The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Google's Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser. The campaigns, once again "reflective of the regime's immediate concerns and priorities," are said to have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks  aimed at security researchers  last year. The shortcoming in question is  CVE-2022-0609 , a use-after-free vulnerability in the browser's Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It's also the first zero-day flaw patched by the tech giant since the start of 2022. "The earliest evidence we have of this exploit kit being actively deploy...

A 23-year-old Russian national has been indicted in the U.S. and added to the Federal Bureau of Investigation's (FBI) Cyber Most Wanted List for his alleged role as the administrator of Marketplace A, a cyber crime forum that sold stolen login credentials, personal information, and credit card data. Igor Dekhtyarchuk , who first appeared in hacker forums in 2013 under the alias "floraby," has been accused of charges of wire fraud, access device fraud, and aggravated identity theft, a set of offenses that could lead to up to 20 years in federal prison. According to the FBI's  Wanted poster , Dekhtyarchuk previously studied at the Ural State University in Yekaterinburg, Russia, and was last known to reside in the city of Kamensk-Uralsky. "Marketplace A specialized in the sale of unlawfully obtained access devices for compromised online payment platforms, retailers, and credit card accounts, including providing the data associated with those accounts such as na...

A Chinese-speaking advanced persistent threat (APT) has been linked to a new campaign targeting gambling-related companies in South East Asia, particularly Taiwan, the Philippines, and Hong Kong. Cybersecurity firm Avast dubbed the campaign  Operation Dragon Castling , describing its malware arsenal as a "robust and modular toolset." The ultimate motives of the threat actor are not immediately discernible as yet nor has it been linked to a known hacking group. While multiple initial access avenues were employed during the course of the campaign, one of the attack vectors involved leveraging a previously unknown remote code execution flaw in the WPS Office suite ( CVE-2022-24934 ) to backdoor its targets. The issue has since been addressed by Kingsoft Office, the developers of the office software. In the case observed by the Czech security firm, the vulnerability was used to drop a malicious binary from a fake update server with the domain update.wps[.]cn that triggers a m...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Before hunting malware, every researcher needs to find a system where to analyze it. There are several ways to do it: build your own environment or use third-party solutions. Today we will walk through all the steps of creating a custom malware sandbox where you can perform a proper analysis without infecting your computer. And then compare it with a ready-made service. Why do you need a malware sandbox?  A sandbox allows detecting cyber threats and analyzing them safely. All information remains secure, and a suspicious file can't access the system. You can monitor malware processes, identify their patterns and investigate behavior. Before setting up a sandbox, you should have a clear goal of what you want to achieve through the lab.  There are two ways how to organize your working space for analysis: Custom sandbox.  Made from scratch by an analyst on their own, specifically for their needs. A turnkey solution.  A versatile service with a range of configurat...

Authentication services provider Okta on Wednesday named Sitel as the third-party linked to a  security incident  experienced by the company in late January that allowed the LAPSUS$ extortion gang to remotely take over an internal account belonging to a customer support engineer. The company added that 366 corporate customers, or about 2.5% of its customer base, may have been impacted by the "highly constrained" compromise. "On January 20, 2022, the Okta Security team was alerted that a new factor was added to a Sitel customer support engineer' Okta account [from a new location]," Okta's Chief Security Officer, David Bradbury,  said  in a statement. "This factor was a password." The disclosure comes after LAPSUS$ posted screenshots of Okta's apps and systems earlier this week, about two months after the hackers gain access to the company's internal network over a five-day period between January 16 and 21, 2022 using remote desktop proto...

A new large scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personal identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire  @azure NPM scope , by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," JFrog researchers Andrey Polkovnychenko and Shachar Menashe  said  in a new report. The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published earlier this week, leading to their quick removal, but not before each of the packages were downloaded around 50 times on average. The attack refers to what's called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such ...

VMware on Wednesday released software updates to plug two critical security vulnerabilities affecting its Carbon Black App Control platform that could be abused by a malicious actor to execute arbitrary code on affected installations in Windows systems. Tracked as  CVE-2022-22951 and CVE-2022-22952 , both the flaws are rated 9.1 out of a maximum of 10 on the CVSS vulnerability scoring system. Credited with reporting the two issues is security researcher Jari Jääskelä. That said, successful exploitation of the vulnerabilities banks on the prerequisite that the attacker is already logged in as an administrator or a highly privileged user. VMware Carbon Black App Control is an  application allow listing solution  that's used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates. CVE-2022-22951 has been described as a command injection vulnerability that could enable an authenticated, high pri...

A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyber espionage campaign using a previously undocumented variant of the  PlugX  remote access trojan on infected machines. Slovak cybersecurity firm ESET dubbed the new version Hodur , owing to its resemblance to another PlugX (aka Korplug) variant called  THOR  that came to light in July 2021. "Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan)," ESET malware researcher Alexandre Côté Cyr  said  in a report shared with The Hacker News. "Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia." Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a  cyber espionage group  that's primarily known for targeting non-governmental organizations with...

Researchers have disclosed details of a newly discovered macOS variant of a malware implant developed by a Chinese espionage threat actor known to strike attack organizations across Asia. Attributing the attacks to a group tracked as  Storm Cloud , cybersecurity firm Volexity characterized the new malware, dubbed Gimmick, as a "feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google Drive) for command-and-control (C2) channels." The cybersecurity firm said it recovered the sample through memory analysis of a compromised MacBook Pro running macOS 11.6 (Big Sur) as part of an intrusion campaign that took place in late 2021. "Storm Cloud is an advanced and versatile threat actor, adapting its tool set to match different operating systems used by its targets," Volexity researchers Damien Cash, Steven Adair, and Thomas Lancaster  said  in a report. "They make use of built-in operating system utilities, open-source to...

A new class of security tools is emerging that promises to significantly improve the effectiveness and efficiency of threat detection and response. Emerging Extended Detection and Response (XDR) solutions aim to aggregate and correlate telemetry from multiple detection controls and then synthesize response actions. XDR has been referred to as the next step in the evolution of Endpoint Detection and Response (EDR) solutions. Because XDR represents a new solution category, there is no single accepted definition of what capabilities and features should (and shouldn't) be included. Each provider approaches XDR with different strengths and perspectives on how what an XDR solution should include. Therefore, selecting an XDR provider is quite challenging as organizations must organize and prioritize a wide range of capabilities that can differ significantly between providers. Cynet is now addressing this need with the Definitive RFP Template for XDR solutions ( download here ), ...

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.  According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted  Glupteba botnet  as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. "The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron,  said  in a write-up, potentially linking it to what's now called the Mēris botnet. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers ( CVE-2018-14847 ), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were  sinkholed  in late  September 2021 . ...

Microsoft on Tuesday  confirmed  that the LAPSUS$ extortion-focused hacking crew had gained "limited access" to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. "No customer code or data was involved in the observed activities," Microsoft's Threat Intelligence Center (MSTIC) said, adding that the breach was facilitated by means of a single compromised account that has since been remediated to prevent further malicious activity. The Windows maker, which was already tracking the group under the moniker DEV-0537 prior to the public disclosure,  said  it "does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk." "This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact," the company's security ...

Microsoft and authentication services provider Okta said they are investigating claims of a potential breach alleged by the LAPSUS$ extortionist gang. The development, which was first reported by  Vice  and  Reuters , comes after the cyber criminal group posted screenshots and source code of what it said were the companies' internal projects and systems on its Telegram channel. The leaked 37GB archive shows that the group may have accessed the repositories related to Microsoft's Bing, Bing Maps, and Cortana, with the  images  highlighting Okta's Atlassian suite and in-house Slack channels. "For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor," the hacking cartel wrote on Telegram. On top of this, the group alleged that it breached LG Electronics (LGE) for the "second time" in a year. Bill Demirkapi, an independent security researcher,  noted  ...

Back in 2018, Palo Alto Networks CTO and co-founder Nir Zuk coined a new term to describe the way that businesses needed to approach cybersecurity in the years to come. That term, of course, was extended detection and response (XDR). It described a unified cybersecurity infrastructure that brought endpoint threat detection, network analysis and visibility (NAV), access management, and more under a single roof to find and neutralize digital threats in real-time. And Zuk's vision of XDR proved prophetic. In the years since he coined the phrase, platforms leveraging the XDR model have emerged as the de-facto leaders of the business cybersecurity industry. But their scale and complexity put them in a product class that's just out of reach for some enterprises. Fortunately, the open-source community — as it often does — has filled the XDR void with an affordable product — because it's totally free. It's called  Wazuh , and it provides enterprises the tools they need to bu...

The U.S. government on Monday once again cautioned of potential cyber attacks from Russia in retaliation for  economic sanctions  imposed by the west on the country following its  military assault on Ukraine  last month. "It's part of Russia's playbook," U.S. President Joe Biden  said  in a  statement , citing "evolving intelligence that the Russian Government is exploring options." The development comes as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned of "possible threats" to U.S. and international satellite communication (SATCOM) networks in the wake of a cyber attack targeting  Viasat KA-SAT network , used extensively by the Ukrainian military, roughly around the time when Russian armed forces invaded Ukraine on February 24. "Successful intrusions into SATCOM networks could create risk in SATCOM network providers' customer environments," the agencies  said . T...

Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software's  InsydeH2O  and HP Unified Extensible Firmware Interface ( UEFI ). Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the high-severity vulnerabilities are rated 8.2 out of 10 on the CVSS scoring system. "The active exploitation of all the discovered vulnerabilities can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement," firmware security company Binarly, which discovered the latter three flaws,  said  in a write-up. "The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime." All the flaws relate to improper input v...

A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks. According to penetration tester and security researcher, who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on ( SSO ) options embedded on websites such as "Sign in with Google" (or Facebook, Apple, or Microsoft). While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window. "Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable," mrd0x  said  in a technical write-up publ...

Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called  Serpent  on compromised systems. Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. The ultimate objective of the campaign remains presently unknown. "The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads," Proofpoint researchers  said  in a report shared with The Hacker News. The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union's General Data Pro...