The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

As many as four zero-day security vulnerabilities have been disclosed in the HID Mercury access controller system that's used widely in healthcare, education, transportation, and government facilities. "The vulnerabilities uncovered allowed us to demonstrate the ability to remotely unlock and lock doors, subvert alarms and undermine logging and notification systems," Trellix security researchers Steve Povolny and Sam Quinn said in a report shared with The Hacker News. The issues, in a nutshell, could be weaponized by a malicious actor to gain full system control, including the ability to manipulate door locks. One of the bugs (CVE-2022-31481) includes an unauthenticated remote execution flaw that's rated 10 out of 10 for severity on the CVSS scoring system. HID Mercury controllers, which feature highly flexible configurations, are utilized by over 20 OEM (original equipment manufacturer) partners to design and deploy a broad range of access control systems, with ...

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information.  Dubbed  Peekaboo  by researchers from Carnegie Mellon University, the  system  "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers." Peekaboo operates on the principle of data minimization, which refers to the practice of limiting data collection to only what is required to fulfill a specific purpose. To achieve this, the system requires developers to explicitly declare the relevant data collection behaviors in the form of a manifest file that's then fed into an in-home trusted hub to transmit sensitive data from smart home apps such as smart doorbells on a need-to-know basis. The hub not only functions as a mediator between raw data from IoT devices and...

Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems. Dubbed  Symbiote  by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim's resources like a  parasite . The operators behind Symbiote are believed to have commenced development on the malware in November 2021, with the threat actor predominantly using it to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa, based on the domain names used. "Symbiote's main objective is to capture credentials and to facilitate backdoor access to a victim's machine," researchers Joakim Kennedy and Ismael Valenzuela said in a report shared with The Hacker News. "What makes Symbiote different from other Linux malware is that it infec...

Common cybercriminals are a menace, there's no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups. In fact, these tools can prove almost impossible to detect – and guard against. BVP47 is a case in point. In this article, we'll outline how this powerful state-sponsored malware has been quietly circulating for years, how it so cleverly disguises itself, and explain what that means for cybersecurity in the enterprise. Background story behind BVP47 It's a long story, fit for a spy novel. Earlier this year, a Chinese cybersecurity research group called Pangu Lab published an in-depth, 56-page report covering a piece of malicious code that the research group decided to call BVP47 (because BVP was the most common string in ...

A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed  Aoqin Dragon  has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013. "Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices," SentinelOne researcher Joey Chen  said  in a report shared with The Hacker News. "Other techniques the attacker has been observed using include DLL hijacking,  Themida-packed files , and DNS tunneling to evade post-compromise detection." The group is said to have some level of tactical association with another threat actor known as  Naikon  (aka Override Panda), with the campaigns primarily directed against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Infections chains mounted by Aoqin Dragon have banked on Asia-Pacific political affairs a...

Image Source: Toptal The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company  Proofpoint , which observed the component on June 6. The development comes amid a  spike  in  Emotet   activity  since it was resurrected late last year following a 10-month-long hiatus in the wake of a law enforcement operation that  took down its attack infrastructure  in January 2021. Emotet, attributed to a threat actor known as TA542 (aka Mummy Spider or Gold Crestwood), is an advanced, self-propagating and modular trojan that's delivered via email campaigns and is used as a distributor for other payloads such as ransomware. As of April 2022, Emotet is still the ...

An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as  DogWalk  — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a specially crafted ".diagcab" archive file that contains a diagnostics configuration file. The idea is that the payload would get executed the next time the victim logs in to the system after a restart. The vulnerability affects all Windows versions, starting from Windows 7 and Server Server 2008 to the latest releases. DogWalk was originally  disclosed  by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue. "There are a number of file types that can execute code in such a way but aren't techni...

U.S. cybersecurity and intelligence agencies have  warned  about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020. The widespread intrusion campaigns aim to exploit publicly identified security flaws in network devices such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices with the goal of gaining deeper access to victim networks. In addition, the actors used these compromised devices as route command-and-control (C2) traffic to break into other targets at scale, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI)  said  in a joint advisory. The perpetrators, besides shifting their tactics in response to public disclosures, are known to employ a mix of open-source and custom tools for reconnaissance and vulnerability scanning as well as...

An illicit online marketplace known as SSNDOB was taken down in operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday. SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue. The action saw the seizure of several domains associated with the marketplace — ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz — in cooperation with authorities from Cyprus and Latvia. According to blockchain analytics firm  Chainalysis , SSNDOB's Bitcoin payment processing system has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015. Furthermore, bitcoin transfers to the tune of more than $100,000 have been unearthed between SSNDOB and  Joker's Stash , another darknet market that specialized in stolen credit card information and voluntarily ...

The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in what's seen as an attempt by the latter to get around  sanctions  imposed by the U.S. Treasury in December 2019. "These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, likely to hinder attribution efforts in order to evade sanctions," threat intelligence firm Mandiant  noted  in an analysis last week. Active since 2019, UNC2165 is known to obtain initial access to victim networks via stolen credentials and a JavaScript-based downloader malware called  FakeUpdates  (aka SocGholish), leveraging it to previously deploy  Hades  ransomware. Hades is the work of a financially motivated hacking group named Evil Corp, which is also called by the monikers Gold Drake and Indr...

Enforcing the "double-extortion" technique aka pay-now-or-get-breached emerged as a head-turner last year.  May 6th, 2022 is a recent example. The State Department said the Conti strain of ransomware was the most costly in terms of payments made by victims as of January . Conti, a ransomware-as-a-service (RaaS) program, is one of the most notorious ransomware groups and has been responsible for infecting hundreds of servers with malware to gain corporate data or digital damage systems, essentially spreading misery to individuals and hospitals, businesses, government agencies and more all over the world. So, how different is a  ransomware attack  like Conti from the infamous "WannaCry" or "NotPetya"? While other Ransomware variants can spread fast and encrypt files within short time frames, Conti ransomware has demonstrated unmatched speed by which it can access victims' systems. Given the recent spate of data breaches, it is extremely challengin...

A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady . "The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP,  said  in a technical write-up. SVCReady is said to be in its early stage of development, with the authors iteratively updating the malware several times last month. First signs of activity date back to April 22, 2022. Infection chains involve sending Microsoft Word document attachments to targets via email that contain VBA macros to activate the deployment of malicious payloads. But where this campaign stands apart is that instead of employing PowerShell or MSHTA to retrieve next-stage executables from a remote server, the macro runs shellcode stored in the  document properties , which subsequently drops the SVCReady malware. In addition to achieving persistence on t...

Apple has introduced a Rapid Security Response feature in iOS 16 and macOS Ventura that's designed to deploy security fixes without the need for a full operating system version update. "macOS security gets even stronger with new tools that make the Mac more resistant to attack, including Rapid Security Response that works in between normal updates to easily keep security up to date without a reboot," the company  said  in a statement on Monday. The feature, which also works on iOS , aims to separate regular software updates from critical security improvements and are applied automatically so that users are quickly protected against in-the-wild attacks and unexpected threats. It's worth noting that Apple tested an analogous option in iOS 14.5. Rapid Security Response, viewed in that light, mirrors a similar approach taken by Google through Play Services and Play Protect to secure Android devices from malware and other kinds of fraud. Another key security fea...

10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times. Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official app marketplace. Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27). " TeaBot  is targeting 410 of the 639 applications tracked," mobile security company Zimperium  said  in a new analysis of Android threats during the first half of 2022. " Octo  targets 324 of the 639 applications tracked and is the only one targeting popular, non-financial applications for credential theft." Aside from  TeaBo...

Cybersecurity researchers have disclosed  two unpatched security vulnerabilities  in the open-source U-Boot boot loader. The issues, which were uncovered in the  IP defragmentation  algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service (DoS). U-Boot is a  boot loader  used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader. The issues are summarized below - CVE-2022-30790  (CVSS score: 9.6) - Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive. CVE-2022-30552  (CVSS score: 7.1) - Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code It's worth noting that both the flaws are exploitable only from the local network. But doing so can enable an attacker to root the devices and lead to a DoS by crafting a malformed packet. The s...

Microsoft's Digital Crimes Unit (DCU) last week disclosed that it had taken legal proceedings against an Iranian threat actor dubbed  Bohrium  in connection with a spear-phishing operation. The adversarial collective is said to have targeted entities in tech, transportation, government, and education sectors located in the U.S., Middle East, and India. "Bohrium actors create fake social media profiles, often posing as recruiters," Amy Hogan-Burney of the DCU  said  in a tweet. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware." According to an  ex parte order  shared by the tech giant, the goal of the intrusions was to steal and exfiltrate sensitive information, take control over the infected machines, and carry out remote reconnaissance. To halt the malicious activities of Bohrium, Microsoft said it took down 41 ".com," ".info...

"Shifting (security)" left approach in Software Development Life Cycle (SDLC) means starting security earlier in the process. As organizations realized that software never comes out perfectly and are riddled with many exploitable holes, bugs, and business logic vulnerabilities that require going back to fix and patch, they understood that building secure software requires incorporating and consolidating numerous resources. This conclusion led DevOps and R&D leaders to become proactive, acquiring technology to find and close these gaps in advance, with the aim of reducing the cost and effort while improving the quality of their outcomes.  With emerging comprehensive  continuous security validation technology , the demonstrated benefits of 'shifting left' as a fundamental part of SDLC can now be applied to your cybersecurity program, with results far exceeding the purely technical aspects of security posture management.  At the development level, the conceptuali...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) have issued an advisory about critical security vulnerabilities in Illumina's next-generation sequencing ( NGS ) software. Three of the flaws are rated 10 out of 10 for severity on the Common Vulnerability Scoring System ( CVSS ), with two others having severity ratings of 9.1 and 7.4. The issues impact software in medical devices used for "clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions, or for research use only,"  according to the FDA . "Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level," CISA  said  in an alert. "An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the c...