The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers from Palo Alto Networks Unit 42  disclosed  details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster. The issue, which has been dubbed  FabricScape  ( CVE-2022-30137 ), could only be weaponized on containers that are configured to have  runtime access . It has been  remediated  as of June 14, 2022, in  Service Fabric 9.0 Cumulative Update 1.0 . Azure Service Fabric  is Microsoft's platform-as-a-service ( PaaS ) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines. "The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource's host SF node and the entire cluster," Microsoft  said  as part of the coordinated disclosure process. "Though the bug exi...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to  add  a Linux vulnerability dubbed  PwnKit  to its  Known Exploited Vulnerabilities Catalog , citing evidence of active exploitation. The issue, tracked as  CVE-2021-4034  (CVSS score: 7.8), came to light in January 2022 and concerns a case of  local privilege escalation  in polkit's pkexec utility, which allows an authorized user to execute commands as another user. Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes. Successful exploitation of the flaw could induce pkexec to execute arbitrary code, granting an unprivileged attacker administrative rights on the target machine. It's not immediately clear how the vulnerability is being weaponized in the wild, nor is there any information on the id...

A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. The malware "grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold," researchers from Lumen Black Lotus Labs said in a report shared with The Hacker News. The stealthy operation, which targeted routers from ASUS, Cisco, DrayTek, and NETGEAR, is believed to have commenced in early 2020 during the initial months of the COVID-19 pandemic, effectively remaining under the radar for over two years. "Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network's perimeter," the company's threat intelligence team said. Initial access...

Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021,  attributed  it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors. "During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated  building automation systems  of one of the victims," the company said. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." ShadowPad , which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been put to use by many Chinese espionage actors over the years....

Your smartphone is your daily companion. The chances are that most of our activities rely on them, from ordering food to booking medical appointments. However, the threat landscape always reminds us how vulnerable smartphones can be.  Consider the recent  discovery by Oversecured , a security startup. These experts observed the dynamic code loading and its potential dangers. Why is this a problem? Well, the Google app uses code that does not come integrated with the app itself. Okay, this might sound confusing, but it all works in favor of optimizing certain processes. Thus, Google exploits code libraries pre-installed on Android phones to reduce their download size. In fact, many Android apps use this trick to optimize the storage space needed to run.  As revealed by Oversecured, perpetrators could compromise this retrieval of code from libraries. Instead of Google obtaining code from a reliable source, it could be tricked into taking code from malicious apps operatin...

The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems. The issue has been identified in OpenSSL  version 3.0.4 , which was released on June 21, 2022, and impacts x64 systems with the  AVX-512  instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected. Security researcher Guido Vranken, who disclosed details of the bug,  said  it "can be triggered trivially by an attacker." Although the shortcoming has been  fixed , no patches have been made available as yet. OpenSSL is a popular cryptography library that offers an open source implementation of the Transport Layer Security ( TLS ) protocol. Advanced Vector Extensions ( AVX ) are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD. "I do not think this is a security vulnerability," Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thre...

A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA. Said to be in its early stages of development, the malware — dubbed  Revive  by Italian cybersecurity firm Cleafy — was first observed on June 15, 2022 and distributed by means of phishing campaigns. "The name Revive has been chosen since one of the functionality of the malware (called by the [threat actors] precisely 'revive') is restarting in case the malware stops working," Cleafy researchers Federico Valentini and Francesco Iubatti  said  in a Monday write-up. Available for download from rogue phishing pages ("bbva.appsecureguide[.]com" or "bbva.european2fa[.]com") as a lure to trick users into downloading the app, the malware impersonates the bank's two-factor authentication (2FA) app and is said to be inspired from open-source spyware called  Teardroid , with the authors tweaking the original so...

The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window. "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more," Cybereason  said  in a report. Evidence indicates the ransomware strain was still in development as recently as February 2022, and only started to be used in attacks starting April after it was advertised on underground forums with an intent to buy and monetize corporate network access for a share of the profits. Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish ...

CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others.  "These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution," Chinese cybersecurity firm NSFOCUS  said . "In combination with industrial scenarios on the field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc." CODESYS is a  software   suite  used by automation specialists as a development environment for programmable logic controller applications ( PLCs ). Following responsible disclosure between September 2021 and January 2022, fixes were  shipped  by the German software company last week on June 23, 2022. Two of the bugs are rated as Critical, seven as High,...

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)  Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems like new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT. "Shadow IDs," or in other words, unman...

Following the footsteps of  Austria  and  France , the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations. The Garante per la Protezione dei Dati Personali, in a press release  published  last week, called out a local web publisher for using the widely used analytics tool in a manner that allowed key bits of users' personal data to be illegally transferred to the U.S. without necessary safeguards. This includes interactions of users with the websites, the individual pages visited, IP addresses of the devices used to access the websites, browser specifics, details related to the device's operating system, screen resolution, and the selected language, as well as the date and time of the visits. The Italian supervisory authority (SA) said that it arrived at this conclusion following a "complex fact-finding exercise" it commenced in collaboration with ot...

A malware-as-a-service (Maas) dubbed  Matanbuchus  has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines. Matanbuchus, like other  malware loaders  such as  BazarLoader ,  Bumblebee , and  Colibri , is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection. Available on Russian-speaking cybercrime forums for a price of $2,500 since February 2021, the malware is equipped with capabilities to launch .EXE and .DLL files in memory and run arbitrary PowerShell commands. The findings, released by threat intelligence firm Cyble last week, document the latest infection chain associated with the loader, which is linked to a threat actor who goes by the online moniker BelialDemon. "If we look historically, BelialDemon has been involved in the development of malware loaders," Unit 4...

In cybersecurity, many of the best jobs involve working on government projects. To get a security clearance, you need to prove that you meet  NIST standards . Cybersecurity firms are particularly interested in people who understand the RMF, or Risk Management Framework — a U.S. government guideline for taking care of data. The NIST Cybersecurity & Risk Management Frameworks Course  helps you understand this topic, with over 21 hours of video instruction. The training is worth a total of $295, but readers of The Hacker News can  get the course today for only $39 . Special Offer  — Normally priced at $295, this Risk Management Framework course is  now only $39 for a limited time , with lifetime access included. That's a massive 86% discount! Designed by the United States Government, the Risk Management Framework provides a complete guide to securing sensitive data. It also ensures that cybersecurity professionals comply with the various laws, directives, ...

A suspected ransomware intrusion attempt against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment. The  findings  come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions. The zero-day exploit in question is tracked as CVE-2022-29499 and was fixed by Mitel in April 2022 by means of a remediation script that it shared with customers. It's rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system, making it a critical shortcoming. "A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malic...

A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in  Google Play Protect  — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG)  said  in a Thursday report. Hermit, the work of an Italian vendor named RCS Lab, was  documented  by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages. Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, besides abusing its permissions to accessibility services on Android to keep tabs on various foreground apps used by the victims. Its...

Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. The list of packages includes loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils, according to Sonatype security researcher Ax Sharma. The packages and as well as the endpoint have now been taken down. "Some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job," Sharma  said . The malicious code injected into "loglib-modules" and "pygrata-utils" allow the packages to harvest AWS credentials, network interface information, and environment variables and export them to a remote endpoint: "hxxp://graph.pygrata[.]com:8000/upload." Troublingly, the endpoints hosting this information in the form of hundreds of .TXT files were not secu...

A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed  Bronze Starlight  by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the researchers  said  in a new report. "In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently." Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant empha...