The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Google on Thursday announced that it's seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition , also known as GUAC, as part of its ongoing efforts to beef up the  software supply chain . "GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News. "GUAC is meant to democratize the availability of this security information by making it freely accessible and useful for every organization, not just those with enterprise-scale security and IT funding." Software supply chain has  emerged  a  lucrative   attack vector  for threat actors, wherein exploiting just one weakness -- as seen in the case of  SolarWinds  and  Log4Shell  -- opens a pathway long enough to traverse down the supply chain and steal sensiti...

A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years. "The group's victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking," Group-IB  said  in an exhaustive report shared with The Hacker News. "In 2020, the group even targeted an arms manufacturer." In what's a rarity in the ransomware landscape, OldGremlin (aka TinyScouts) is one of the very few financially motivated cybercrime gangs that primarily focuses on Russian companies. Other notable groups consist of Dharma, Crylock, and Thanos, contributing to an uptick in ransomware attacks targeting businesses in the country by over 200% in 2021. OldGremlin first came to light in September 2020 when the Singapore-headquartered cybersecurity company  disclosed  nine campaigns orch...

The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall. "Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books," ESET researcher Lukas Stefanko  said  in a report shared with The Hacker News. The updates, while retaining the same surveillance functionality as earlier versions, are designed to evade detection by security solutions, the Slovak cybersecurity firm added. Domestic Kitten, also called APT-C-50, is an Iranian threat activity cluster that has been previously identified as targeting individuals of interest with the goal of harvesting sensitive information from compromised mobile devices. It's been known to be active since at least 2016. A tactical analysis conducted by Trend Micro in 2019 revealed Domestic Kitten...

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can't easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. Astrix's Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar : "One dangerous habit we've had for a long time is trusting application logic to act as the guardrails. That doesn't work when your AI agent is powered by LLMs that don't stop and think when they're about to do something wrong. They just do it." Why AI Agents Redefine Identity Risk Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each addit...

When creating a Sandbox, the mindset tends to be that the Sandbox is considered a place to play around, test things, and there will be no effect on the production or operational system. Therefore, people don't actively think they need to worry about its security. This mindset is not only wrong, but extremely dangerous.  When it comes to software developers, their version of sandbox is similar to a child's playground — a place to build and test without breaking any flows in production. Meanwhile, in the world of cybersecurity, the term 'sandbox' is used to describe a virtual environment or machine used to run suspicious code and other elements.  Many organizations use a Sandbox for their SaaS apps — to test changes without disrupting the production SaaS app or even to connect new apps (much like a software developer's Sandbox). This common practice often leads to a false sense of security and in turn a lack of thought for its security implications. This article wi...

As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud. The  Clicker  malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them, cybersecurity firm McAfee  said . The list of offending apps is as follows - High-Speed Camera (com.hantor.CozyCamera) - 10,000,000+ downloads Smart Task Manager (com.james.SmartTaskManager) - 5,000,000+ downloads Flashlight+ (kr.caramel.flash_plus) - 1,000,000+ downloads 달력메모장 (com.smh.memocalendar) - 1,000,000+ downloads K-Dictionary (com.joysoft.wordBook) - 1,000,000+ downloads BusanBus (com.kmshack.BusanBus) - 1,000,000+ downloads Flashlight+ (com.candlencom.candleprotest) - 500,000+ downloads Quick Note (com.movinapp.quicknote) - 500,000+ downloads Currency Converter (co...

The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez  disclosed  in a Wednesday analysis. The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what's being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations. Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with  the earliest documented attacks  going as far back as 2007. Check Point, in August 2020, mapped the " divergent evolution of Gozi " over th...

The Federal Police of Brazil on Wednesday announced it had arrested an individual for purported links to the notorious LAPSUS$ extortionist gang. The arrest was made as part of a new law enforcement effort, dubbed Operation Dark Cloud, that was launched in August 2022, the agency noted. Not much is known about the suspect other than the fact that the person could be a teenager. The Polícia Federal said it commenced its investigation in December 2021 following an attack on websites under Brazil's  Ministry of Health , resulting in the alleged exfiltration of 50TB of data and  temporary unavailability  of COVID-19 vaccination information of millions of citizens. Other federal government portals targeted by the LAPSUS$ group in Brazil include the Ministry of Economy, Comptroller General of the Union, and the Federal Highway Police. "The crimes determined in the police investigation are those of criminal organization, invasion of a computer device, interruption or distu...

Cybersecurity researchers have shared more details about a now-patched security flaw in Azure Service Fabric Explorer (SFX) that could potentially enable an attacker to gain administrator privileges on the cluster. The vulnerability, tracked as  CVE-2022-35829 , carries a CVSS severity rating of 6.2 and was addressed by Microsoft as part of its  Patch Tuesday updates  last week. Orca Security, which  discovered and reported  the flaw to the tech giant on August 11, 2022, dubbed the vulnerability  FabriXss  (pronounced "fabrics"). It impacts Azure Fabric Explorer version 8.1.316 and prior. SFX is described by Microsoft as an  open-source tool  for inspecting and managing  Azure Service Fabric  clusters, a distributed systems platform that's used to build and deploy microservices-based cloud applications. The vulnerability is rooted in the fact that a user with  permissions  to "Create Compose Application" through the...

An advanced persistent threat (APT) group of Chinese origin codenamed  DiceyF  has been linked to a string of attacks aimed at online casinos in Southeast Asia for years. Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to  Earth Berberoka  (aka  GamblingPuppet ) and  DRBControl , citing tactical and targeting similarities as well as the abuse of secure messaging clients. "Possibly we have a mix of espionage and [intellectual property] theft, but the true motivations remain a mystery," researchers Kurt Baumgartner and Georgy Kucherin  said  in a technical write-up published this week. The starting point of the investigation was in November 2021 when Kaspersky said it detected multiple  PlugX loaders  and other payloads that were deployed via an employee monitoring service and a security package deployment service. The initial infection method – the distribution of the frame...

In the world of insurance providers and policies, cyber insurance is a fairly new field. And many security teams are trying to wrap their heads around it.  What is it and do they need it? And with what time will they spend researching how to integrate cyber insurance into their strategy?  For small security teams, this is particularly challenging as they contend with limited resources. Luckily, there's a  new eBook  dedicated to helping small security teams better understand cyber insurance policies and how they may impact an organization's cybersecurity measures. Background In 1997, the "Internet Security Liability" (ISL) insurance policy was launched at the International Risk Insurance Management Society's convention in Honolulu. Underwritten by AIG, ISL insurance was designed to protect ecommerce retailers like Amazon that were collecting sensitive customer data and storing it on internal networks. It is credited as one of the very first cyber insurance poli...

Details have emerged about a previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process. "The covert self-developed tool and the associated C2 commands seem to be the work of a sophisticated, unknown threat actor who has targeted approximately 100 victims," Tomer Bar, director of security research at SafeBreach,  said  in a new report. Attributed to an  unnamed threat actor , attack chains involving the malware commence with a weaponized  Microsoft Word document  that, per the company, was uploaded from Jordan on August 25, 2022. Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code. "The Macro drops 'updater.vbs,' creates a scheduled task pretending to be part of a Windows update, which will ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two Industrial Control Systems (ICS)  advisories  pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. This consists of three weaknesses in the R-SeeNet monitoring solution, successful exploitation of which "could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution." The list of issues, which affect R-SeeNet Versions 2.4.17 and prior, is as follows - CVE-2022-3385 and CVE-2022-3386  (CVSS scores: 9.8) - Two stack-based buffer overflow flaws that could lead to remote code execution CVE-2022-3387  (CVSS score: 6.5) - A path traversal flaw that could enable a remote attacker to delete arbitrary PDF files Patches have been made available in version  R-SeeNet version 2.4.21  released on September 30, 2022. Also published by CISA is an update to a December 2021 advisory about mult...

Both cryptocurrency and ransomware are nothing new in the digital world; both have been there for a very long time, which was enough for them to find common pieces for starting their relationship. Ransomware can be like a virtual car that works on all types of fuels, and crypto is the one that is currently most recommended. No one can argue that 2020 was the year of ransomware in the cyber world, but it wasn't due to the fact that cybercriminals chose ransomware just because they knew how to attack properly. It's because of the fact that crypto rose mostly this year, along with the new normal of the digital world. It gave them a new cause to stick to ransomware, thanks to the anonymous payments that can be made using a cryptocurrency.  How does ransomware work?  Ransomware is a malware type that encrypts the victim's files, whether it's a random user or an organization, leading to denying them access to those files on their personal devices. And the key to gaining ...

The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed  Operation CuckooBees . Active since at least 2007,  Winnti  (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing technology secrets from organizations in developed economies. The threat actor's campaigns have targeted healthcare, telecoms, high-tech, media, agriculture, and education sectors, with infection chains primarily relying on spear-phishing emails with attachments to initially break into the victims' networks. Earlier this May, Cybereason  disclosed  long-running attacks orchestrated by the group since 2019 to siphon intellectual property from technology and manufacturing companies mainly located in East Asia, Western Europe, and North America. The i...

Law enforcement authorities in France, in collaboration with Spain and Latvia, have disrupted a cybercrime ring that leveraged a hacking tool to steal cars without having to use a physical key fob. "The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away," Europol  said  in a press statement. The coordinated operation, which took place on October 10, 2022, resulted in the arrest of 31 suspects from across 22 locations in the three nations, including software developers, its resellers, and the car thieves who used the tool to break into vehicles. Also confiscated by the officials as part of the arrests were criminal assets worth €1,098,500, not to mention an internet domain that allegedly advertised the service online. Per Europol, the criminals are said to have singled out keyless vehicles from two unnamed French car manufacturers. The perpetrators then used the fraudulent package to replace the ...

HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. Cobalt Strike is a commercial red-team framework that's mainly used for adversary simulation, but cracked versions of the software have been  actively   abused  by ransomware operators and espionage-focused advanced persistent threat (APT) groups alike. The  post-exploitation tool  consists of a team server, which functions as a command-and-control (C2) component, and a beacon, the default malware used to create a connection to the team server and drop next-stage payloads. The issue, tracked as  CVE-2022-42948 , affects Cobalt Strike version 4.7.1, and stems from an incomplete patch released on September 20, 2022, to rectify a cross-site scripting ( XSS ) vulnerability ( CVE-2022-39197 ) that could lead to remote code execution....

The threat actors behind the  Black Basta   ransomware family  have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the  nascent adversary simulation software  is being delivered via a Qakbot infection, cybersecurity firm Trend Micro  said  in a technical analysis released last week. The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement. While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time. This has been compounded by the fact that a  cracked version  of Brute Ratel C4 (BRc4 ...