The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar  said  in a Tuesday write-up. Sold on the dark web for €189 a month,  Quantum Builder  is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case  Agent Tesla . The multi-stage attack chain starts with a spear-phishing email containing a GZIP archive attachment that includes a shortcut designed to execute PowerShell code responsible for launching a remote HTML application (HTA) using  MSHTA . The phishing emails purport to be an order confirmation message from a Chinese supplier of lump and rock sugar, with the L...

Organizations struggle to find ways to keep a good security posture. This is because it is difficult to create secure system policies and find the right tools that help achieve a good posture. In many cases, organizations work with tools that do not integrate with each other and are expensive to purchase and maintain. Security posture management is a term used to describe the process of identifying and mitigating security misconfigurations and compliance risks in an organization. To maintain a good security posture, organizations should at least do the following: Maintain inventory:  Asset inventory is considered first because it provides a comprehensive list of all IT assets that should be protected. This includes the hardware devices, applications, and services that are being used. Perform vulnerability assessment:  The next step is to perform a vulnerability assessment to identify weaknesses in applications and services. Knowledge of the vulnerabilities help to priorit...

The Russian state-sponsored threat actor known as  APT28  has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25  said  in a technical report. "The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive." The dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads. The attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development ( OECD ), a Paris-based intergovernmental entity. Cluster25 noted the attacks may be ongoing, con...

Meta Platforms on Tuesday disclosed it took steps to dismantle two covert influence operations originating from China and Russia for engaging in coordinated inauthentic behavior (CIB) so as to manipulate public debate. While the Chinese operation sets its sights on the U.S. and the Czech Republic, the Russian network primarily targeted Germany, France, Italy, Ukraine and the U.K. with themes surrounding the ongoing war in Ukraine. "The largest and most complex Russian operation we've disrupted since the war in Ukraine began, it ran a sprawling network of over 60 websites impersonating news organizations, as well as accounts on Facebook, Instagram, YouTube, Telegram, Twitter, Change.org and Avaaz, and even LiveJournal," the social media behemoth  said . The sophisticated Russian activity, which commenced in May 2022, impersonated mainstream European news outlets like Der Spiegel, The Guardian, and Bild, not to mention build credibility by creating fake accounts across...

WhatsApp has released  security updates  to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices. One of them concerns  CVE-2022-36934  (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call. The issue impacts the WhatsApp and WhatsApp Business for Android and iOS prior to versions 2.22.16.12. Also patched by the Meta-owned messaging platform is an integer underflow bug, which refers to an opposite category of errors that occur when the result of an operation is too small for storing the value within the allocated memory space. The high-severity issue, given the CVE identifier  CVE-2022-27492  (CVSS score: 7.8), affects WhatsApp for Android prior to versions 2.22.16.2 and WhatsApp for iOS version 2.22.15.9, and could be triggered upon receiving a specially crafted video file. Exploi...

The Ukrainian government on Monday warned of "massive cyberattacks" by Russia targeting critical infrastructure facilities located in the country and that of its allies. The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said. "By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine," the agency  said  in a brief advisory. GUR also cautioned of intensified distributed denial-of-service (DDoS) attacks aimed at the critical infrastructure of Ukraine's closest allies, chiefly Poland and the Baltic states of Estonia, Latvia, and Lithuania. It's not immediately clear what prompted the intelligence agency to issue the notice, but Ukraine has been at the receiving end of  disruptive and destructive cyberattacks  since the onset of the Russo-Ukrainian war earli...

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called  NullMixer  on compromised systems. "When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others." Besides siphoning users' credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon account session cookies, what makes NullMixer insidious is its ability to download dozens of trojans at once, significantly widening the scale of the infections. Attack chains typically start when a user attempts to download cracked software from one of the sites, which leads to a password-protected archive that contains an executable fil...

As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019. The latest iteration, dubbed  Scylla  by Online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codename Poseidon and Charybdis, respectively. Prior to their removal from the app storefronts, the apps had been collectively installed more than 13 million times. The original Poseidon operation comprised over 40 Android apps that were designed to display ads out of context or hidden from the view of the device user. Charybdis, on the other hand, was an improvement over the former by making use of code obfuscation tactics to target advertising platforms. Scylla presents the latest adaption of the scheme in that it expands beyond Android to make a foray into the iOS ecosystem for the first time, alongside relying on additional layers of code roundabout using...

The global cybersecurity market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.  One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global penetration testing (pentesting) market size is expected to grow at a Compound Annual Growth Rate (CAGR) of 13.7% from 2022 to 2027. However, the costs and limitations involved in carrying out a penetration test are already hindering the market growth, and consequently, many cybersecurity professionals are making moves to find an alternative solution. Pentests aren't solving cybersecurity pain points Pentesting can serve specific and important purposes for businesses. For example, prospective customers may ask for the results of one as proof of compliance. However, for certain challenges, this ...

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which  delved  into a similar phony job posting for the Coinbase cryptocurrency exchange platform. Both these fake job advertisements are just the latest in a series of attacks dubbed  Operation In(ter)ception , which, in turn, is a constituent of a broader campaign tracked under the name  Operation Dream Job . Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking...

The Australian Federal Police (AFP) on Monday disclosed it's working to gather "crucial evidence" and that it's collaborating with overseas law enforcement authorities following the hack of telecom provider Optus. "Operation Hurricane has been launched to identify the criminals behind the alleged breach and to help shield Australians from identity fraud," the AFP  said  in a statement. The development comes after Optus, Australia's second-largest wireless carrier,  disclosed  on September 22, 2022, that it was a victim of a cyberattack. It claimed it "immediately shut down the attack" as soon as it came to light. The threat actor behind the breach also briefly released a sample of 10,200 records from the breach – putting those users at heightened risk of fraud – in addition to asking for $1 million as part of an extortion demand. The dataset has since been taken down, with the attacker also claiming to have deleted the only copy of the sto...

At least three alleged hacktivist groups working in support of Russian interests are likely doing so in collaboration with state-sponsored cyber threat actors, according to Mandiant. The Google-owned threat intelligence and incident response firm  said  with moderate confidence that "moderators of the purported hacktivist Telegram channels 'XakNet Team,' 'Infoccentr,' and 'CyberArmyofRussia_Reborn' are coordinating their operations with Russian Main Intelligence Directorate (GRU)-sponsored cyber threat actors." Mandiant's assessment is based on evidence that the leakage of data stolen from Ukrainian organizations occurred within 24 hours of  malicious wiper incidents  undertaken by the Russian nation-state group tracked as  APT28  (aka Fancy Bear, Sofacy, or Strontium). To that end, four of the 16 data leaks from these groups coincided with  disk wiping malware attacks  by APT28 that involved the use of a strain dubbed  CaddyWiper . APT...

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities. Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile. The intrusions involved the exploitation of  CVE-2022-1040  and  CVE-2022-30190  (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively. "This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future  said  in a new technical analysis. TA413, also known as LuckyCat, has been linked t...

The  BlackCat ransomware crew  has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach. "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec  said  in a new report. BlackCat, also known by the names ALPHV and Noberus, is attributed to an adversary tracked as Coreid (aka  FIN7 , Carbanak, or Carbon Spider) and is said to be a  rebranded successor  of  DarkSide  and  BlackMatter , both of which shut shop last year following a string of high-profile attacks, including that of Colonial Pipeline. The threat actor, like other notorious ransomware groups, is known to run a ransomware-as-a-service (RaaS) operation, which involves its core developers enlisting the help of affiliates to carr...

Cybersecurity today matters so much because of everyone's dependence on technology, from collaboration, communication and collecting data to e-commerce and entertainment. Every organisation that needs to deliver services to their customers and employees must protect their IT 'network' - all the apps and connected devices from laptops and desktops to servers and smartphones. While traditionally, these would all live on one "corporate network," - networks today are often just made up of the devices themselves, and how they're connected: across the internet, sometimes via VPNs, to the homes and cafes people work from, to the cloud and data centres where services live. So what threats does this modern network face? Let's look at them in more detail. #1 Misconfiguration According to recent research by  Verizon , misconfiguration errors and misuse now make up 14% of breaches. Misconfiguration errors occur when configuring a system or application so that it...

Wearable technology company Fitbit has announced a new clause that requires users to switch to a Google account "sometime" in 2023. "In 2023, we plan to launch Google accounts on Fitbit, which will enable use of Fitbit with a Google account," the Google-owned fitness devices maker  said . The switch will not go live for all users in 2023. Rather, support for Fitbit accounts is expected to continue until at least the beginning of 2025, after which a Google account will be mandatory for using the devices. The deeper integration also means that a Google account will be compulsory to sign up for Fitbit and activate new features, including those that incorporate Google products and services such as Google Assistant. Also necessitated as part of the transition is the consent from the part of users to move their personal data from Fitbit to Google. The internet giant  stressed that  users' personal information will not be used to serve ads. The goal, Fitbit said...

Ukrainian law enforcement authorities on Friday disclosed that it had "neutralized" a hacking group operating from the city of Lviv that it said acted on behalf of Russian interests. The group specialized in the sales of 30 million accounts belonging to citizens from Ukraine and the European Union on the dark web and netted a profit of $372,000 (14 million UAH) through electronic payment systems like YooMoney, Qiwi, and WebMoney that are outlawed in the country. "Their 'wholesale clients' were pro-kremlin propagandists," the Security Service of Ukraine (SSU)  said  in a press release. "It was them who used the received identification data of Ukrainian and foreign citizens to spread fake 'news' from the front and sow panic." The goal behind the campaign was "large-scale destabilization in multiple countries," it stated, adding the hacked accounts were used to propagate false information about the socio-political situation in U...

The City of London Police on Friday revealed that it has arrested a 17-year-old teenager from Oxfordshire on suspicion of hacking. "On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking," the agency  said , adding "he remains in police custody." The department said the arrest was made as part of an investigation in partnership with the U.K. National Crime Agency's cyber crime unit. No further details about the nature of the investigation were disclosed, although it's suspected that the law enforcement action may have something to do with the recent string of high-profile hacks aimed at  Uber  and  Rockstar Games . Both the intrusions are alleged to have been committed by the same threat actor, who goes by the name Tea Pot (aka teapotuberhacker). Uber, for its part, has pinned the breach on an attacker (or attackers) that it believes is associated with the LAPSUS$ extortion...