retaliation for  economic sanctions  imposed by the west on the country following its  military assault on Ukraine  last month. "It's part of Russia's playbook," U.S. President Joe Biden  said  in a  statement , citing "evolving intelligence that the Russian Government is exploring options." The development comes as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned of "possible threats" to U.S. and international satellite communication (SATCOM) networks in the wake of a cyber attack targeting  Viasat KA-SAT network , used extensively by the Ukrainian military, roughly around the time when Russian armed forces invaded Ukraine on February 24. "Successful intrusions into SATCOM networks could create risk in SATCOM network providers' customer environments," the agencies  said . T...

Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software's  InsydeH2O  and HP Unified Extensible Firmware Interface ( UEFI ). Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the high-severity vulnerabilities are rated 8.2 out of 10 on the CVSS scoring system. "The active exploitation of all the discovered vulnerabilities can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement," firmware security company Binarly, which discovered the latter three flaws,  said  in a write-up. "The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime." All the flaws relate to improper input v...

A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks. According to penetration tester and security researcher, who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on ( SSO ) options embedded on websites such as "Sign in with Google" (or Facebook, Apple, or Microsoft). While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window. "Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable," mrd0x  said  in a technical write-up publ...

Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called  Serpent  on compromised systems. Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. The ultimate objective of the campaign remains presently unknown. "The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads," Proofpoint researchers  said  in a report shared with The Hacker News. The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union's General Data Pro...

Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. Cybersecurity company Sophos, which has named the organized crime campaign " CryptoRom ," characterized it as a wide-ranging global scam. "This style of cyber-fraud, known as sha zhu pan (杀猪盘) — literally 'pig butchering plate' — is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," Sophos analyst Jagadeesh Chandraiah  said  in a report published last week. The campaign works by approaching potential targets through dating apps like Bumble, Tinder, Facebook Dating, and Grindr, before moving the conversation to messaging apps such as...

Luxury hotels in the Chinese special administrative region of Macau were the target of a malicious spear-phishing campaign from the second half of November 2021 and through mid-January 2022. Cybersecurity firm Trellix  attributed  the campaign with moderate confidence to a suspected South Korean advanced persistent threat (APT) tracked as DarkHotel, building on research previously published by  Zscaler  in December 2021. Believed to be active since 2007, DarkHotel has a history of striking "senior business executives by uploading malicious code to their computers through infiltrated hotel Wi-Fi networks, as well as through spear-phishing and P2P attacks," Zscaler researchers Sahil Antil and Sudeep Singh said. Prominent sectors targeted include law enforcement, pharmaceuticals, and automotive manufacturers. The attack chains involved distributing email messages directed to individuals in executive roles in the hotel, such as the vice president of human resources,...

A financially motivated threat actor has been observed deploying a previously unknown rootkit targeting Oracle Solaris systems with the goal of compromising Automatic Teller Machine (ATM) switching networks and carrying out unauthorized cash withdrawals at different banks using fraudulent cards. Threat intelligence and incident response firm Mandiant is tracking the cluster under the moniker UNC2891, with some of the group's tactics, techniques, and procedures sharing overlaps with that of another cluster dubbed  UNC1945 . The intrusions staged by the actor involve "a high degree of OPSEC and leverage both public and private malware, utilities, and scripts to remove evidence and hinder response efforts," Mandiant researchers  said  in a new report published this week. Even more concerningly, the attacks spanned several years in some cases, during the entirety of which the actor remained undetected by taking advantage of a rootkit called CAKETAP, whic is designed to c...

An analysis of two ransomware attacks has  identified overlaps  in the tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter, indicating a strong connection between the two groups. While it's typical of ransomware groups to rebrand their operations in response to increased visibility into their attacks,  BlackCat  (aka Alphv) marks a new frontier in that the cyber crime cartel is built out of affiliates of other ransomware-as-a-service (RaaS) operations. BlackCat first emerged in November 2021 and has since targeted several organizations worldwide over the past few months. It has been called out for being similar to  BlackMatter , a short-lived ransomware family that originated from  DarkSide , which, in turn, attracted notoriety for its high-profile attack on  Colonial Pipeline  in May 2021. In an interview with Recorded Future's The Record last month, a BlackCat representative dismissed speculations that it's a rebrand...

Google's Threat Analysis Group (TAG) took the wraps off a new  initial access broker  that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ( CVE-2021-40444 ) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally. "Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job," TAG researchers Vlad Stolyarov and Benoit Sevens  said . "These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid." Exotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the...