The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Government and state-owned organizations in a number of Asian countries have been targeted by a distinct group of espionage hackers as part of an intelligence gathering mission that has been underway since early 2021. "A notable feature of these attacks is that the attackers leveraged a wide range of legitimate software packages in order to load their malware payloads using a technique known as  DLL side-loading ," the Symantec Threat Hunter team, part of Broadcom Software,  said  in a report shared with The Hacker News. The campaign is said to be exclusively geared towards government institutions related to finance, aerospace, and defense, as well as state-owned media, IT, and telecom firms.  Dynamic-link library (DLL) side-loading is a popular cyberattack method that leverages how Microsoft Windows applications handle DLL files. In these intrusions, a spoofed malicious DLL is planted in the Windows Side-by-Side ( WinSxS ) directory so that the operating system ...

Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security, and genome research as part of a new social engineering campaign designed to hunt for sensitive information. Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor named  TA453 , which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus. It all starts with a phishing email impersonating legitimate individuals at Western foreign policy research organizations that's ultimately designed to gather intelligence on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The sock puppet accounts include people from Pew Research Center, the Foreign Policy Research Institute (FRPI), the U.K.'s Chatham House, and the scientific journal Nature. The technique is said to have been deployed in mid-June 2022. However, what differentiates this from other phishing attacks...

Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier  CVE-2022-32917 , is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may have been actively exploited," the iPhone maker acknowledged in a brief statement, adding it resolved the bug with improved bound checks. An anonymous researcher has been credited with reporting the shortcoming. It's worth noting that CVE-2022-32917 is also the  second Kernel related zero-day flaw  that Apple has remediated in less than a month. Patches are available in versions  iOS 15.7, iPadOS 15.7 ,  iOS 16 ,  macOS Big Sur 11.7 , and  macOS Monterey 12.6 . The iOS and iPadOS updates cover iPhone 6s and later, iPad Pro (all models), iPad Air 2 and late...

China has accused the U.S. National Security Agency (NSA) of conducting a string of cyberattacks aimed at aeronautical and military research-oriented Northwestern Polytechnical University in the city of Xi'an in June 2022. The National Computer Virus Emergency Response Centre (NCVERC) disclosed its findings last week, and accused the Office of Tailored Access Operations ( TAO ), a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA), of orchestrating thousands of attacks against the entities located within the country. "The U.S. NSA's TAO has carried out tens of thousands of malicious cyber attacks on China's domestic network targets, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone exchanges, routers, firewalls, etc.), and stole more than 140GB of high-value data," the NCVERC  said . According to the U.S. Department of Justice ( DoJ ), Northwestern Polytechnical Unive...

A hacktivist collective called  GhostSec  has claimed credit for compromising as many as 55 Berghof programmable logic controllers ( PLCs ) used by Israeli organizations as part of a "Free Palestine" campaign. Industrial cybersecurity firm OTORIO, which  dug deeper  into the incident, said the breach was made possible owing to the fact that the PLCs were accessible through the Internet and were secured by trivially guessable credentials. Details of the compromise first came to light on September 4 after GhostSec shared a video on its Telegram channel demonstrating a successful login to the PLC's admin panel, in addition to dumping data from the hacked controllers. The Israeli company said the system dumps and screenshots were exported directly from the admin panel following unauthorized access to the controllers through their public IP addresses. GhostSec (aka Ghost Security), first identified in 2015, is a self-proclaimed  vigilante group  that was i...

SOC 2 may be a voluntary standard, but for today's security-conscious business, it's a minimal requirement when considering a SaaS provider. Compliance can be a long and complicated process, but a scanner like  Intruder  makes it easy to tick the vulnerability management box. Security is critical for all organisations, including those that outsource key business operations to third parties like SaaS vendors and cloud providers. Rightfully so, since mishandled data – especially by application and network security providers – can leave organisations vulnerable to attacks, such as data theft, extortion and malware. But how secure are the third parties you've entrusted with your data? SOC 2 is a framework that ensures these service providers securely manage data to protect their customers and clients. For security-conscious businesses – and security should be a priority for every business today – SOC 2 is now a minimal requirement when considering a SaaS provider. What SOC ...

A number of firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure. Binarly, which first  revealed details  of the issues at the  Black Hat USA conference  in mid-August 2022, said the vulnerabilities "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement." Firmware flaws can have serious implications as they can be abused by an adversary to achieve long-term persistence on a device in a manner that can survive reboots and evade traditional operating system-level security protections. The high-severity weaknesses identified by Binarly affect HP EliteBook devices and concern a case of memory corruption in the System Management Mode (SMM) of the firmware, thereby enabling the execution of arbitrary code with the highest privileges - CVE-2022-23930  (CVSS score: 8.2) - Stack-based b...

A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015. Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (IRGC), not to mention shares partial overlaps with another cluster called  APT35 , which is also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda. APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including in Australia, Europe, the Middle East, and the U.S. Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, i...

The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies. "Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors," the Treasury  said . The agency also accused Iranian state-sponsored actors of  staging disruptive attacks  aimed at Albanian government computer systems in mid-July 2022, an incident that forced the latter to temporarily suspend its online services. The development comes months nearly nine months after the U.S. Cyber Command characterized the advanced persistent threat (APT) known as MuddyWater as a  subordinate element  within MOIS. It also comes almost two years following the Treasur...

Security threats are always a concern when it comes to APIs. API security can be compared to driving a car. You must be cautious and review everything closely before releasing it into the world. By failing to do so, you're putting yourself and others at risk. API attacks are more dangerous than other breaches. Facebook had a 50M user account affected by an API breach, and an API data breach on the Hostinger account exposed 14M customer records.  If a hacker gets into your API endpoints, it could spell disaster for your project. Depending on the industries and geographies you're talking about, insecure APIs could get you into hot water. Especially in the EU, if you're serving the banking, you could face massive legal and compliance problems if you're discovered to be using insecure APIs.  To mitigate these risks, you need to be aware of the potential  API vulnerabilities  that cybercriminals can exploit.   6 Commonly Overlooked API Security Risks #1 No API ...

More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized. "The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains," Erin Plante, senior director of investigations at Chainalysis,  said . The development arrives more than five months after the  crypto hack  resulted in the theft of $620 million from the decentralized finance (DeFi) platform Ronin Network, with the attackers laundering a majority of the proceeds – amounting to $455 million – through the Ethereum-based cryptocurrency tumbler Tornado Cash. The March 2022 cryptocurrency heist resulted in losses totaling 173,600 ETH ...

A zero-day flaw in a WordPress plugin called  BackupBuddy  is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it  said . BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others. The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It's been addressed in version 8.7.5 released on September 2, 2022. The issue is rooted in the function called "Local Directory Copy" that's designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of an insecure implementation, which enables an unauthenticated threat acto...

Multiple security vulnerabilities have been disclosed in Baxter's internet-connected infusion pumps used by healthcare professionals in clinical environments to dispense medication to patients. "Successful exploitation of these vulnerabilities could result in access to sensitive data and alteration of system configuration," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said  in a coordinated advisory. Infusion pumps are internet-enabled devices used by hospitals to deliver medication and nutrition directly into a patient's circulatory system. The four vulnerabilities in question, discovered by  cybersecurity firm Rapid7  and reported to Baxter in April 2022, affect the following Sigma Spectrum Infusion systems - Sigma Spectrum v6.x model 35700BAX Sigma Spectrum v8.x model 35700BAX2 Baxter Spectrum IQ (v9.x) model 35700BAX3 Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28 Si...

A malicious campaign mounted by the North Korea-linked Lazarus Group  targeted energy providers around the world, including those based in the United States, Canada, and Japan, between February and July 2022. "The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state," Cisco Talos  said  in a report shared with The Hacker News. Some elements of the espionage attacks have already entered public domain, courtesy of prior reports from Broadcom-owned  Symantec  and  AhnLab  earlier this April and May. Symantec attributed the operation to a group referred to as Stonefly, a Lazarus subgroup which is better known as Andariel, Guardian of Peace, OperationTroy, and Silent Chollima. While these attacks previously led to the instrumentation of Preft (aka Dtrack) and NukeSped (aka Manuscrypt) implants, the latest attack wave is notable for...

A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX. Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrating the adversary's continued focus on espionage against governments around the world. "PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. Bronze President is a China-based threat actor active since at least July 2018 and is likely estimated to be a state-sponsored group that leverages a mix of proprietary and publicly available tools to compromise and collect data from its targets. It's also publicly documented under other names such as HoneyMyte, Mustang P...

A recent report revealed that ecommerce provider,  Shopify uses particularly weak password policies  on the customer-facing portion of its Website. According to the report, Shopify's requires its customers to use a password that is at least five characters in length and that does not begin or end with a space.  According to the report, Specops researchers analyzed a list of a billion passwords that were known to have been breached and found that 99.7% of those passwords adhere to Shopify's requirements. While this is not meant to suggest that Shopify customers' passwords have been breached, the fact that so many known breached passwords adhere to Shopify's minimum password requirements does underscore the dangers associated with using weak passwords. The danger of weak passwords in your Active Directory  A recent study by Hive Systems  echoes the dangers of using weak passwords. The study examines the amount of time that would be required to brute force crac...

Major financial and insurance companies located in French-speaking nations in Africa have been targeted over the past two years as part of a persistent malicious campaign codenamed  DangerousSavanna . Countries targeted include Ivory Coast, Morocco, Cameroon, Senegal, and Togo, with the spear-phishing attacks heavily focusing on Ivory Coast in recent months, Israeli cybersecurity firm Check Point  said  in a Tuesday report. Infection chains entail targeting employees of financial institutions with social engineering messages containing malicious attachments as a means of initial access, ultimately leading to the deployment of off-the-shelf malware such as  Metasploit ,  PoshC2 ,  DWservice , and  AsyncRAT . "The threat actors' creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-...