The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The  BlackCat ransomware crew  has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach. "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec  said  in a new report. BlackCat, also known by the names ALPHV and Noberus, is attributed to an adversary tracked as Coreid (aka  FIN7 , Carbanak, or Carbon Spider) and is said to be a  rebranded successor  of  DarkSide  and  BlackMatter , both of which shut shop last year following a string of high-profile attacks, including that of Colonial Pipeline. The threat actor, like other notorious ransomware groups, is known to run a ransomware-as-a-service (RaaS) operation, which involves its core developers enlisting the help of affiliates to carr...

Cybersecurity today matters so much because of everyone's dependence on technology, from collaboration, communication and collecting data to e-commerce and entertainment. Every organisation that needs to deliver services to their customers and employees must protect their IT 'network' - all the apps and connected devices from laptops and desktops to servers and smartphones. While traditionally, these would all live on one "corporate network," - networks today are often just made up of the devices themselves, and how they're connected: across the internet, sometimes via VPNs, to the homes and cafes people work from, to the cloud and data centres where services live. So what threats does this modern network face? Let's look at them in more detail. #1 Misconfiguration According to recent research by  Verizon , misconfiguration errors and misuse now make up 14% of breaches. Misconfiguration errors occur when configuring a system or application so that it...

Wearable technology company Fitbit has announced a new clause that requires users to switch to a Google account "sometime" in 2023. "In 2023, we plan to launch Google accounts on Fitbit, which will enable use of Fitbit with a Google account," the Google-owned fitness devices maker  said . The switch will not go live for all users in 2023. Rather, support for Fitbit accounts is expected to continue until at least the beginning of 2025, after which a Google account will be mandatory for using the devices. The deeper integration also means that a Google account will be compulsory to sign up for Fitbit and activate new features, including those that incorporate Google products and services such as Google Assistant. Also necessitated as part of the transition is the consent from the part of users to move their personal data from Fitbit to Google. The internet giant  stressed that  users' personal information will not be used to serve ads. The goal, Fitbit said...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn't just about poor hygiene; it's a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it's essential. Below, we look at the ris...

Ukrainian law enforcement authorities on Friday disclosed that it had "neutralized" a hacking group operating from the city of Lviv that it said acted on behalf of Russian interests. The group specialized in the sales of 30 million accounts belonging to citizens from Ukraine and the European Union on the dark web and netted a profit of $372,000 (14 million UAH) through electronic payment systems like YooMoney, Qiwi, and WebMoney that are outlawed in the country. "Their 'wholesale clients' were pro-kremlin propagandists," the Security Service of Ukraine (SSU)  said  in a press release. "It was them who used the received identification data of Ukrainian and foreign citizens to spread fake 'news' from the front and sow panic." The goal behind the campaign was "large-scale destabilization in multiple countries," it stated, adding the hacked accounts were used to propagate false information about the socio-political situation in U...

The City of London Police on Friday revealed that it has arrested a 17-year-old teenager from Oxfordshire on suspicion of hacking. "On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking," the agency  said , adding "he remains in police custody." The department said the arrest was made as part of an investigation in partnership with the U.K. National Crime Agency's cyber crime unit. No further details about the nature of the investigation were disclosed, although it's suspected that the law enforcement action may have something to do with the recent string of high-profile hacks aimed at  Uber  and  Rockstar Games . Both the intrusions are alleged to have been committed by the same threat actor, who goes by the name Tea Pot (aka teapotuberhacker). Uber, for its part, has pinned the breach on an attacker (or attackers) that it believes is associated with the LAPSUS$ extortion...

Security software company Sophos has released a patch update for its firewall product after it was discovered that attackers were exploiting a new critical zero-day vulnerability to attack its customers' network. The issue, tracked as  CVE-2022-3236  (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution. The company  said  it "has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region," adding it directly notified these entities. As a workaround, Sophos is recommending that users take steps to ensure that the User Portal and Webadmin are not exposed to WAN. Alternatively, users can update to the latest supported version - v19.5 GA v19.0 MR2 (19.0.2) v19.0 GA, MR1, and MR1-1 v18.5 MR5 (18.5.5) v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4 v18.0 MR3, ...

GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations." The fraudulent messages claim to notify users that their CircleCI sessions have expired and that they should log in using GitHub credentials by clicking on a link. Another bogus email  revealed by CircleCI  prompts users to sign in to their GitHub accounts to accept the company's new Terms of Use and Privacy Policy by following the link embedded in the message. Regardless of the lure, doing so redirects the target to a lookalike GitHub login page designed to steal and exfiltrate the entered credentials as well as the Time-based One Time Password (TOTP) codes in real-time to the attacker, effectively allowing ...

A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa. "The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions," researchers from SentinelOne  said  in a new report. The cybersecurity firm codenamed the "pragmatic" group Metador in reference to a string "I am meta" in one of their malware samples and because of Spanish-language responses from the command-and-control (C2) servers. The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims. Other hallmarks of the campaign are the limited number of intrusions and long-term access to targets. This includes two different Windows malware platforms ca...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities ( KEV ) Catalog, citing evidence of active exploitation. "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency said in a notice. The  critical vulnerability , tracked as  CVE-2022-35405 , is rated 9.8 out of 10 for severity on the CVSS scoring system, and was patched by Zoho as part of updates released on June 24, 2022. Although the exact nature of the flaw remains unknown, the India-based enterprise solutions company  said  it addressed the issue by removing the vulnerable components that could lead to the remote execution of arbitrary code. Zoho has also warned of the public availability of a proof-of-concept (PoC) exploit for the vulnerability, making it imperative ...

What on earth were they thinking? That's what we – and other security experts – were wondering when content giant Patreon recently dismissed its entire internal cybersecurity team in exchange for outsourced services. Of course, we don't know the true motivations for this move. But, as outsiders looking in, we can guess the cybersecurity implications of the decision would be inescapable for any organization. Fire the internal team and you take a huge risk Patreon is a content-creator site that handles billions of dollars in revenue. For reasons unknown to us, Patreon fired not just a couple of staff members or someone in middle management. No: the company fired its entire security team.  It's a big decision with significant consequences because it results in an incalculable loss of organizational knowledge. At the technical level, it's a loss of soft knowledge around deep system interdependencies that internal security experts will just "know" about and ac...

A hack-for-hire group that was  first exposed in 2019  has expanded its focus to set its sights on entities with business or political ties to Russia. Dubbed Void Balaur , the cyber mercenary collective has a history of launching cyberattacks against biotechnology and telecom companies since 2015. As many as 3,500 victims have been reported as of November 2021. "Void Balaur [...] primarily dabbles in cyber espionage and data theft, selling the stolen information to anyone willing to pay," Trend Micro  noted  at the time. Attacks conducted by the group are typically both generic and opportunistic and are aimed at gaining unauthorized access to widely-used email services, social media, messaging, and corporate accounts. Earlier this June, Google's Threat Analysis Group (TAG) took the wraps off a set of  credential theft attacks  targeting journalists, European politicians, and non-profit's mounted by the threat actor. "Void Balaur also goes after targ...

An SMS-based phishing campaign is targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application. The Microsoft 365 Defender Research Team said that the messages contain links that redirect users to a sketchy website that triggers the download of the fake banking rewards app for ICICI Bank. "The malware's RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions," researchers Shivang Desai, Abhishek Pustakala, and Harshita Tripathi  said . Additionally, the malware is equipped with the ability to steal SMSes, potentially enabling the attacker to swipe 2FA codes sent as text messages and gain unauthorized access to victim accounts. Like other social engineering attacks, familiar brand logos and names are used in the smishing message as well as the rogue a...

Microsoft on Thursday warned of a consumer-facing attack that made use of rogue OAuth applications deployed on compromised cloud tenants to ultimately seize control of Exchange servers and spread spam. "The threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access," the Microsoft 365 Defender Research Team said. The unauthorized access to the cloud tenant permitted the adversary to register a malicious OAuth application and grant it elevated permissions, and eventually modify Exchange Server settings to allow inbound emails from specific IP addresses to be routed through the compromised email server. "These modifications to the Exchange server settings allowed the threat actor to perform their primary goal in the attack: sending out spam emails," Microsoft  said . "The spam emails were sent as part of a...

A new wave of a mobile surveillance campaign has been observed targeting the Uyghur community as part of a long-standing spyware operation active since at least 2015, cybersecurity researchers disclosed Thursday. The intrusions, originally attributed to a threat actor named  Scarlet Mimic  back in January 2016, is said to have encompassed 20 different variants of the Android malware, which were disguised as books, pictures, and an audio version of the Quran. The malware, while relatively unsophisticated from a technical standpoint, comes with extensive capabilities to steal sensitive data from an infected device, send SMS messages on the victim's behalf, make phone calls, and track their locations. Additionally, it allows the recording of incoming and outgoing phone calls as well as surrounding audio. "All this makes it a powerful and dangerous surveillance tool," Israeli cybersecurity firm Check Point  said  in a technical deepdive, calling the spyware  M...

A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a  CSS-based framework  advertised by its maintainers as an "easy to use components library for Tailwind CSS and Material Design." "The malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script," Karlo Zanki, security researcher at ReversingLabs,  said  in a report shared with The Hacker News. This script is engineered to download a password-protected ZIP archive file that contains a Windows executable capable of running PowerShell scripts. The now-removed rogue package, named  material-tailwindcss , has been downloaded 320 times to date, all of which occurred on or after September 15, 2022. In a tactic that's becoming increasingly common,...

Last month Tech Crunch reported that  payment terminal manufacturer Wiseasy had been hacked . Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals. How Did the Wiseasy Hack Happen? Wiseasy employees use a cloud-based dashboard for remotely managing payment terminals. This dashboard allows the company to perform a variety of configuration and management tasks such as managing payment terminal users, adding or removing apps, and even locking the terminal.  Hackers were able to gain access to the Wiseasy dashboard by infecting employee's computers with malware. This allowed hackers to gain access to two different employee's dashboards, ultimately leading to a massive harvesting of payment terminal credentials once they gained access. Top Lessons Learned from the Wiseasy Hack 1 — Transparency isn't always the best policy...

Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. "Each virtual disk in Oracle's cloud has a unique identifier called OCID," Shir Tamari, head of research at Wiz,  said  in a series of tweets. "This identifier is not considered secret, and organizations do not treat it as such." "Given the OCID of a victim's disk that is not currently attached to an active server or configured as shareable, an attacker could 'attach' to it and obtain read/write over it," Tamari added. The cloud security firm, which dubbed the tenant isolation vulnerability " AttachMe ," said Oracle  patched the issue  within 24 hours of responsible disclosure on June 9, 2022. Accessing a volume using the CLI without sufficient permissions At its core, the vulnerability is rooted in the fact that a disk could be attached to a compute ...

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management. The shortcoming, tracked as  CVE-2007-4559  (CVSS score: 6.8), is rooted in the tarfile module, successful exploitation of which could lead to code execution from an arbitrary file write. "The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz  said  in a writeup. Originally disclosed in August 2007, the bug has to do with how a specially crafted tar archive can be leveraged to overwr...

A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware," Trend Micro threat researcher Sunil Bharti  said  in a report. The issue, tracked as  CVE-2022-26134  (CVSS score: 9.8), was addressed by the Australian software company in June 2022. In one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script ("ro.sh") on the victim's machine, which, in turn, fetched a second shell script ("ap.sh"). The malicious code is designed to update the  PATH variable  to include additional paths...

An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet in an attempt to  install a cryptocurrency miner . It's not immediately known if all of these hosts were successfully compromised. Nonetheless, it was made possible by means of a "lesser-known technique" designed to trick the servers into writing data to arbitrary files – a case of  unauthorized access  that was first documented in September 2018. "The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory containing some method to authorize a user (like adding a key to '.ssh/authorized_keys'), or start a process (like adding a script to '/etc/cron.d')," Censys  said  in a new write-up. The attack surface management platform said it uncovered evidence (i.e., Redis commands) indicating efforts on part of the attacker to store malicious  crontab entries  into the file "/var/...