The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

An illicit online marketplace known as SSNDOB was taken down in operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday. SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue. The action saw the seizure of several domains associated with the marketplace — ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz — in cooperation with authorities from Cyprus and Latvia. According to blockchain analytics firm  Chainalysis , SSNDOB's Bitcoin payment processing system has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015. Furthermore, bitcoin transfers to the tune of more than $100,000 have been unearthed between SSNDOB and  Joker's Stash , another darknet market that specialized in stolen credit card information and voluntarily ...

The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in what's seen as an attempt by the latter to get around  sanctions  imposed by the U.S. Treasury in December 2019. "These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, likely to hinder attribution efforts in order to evade sanctions," threat intelligence firm Mandiant  noted  in an analysis last week. Active since 2019, UNC2165 is known to obtain initial access to victim networks via stolen credentials and a JavaScript-based downloader malware called  FakeUpdates  (aka SocGholish), leveraging it to previously deploy  Hades  ransomware. Hades is the work of a financially motivated hacking group named Evil Corp, which is also called by the monikers Gold Drake and Indr...

Enforcing the "double-extortion" technique aka pay-now-or-get-breached emerged as a head-turner last year.  May 6th, 2022 is a recent example. The State Department said the Conti strain of ransomware was the most costly in terms of payments made by victims as of January . Conti, a ransomware-as-a-service (RaaS) program, is one of the most notorious ransomware groups and has been responsible for infecting hundreds of servers with malware to gain corporate data or digital damage systems, essentially spreading misery to individuals and hospitals, businesses, government agencies and more all over the world. So, how different is a  ransomware attack  like Conti from the infamous "WannaCry" or "NotPetya"? While other Ransomware variants can spread fast and encrypt files within short time frames, Conti ransomware has demonstrated unmatched speed by which it can access victims' systems. Given the recent spate of data breaches, it is extremely challengin...

A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady . "The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP,  said  in a technical write-up. SVCReady is said to be in its early stage of development, with the authors iteratively updating the malware several times last month. First signs of activity date back to April 22, 2022. Infection chains involve sending Microsoft Word document attachments to targets via email that contain VBA macros to activate the deployment of malicious payloads. But where this campaign stands apart is that instead of employing PowerShell or MSHTA to retrieve next-stage executables from a remote server, the macro runs shellcode stored in the  document properties , which subsequently drops the SVCReady malware. In addition to achieving persistence on t...

Apple has introduced a Rapid Security Response feature in iOS 16 and macOS Ventura that's designed to deploy security fixes without the need for a full operating system version update. "macOS security gets even stronger with new tools that make the Mac more resistant to attack, including Rapid Security Response that works in between normal updates to easily keep security up to date without a reboot," the company  said  in a statement on Monday. The feature, which also works on iOS , aims to separate regular software updates from critical security improvements and are applied automatically so that users are quickly protected against in-the-wild attacks and unexpected threats. It's worth noting that Apple tested an analogous option in iOS 14.5. Rapid Security Response, viewed in that light, mirrors a similar approach taken by Google through Play Services and Play Protect to secure Android devices from malware and other kinds of fraud. Another key security fea...

10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times. Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official app marketplace. Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27). " TeaBot  is targeting 410 of the 639 applications tracked," mobile security company Zimperium  said  in a new analysis of Android threats during the first half of 2022. " Octo  targets 324 of the 639 applications tracked and is the only one targeting popular, non-financial applications for credential theft." Aside from  TeaBo...

Cybersecurity researchers have disclosed  two unpatched security vulnerabilities  in the open-source U-Boot boot loader. The issues, which were uncovered in the  IP defragmentation  algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service (DoS). U-Boot is a  boot loader  used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader. The issues are summarized below - CVE-2022-30790  (CVSS score: 9.6) - Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive. CVE-2022-30552  (CVSS score: 7.1) - Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code It's worth noting that both the flaws are exploitable only from the local network. But doing so can enable an attacker to root the devices and lead to a DoS by crafting a malformed packet. The s...

Microsoft's Digital Crimes Unit (DCU) last week disclosed that it had taken legal proceedings against an Iranian threat actor dubbed  Bohrium  in connection with a spear-phishing operation. The adversarial collective is said to have targeted entities in tech, transportation, government, and education sectors located in the U.S., Middle East, and India. "Bohrium actors create fake social media profiles, often posing as recruiters," Amy Hogan-Burney of the DCU  said  in a tweet. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware." According to an  ex parte order  shared by the tech giant, the goal of the intrusions was to steal and exfiltrate sensitive information, take control over the infected machines, and carry out remote reconnaissance. To halt the malicious activities of Bohrium, Microsoft said it took down 41 ".com," ".info...

"Shifting (security)" left approach in Software Development Life Cycle (SDLC) means starting security earlier in the process. As organizations realized that software never comes out perfectly and are riddled with many exploitable holes, bugs, and business logic vulnerabilities that require going back to fix and patch, they understood that building secure software requires incorporating and consolidating numerous resources. This conclusion led DevOps and R&D leaders to become proactive, acquiring technology to find and close these gaps in advance, with the aim of reducing the cost and effort while improving the quality of their outcomes.  With emerging comprehensive  continuous security validation technology , the demonstrated benefits of 'shifting left' as a fundamental part of SDLC can now be applied to your cybersecurity program, with results far exceeding the purely technical aspects of security posture management.  At the development level, the conceptuali...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) have issued an advisory about critical security vulnerabilities in Illumina's next-generation sequencing ( NGS ) software. Three of the flaws are rated 10 out of 10 for severity on the Common Vulnerability Scoring System ( CVSS ), with two others having severity ratings of 9.1 and 7.4. The issues impact software in medical devices used for "clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions, or for research use only,"  according to the FDA . "Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level," CISA  said  in an alert. "An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the c...

A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as  CVE-2022-30190  (CVSS score: 7.8). No less than 1,000 phishing messages containing a lure document were sent to the targets. "This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253," the company  said  in a series of tweets. The payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named "seller-notification[.]live." "This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine re...

Atlassian on Friday rolled out fixes to address a  critical security flaw  affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution. Tracked as  CVE-2022-26134 , the issue is similar to  CVE-2021-26084  — another security flaw the Australian software company patched in August 2021. Both relate to a case of Object-Graph Navigation Language ( OGNL ) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance. The newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions - 7.4.17 7.13.7 7.14.3 7.15.2 7.16.4 7.17.4 7.18.1 According to stats from internet asset discovery platform  Censys , there are about 9,325 services across 8,347 distinct hosts running a vulnerable versi...

GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as  CVE-2022-1680 , the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1. "When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus — in the absence of 2FA — take over those accounts," GitLab  said . Having achieved this, a malicious actor can also change the display name and username of the targeted account, the DevOps platform provider cautioned in its...

An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed  LuoYu  has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. "This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky  said  in a new report. "Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection." Known to be active since 2008, organizations targeted by LuoYu are predominantly foreign diplomatic organizations established in China and members of the academic community as well as financial, defense, logistics, and telecommunications companies. LuoYu's use of  WinDealer  was first documented by Taiwanese cybersecurity firm  TeamT5  at the Japan Security Analyst Conference (JSAC) in January 2021. ...

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research. Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites. Parrot TDS was  documented  in April 2022 by Czech cybersecurity company Avast, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns. This involves appending a piece of malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) such as WordPress that are in turn said to be breached by taking advantage of weak login credentials and vulnerable plugins. Besides using different obfuscation tactics to conceal the code, the "injected JavaScript may also be found well indent...

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium. In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium andd that it notified affected organizations. "The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques," MSTIC  assessed  with "moderate confidence." The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022. Targets of interest included entities in the manufacturing...

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as  CVE-2022-26134 . "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it  said  in an advisory. "There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available. All supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is ...

As the threat landscape evolves and multiplies with more advanced attacks than ever, defending against these modern cyber threats is a monumental challenge for almost any organization.  Threat detection is about an organization's ability to accurately identify threats, be it to the network, an endpoint, another asset or an application – including cloud infrastructure and assets. At scale, threat detection analyzes the entire security infrastructure to identify malicious activity that could compromise the ecosystem. Countless solutions support threat detection, but the key is to have as much data as possible available to bolster your security visibility. If you don't know what is happening on your systems, threat detection is impossible.  Deploying the right security software is critical for protecting you from threats. What do we mean by threat detection software? In the early days of threat detection, software was deployed to protect against different forms of malware. ...

An analysis of  leaked chats  from the notorious  Conti ransomware group  earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices. "Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals," firmware and hardware security firm Eclypsium  said  in a report shared with The Hacker News. "Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system." Specifically, this includes attacks aimed at embedded microcontrollers such as the Intel  Management Engine  ( ME ), a privileged component that's part of the company's processor chipsets and which can completely bypass the operating system. It's worth noting that the reason for thi...

As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. Called Ransomware for IoT or  R4IoT  by Forescout, it's a "novel, proof-of-concept ransomware that exploits an IoT device to gain access and move laterally in an IT [information technology] network and impact the OT [operational technology] network." This potential pivot is based on the rapid growth in the number of IoT devices as well as the convergence of IT and OT networks in organizations. The ultimate goal of R4IoT is to leverage exposed and vulnerable IoT devices such as IP cameras to gain an initial foothold, followed by deploying ransomware in the IT network and taking advantage of poor operational security practices to hold mission-critical processes hostage. "By compromising IoT, IT, and OT assets, R4IoT goes beyond the usual encryption and data exfiltration to cause phys...