The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Often, organizations think of firewall security as a one-and-done type of solution. They install firewalls, then assume that they are "good to go" without investigating whether or not these solutions are actually protecting their systems in the best way possible. "Set it and forget it!" Instead of just relying on firewalls and assuming that they will always protect their businesses from cyber risk, executives need to start asking deeper questions about them. As with most areas of business, it's important to take a critical look at each solution that your organization relies on for security. So, let's break down a few questions that you and your team should be asking about firewall security to get a more accurate view into your network defense posture. 1 — What does your team's firewall knowledge look like? In order to properly service and upkeep firewalls, your team needs to have at least a baseline knowledge of how firewalls operate. It's espe...

Cybersecurity researchers have uncovered new variants of the  ChromeLoader  information-stealing malware, highlighting its evolving feature set in a short span of time. Primarily used for hijacking victims' browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter and free gaming sites. ChromeLoader has also been codenamed Choziosi Loader and ChromeBack by the broader cybersecurity community. What makes the adware notable is that it's fashioned as a browser extension as opposed to a Windows executable (.exe) or Dynamic Link Library (.dll). The infections typically work by enticing unsuspecting users into downloading movie torrents or cracked video games through malvertising campaigns on pay-per-install sites and social media. Besides requesting invasive permissions to access browser data and manipulate web requests, it's also designed t...

The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. "Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot," Zscaler Threatlabz researchers Tarun Dewan and Aditya Sharma  said . Other methods adopted by the group include code obfuscation, introducing new layers in the attack chain from initial compromise to execution, and using multiple URLs as well as unknown file extensions (e.g., .OCX, .ooccxx, .dat, or .gyp) to deliver the payload. Also called QBot, QuackBot, or Pinkslipbot, Qakbot has been a  recurring threat  since late 2007, evolving from its initial days as a banking trojan to a modular information stealer capable of deploying next-stage payloads such as  ransomware . "Qakbot is a flexible post-ex...

Microsoft released its monthly round of Patch Tuesday updates to address  84 new security flaws  spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are  two other bugs  in the Chromium-based Edge browser, one of which plugs another  zero-day flaw  that Google disclosed as being actively exploited in real-world attacks. Top of the list of this month's updates is  CVE-2022-22047  (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem ( CSRSS ) that could be abused by an attacker to gain SYSTEM permissions. "With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools," Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. "...

Popular video-sharing platform TikTok on Tuesday agreed to pause a controversial privacy policy update that could have allowed it to serve targeted ads based on users' activity on the social video platform without their permission to do so. The reversal, reported by  TechCrunch , comes a day after the Italian data protection authority — the Garante per la Protezione dei Dati Personali — warned the company against the change, citing violations of data protection laws. "The personal data stored in users' devices may not be used to profile those users and send personalized ads without their explicit consent," the Garante  said . The formal warning was in response to a privacy policy revision that noted the service had historically asked users' "consent" to their on-TikTok activity and off-TikTok activity to serve personalized ads and that, therefore, it intends to stop asking users for their permission to profile their behavior and process personal dat...

Businesses know they need to secure their client-side scripts. Content security policies (CSPs) are a great way to do that. But CSPs are cumbersome. One mistake and you have a potentially significant client-side security gap. Finding those gaps means long and tedious hours (or days) in manual code reviews through thousands of lines of script on your web applications. Automated content security policies can help streamline the code review process by first identifying all first- and third-party scripts and the assets they access, and then generating an appropriate content security policy to help better secure the client-side attack surface. There are few developers or AppSec professionals who claim to enjoy deploying CSPs. First, the CSP has to work for the specific web application. Then the team needs to make sure it provides the appropriate level of protection. The CSP also can't conflict with any existing widgets or plugins (or the decision must be made to not deploy the CSP or dea...

Microsoft on Monday announced the general availability of a feature called Autopatch that automatically keeps Windows and Office software up-to-date on enrolled endpoints. The launch, which comes a day before Microsoft is expected to release its monthly round of security patches, is available for customers with Windows Enterprise E3 and E5 licenses. It, however, doesn't support Windows Education (A3) or Windows Front Line Worker (F3) licenses. "Microsoft will continue to release updates on the second Tuesday of every month and now Autopatch helps streamline updating operations and create new opportunities for IT pros," Lior Bela  said . Autopatch works by  applying security updates  first to devices in what's called the Test ring, which contains a minimum number of representative devices. After a validation period, the updates are pushed to the First (1% devices), Fast (9%), and Broad (90%) rings. The service was first  teased  by the tech giant in April...

GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes. "Attackers can abuse the  runners  or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily," Trend Micro researcher Magno Logan  said  in a report last week. GitHub Actions ( GHAs ) is a continuous integration and continuous delivery (CI/CD) platform that allows users to automate the software build, test, and deployment pipeline. Developers can leverage the feature to create workflows that build and test every pull request to a code repository, or deploy merged pull requests to production. Both Linux and Windows runners are hosted on  Standard_DS2_v2  virtual machines on Azure and come with two vCPUs and 7GB of memory. T...

It's not a new concept that Office 365, Salesforce, Slack, Google Workspace or Zoom, etc., are amazing for enabling the hybrid workforce and hyper-productivity in businesses today. However, there are three main challenges that have arisen stemming from this evolution: (1) While SaaS apps include a host of native security settings, they need to be hardened by the security team of the organization. (2) Employees are granting 3rd party app access to core SaaS apps that pose potential threats to the company. (3) These SaaS apps are accessed by different devices without their device hygiene score even being checked.  1 — Misconfiguration Management It's not an easy task to have every app setting properly configured — at all times. The challenge lies within how burdensome this responsibility is — each app has tens or hundreds of security settings to configure, in addition to thousands of user roles and permission in a typical enterprise, compounded by the many compliance industry...

The $540 million hack of Axie Infinity's  Ronin Bridge  in late March 2022 was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn, it has emerged.  According to a report from  The Block  published last week citing two people familiar with the matter, a senior engineer at the company was duped into applying for a job at a non-existent company, causing the individual to download a fake offer document disguised as a PDF. "After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package," the Block reported. The offer document subsequently acted as a conduit to deploy malware designed to breach Ronin's network, ultimately facilitating one of the crypto sector's biggest hacks to date. "Sky Mavis employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised," t...

The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed "critical." "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," Python Package Index (PyPI)  said  in a tweet last week. "Any maintainer of a critical project (both 'Maintainers' and 'Owners') are included in the 2FA requirement," it  added . Additionally, the developers of critical projects who have not previously turned on 2FA on PyPi are being offered free hardware security keys from the Google Open Source Security Team. PyPI, which is run by the Python Software Foundation, houses more than 350,000 projects, of which over  3,500 projects  are said to be tagged with a "critical" designation. According to the repository maintainers, any project accounting for the top 1% ...

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. "Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin  said  in a report this week. Tracked as  CVE-2022-30190 , the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022. The starting point for the latest attack chain observed by Fortinet is a weaponized  Office document  that, when opened, connects to a  Discord CDN URL  to retrieve an HTML file (" index.htm ") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space. This includes the Rozena implant (...

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities.  Describing it as a "persistent" and "spreading" threat, Cybereason  said  it observed a number of victims in Europe. The infections involve a worm that propagates over removable USB devices containing malicious a .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was  first documented  by researchers from Red Canary in May 2022. Also codenamed  QNAP worm  by Sekoia, the malware leverages a legitimate Windows installer binary called "msiexec.exe" to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance. "To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc Cast...

LockBit ransomware attacks are constantly evolving by making use of a wide range of techniques to infect targets while also taking steps to disable endpoint security solutions. "The affiliates that use LockBit's services conduct their attacks according to their preference and use different tools and techniques to achieve their goal," Cybereason security analysts Loïc Castel and Gal Romano  said . "As the attack progresses further along the kill chain, the activities from different cases tend to converge to similar activities." LockBit, which operates on a ransomware-as-a-service (RaaS) model like most groups, was first observed in September 2019 and has since emerged as the most dominant ransomware strain this year, surpassing other well-known groups like  Conti ,  Hive , and  BlackCat . This involves the malware authors licensing access to affiliates, who execute the attacks in exchange for using their tools and infrastructure and earn as much as 80% of ea...

Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans. "Based on feedback received, a rollback has started," Microsoft employee Angela Robertson  said  in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available." When reached by The Hacker News, Redmond said its decision to reverse course was temporary and that it's working to incorporate further usability improvements. "Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," a Microsoft spokesperson said. "This is a temporary change, and we are fully committed to making the default change for all users. Regardless of the default setting, customers can block internet macros th...

Progress powers technology forward. But progress also has a cost: by adding new capabilities and features, the developer community is constantly adjusting the building blocks. That includes the fundamental languages used to code technology solutions. When the building blocks change, the code behind the technology solution must change too. It's a challenging and time-consuming exercise that drains resources. But what if there's an alternative? The problem: reading code someone else wrote Let's take a step back and take a look at one of the fundamental challenges in development: editing someone else's code. Editing code you just wrote, or wrote a couple of weeks ago, is just fine. But editing your own code written years ago – never mind someone else's code - that's a different story. In-house code style rules can help but there are always odd naming conventions for variables and functions, or unusual choices for algorithms. Arguably, a programmer's abilit...

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. Mobile security firm Zimperium dubbed the malware family  ABCsoup , stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores." The rogue browser add-ons come with the same extension ID as that of Google Translate — " aapbdbdomjkkjkaonfhkkikfgjllcleb " — in an attempt to trick users into believing that they have installed a legitimate extension. The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser. In the event the targeted user already has the Google Translate ext...