The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A Linux botnet malware known as XorDdos has witnessed a 254% surge in activity over the last six months, according to latest research from Microsoft. The trojan, so named for carrying out denial-of-service attacks on Linux systems and its use of XOR-based encryption for communications with its command-and-control (C2) server, is  known  to have been  active  since at least 2014. "XorDdos' modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures," Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or of the Microsoft 365 Defender Research Team  said  in an exhaustive deep-dive of the malware. "Its SSH brute-force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets." Remote control over vulnerable IoT and other internet-connected devices is gained by means of secure shell (SSH) brute-force attacks, enabling the malware to form a b...

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. "The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell  said . Cytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns. The commercial surveillance company is the maker of  Predator , an implant  analogous  to that of NSO Group's  Pegasus , and is known to h...

A case of software supply chain attack has been observed in the Rust programming language's  crate registry  that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack " CrateDepression ." Typosquatting attacks  take place  when an adversary mimics the name of a popular package on a public registry in hopes that developers will accidentally download the malicious package instead of the legitimate library. In this case, the crate in question is "rustdecimal," a typosquat of the real " rust_decimal " package that's been downloaded over 3.5 million times to date. The package was  flagged  earlier this month on May 3 by Askar Safin, a Moscow-based developer. According to an  advisory  published by the Rust maintainers, the crate is said to have been first pushed on March 25, 2022, attracting fewer than 500 downloads before it was permanently removed from the repository....

The North Korea-backed Lazarus Group has been observed leveraging the  Log4Shell vulnerability  in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart. "The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC)  said  in a new report. The intrusions are said to have been first discovered in April, although  multiple threat actors , including those aligned with  China  and  Iran , have employed the same approach to further their objectives over the past few months. NukeSped is a backdoor that can perform various malicious activities based on commands received from a remote attacker-controlled domain. Last year, Kaspersky disclosed a spear-phishing campaign aimed at stealing critical data from defense companies using a NukeSped variant called  ThreatNeedle . So...

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware. "The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler  said  in a report. "These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on Telegram and Mastodon network." Some of the rogue distribution vector domains, which were registered last month on April 20, consist of ms-win11[.]com, win11-serv[.]com, and win11install[.]com, and ms-teams-app[.]net. In addition, the cybersecurity firm cautioned that the threat actor behind the impersonation campaign is also leveraging backdoored versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to deliver Vidar malware. The ISO file, for its part,...

Taiwanese network-attached storage (NAS) devices maker QNAP on Thursday warned its customers of a fresh wave of DeadBolt ransomware attacks. The intrusions are said to have targeted TS-x51 series and TS-x53 series appliances running on QTS 4.3.6 and QTS 4.4.1, according to its product security incident response team.  "QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the internet," QNAP  said  in an advisory. This development marks the third time QNAP devices have come under assault from  DeadBolt ransomware  since the start of the year. In late January, as many as 4,988 DeadBolt-infected QNAP devices were identified, prompting the company to release a forced firmware update. A second uptick in new infections was  observed  in mid-March.  DeadBolt attacks are also notable for the fact that they allegedly leverage zero-day flaws in the software to gain remote access...

A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely  unlock and operate cars ,  break open residential smart locks , and breach secure areas. The vulnerability has to do with weaknesses in the current implementation of Bluetooth Low Energy (BLE), a wireless technology used for authenticating Bluetooth devices that are physically located within a close range. "An attacker can falsely indicate the proximity of Bluetooth LE (BLE) devices to one another through the use of a relay attack," U.K.-based cybersecurity company NCC Group  said . "This may enable unauthorized access to devices in BLE-based proximity authentication systems." Relay attacks , also called two-thief attacks, are a variation of person-in-the-middle attacks in which an adversary intercepts communication between two parties, one of whom is also an attacker, and then relays it to the target device without any manipulation. While various mitigations have been implem...

The  2022 SaaS Security Survey Report,  in collaboration with CSA, examines the state of SaaS security as seen in the eyes of CISOs and security professionals in today's enterprises. The report gathers anonymous responses from 340 CSA members to examine not only the growing risks in SaaS security but also how different organizations are currently working to secure themselves. Demographics The majority (71%) of respondents were located in the Americas, another 17% from Asia, and 13% from EMEA. Of these participants 49% influence the decision-making process while 39% run the process itself. The survey examined organizations from a variety of industries, such as telecommunications (25%), finance (22%), and government (9%).  While there are many takeaways from the survey, these are our top seven.  1: SaaS Misconfigurations are Leading to Security Incidents Since 2019, SaaS misconfigurations have become a top concern for organizations, with at least 43% of organizat...

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads. Tracked as  CVE-2021-22573 , the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature. Credited with discovering and reporting the flaw on March 12 is  Tamjid Al Rahat , a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google's bug bounty program. "The vulnerability is that the IDToken verifier does not verify if the token is properly signed," an  advisory  for the flaw reads. "Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on ...

A new research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before such information is submitted and without prior consent. The study  involved  crawling 2.8 million pages from the top 100 websites, and found that as many as 1,844 websites allowed trackers to capture email addresses before form submission in the European Union, a number that jumped to 2,950 when the same set of websites were visited from the U.S. "Emails (or their hashes) were sent to 174 distinct domains ( eTLD+1 ) in the U.S. crawl, and 157 distinct domains in the EU crawl," the researchers  said . Furthermore, 52 websites were determined to be collecting passwords in the same manner, an issue that has since been addressed following responsible disclosure. LiveRamp, Taboola, Adobe, Verizon, Yandex, Meta Platforms, TikTok, Salesforce, Listrak, and Oracle...

VMware has issued patches to contain  two security flaws  impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication. CVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the "root" user on vulnerable virtual appliances. "It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," VMware  said . The disclosure follows a  warning  from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 — two other VMware fla...

Ransomware  is not a new attack vector. In fact, the  first malware of its kind  appeared more than 30 years ago and was distributed via 5.25-inch floppy disks. To pay the ransom, the victim had to mail money to a P.O. Box in Panama. Fast forward to today, affordable ransomware-as-a-service (RaaS) kits are available on the dark web for anyone to purchase and deploy and attackers have an infinite number of channels available to them to infiltrate organizations as a result of reliance on cloud and mobile technologies. Initiating a ransomware attack is all about discretely gaining access. And as employees can now access your data from anywhere, you have lost visibility into how they do so. To safeguard against these attacks, you're not just looking for malware, you need continuous insights into your users, the endpoints they use and the applications and data they access. Lookout , a leader in endpoint-to-cloud security, has published an interactive infographic to help yo...

The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. "Most of Wizard Spider's efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets," Swiss cybersecurity company PRODAFT  said  in a new report shared with The Hacker News. "Some of the money they get is put back into the project to develop new tools and talent." Wizard Spider, also known as Gold Blackburn, is believed to operate out of Russia and refers to a financially motivated threat actor that's been linked to the TrickBot botnet, a modular malware that was  officially discontinued  earlier this year in favor of improved malware such as BazarBackdoor. That's not all. The TrickBot operators have also extensively cooperated with  Conti , another Russia-linked cybercrime group notorious for offering ransomware-a...

Microsoft on Tuesday warned that it recently spotted a malicious campaign targeting SQL Servers that leverages a built-in PowerShell binary to achieve persistence on compromised systems. The intrusions, which leverage brute-force attacks as an initial compromise vector, stand out for their use of the utility " sqlps.exe ," the tech giant  said  in a series of tweets. The ultimate goals of the campaign are unknown, as is the identity of the threat actor staging it. Microsoft is tracking the malware under the name " SuspSQLUsage ." The sqlps.exe utility, which comes by default with all versions of SQL Servers, enables an SQL Agent — a Windows service to run scheduled tasks — to run jobs using the PowerShell subsystem. "The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," Microsoft noted. Addi...

To cash in on a thriving market, a managed security service provider (MSSP) must navigate unprecedented competition and complex challenges. The good news is that demand is through the roof. 69% of organizations plan to boost spending on cybersecurity in 2022.  The bad news is that everyone wants a piece of the pie. MSSPs must outshine each other while fending off encroachments by traditional IT vendors and MSPs. As a result, some MSSPs are succumbing to the squeeze of low margins. Others are struggling to scale successfully.  The most successful MSSPs are taking action to improve their current financial position while laying a foundation for long-term growth. A new eBook, " Your 90-Day MSSP Plan: How to Improve Margins and Scale Up Service Delivery ," to help MSSPs understand the current cybersecurity landscape, their current position in it, what you they're well, and where they can improve the most.  This nine-step plan offers a clear path for MSSPs to boost profitab...

Highly skilled software and mobile app developers from the Democratic People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in hopes of landing freelance employment in an attempt to enable the regime's  malicious cyber intrusions . That's according to a  joint advisory  from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI) issued on Monday. Targets include financial, health, social media, sports, entertainment, and lifestyle-focused companies located in North America, Europe, and East Asia, with most of the dispatched workers situated in China, Russia, Africa, and Southeast Asia. The goal, the U.S. agencies warn, is to generate a constant stream of revenue that sidesteps international sanctions imposed on the nation and help serve its economic and security priorities, including the development of nuclear and ballistic missiles. "The North Korean government withholds up to 90 perce...

Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks. The tech giant dubbed the new threat "cryware," with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet. "Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as  hot wallets ," Berman Enconado and Laurie Kirk of the Microsoft 365 Defender Research Team  said  in a new report.  "Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them." Attacks of this kind are not theoretical. Earlier this year, Kaspersky  disclosed  a financially-motivated campaign staged by the North Korea-based Lazarus Gr...