The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers are warning of "massive phishing campaigns" that distribute five different malware targeting banking users in India. "The bank customers targeted include account subscribers of seven banks, including some of the most well-known banks located in the country and potentially affecting millions of customers," Trend Micro  said  in a report published this week. Some of the targeted banks include Axis Bank, ICICI Bank, and the State Bank of India (SBI), among others. The infection chains all have a common entry point in that they rely on SMS messages containing a phishing link that urge potential victims to enter their personal details and credit card information to supposedly get a tax refund or gain credit card reward points. The smishing attacks, which deliver Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy, are just the latest in a series of similar rewards-themed malware campaigns that have been documented by  Microsoft, Cyble , and  K...

Google has resolved a high-severity security issue affecting all Pixel smartphones that could be trivially exploited to unlock the devices. The vulnerability, tracked as  CVE-2022-20465  and reported by security researcher David Schütz in June 2022, was remediated as part of the search giant's  monthly Android update  for November 2022. "The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user's device," Schütz, who was awarded $70,000 for the lock screen bypass,  said  in a write-up of the flaw. The problem, per the researcher, is rooted in the fact that lock screen protections are completely defeated when following a specific sequence of steps - Supply incorrect fingerprint three times to disable biometric authentication on the locked device Hot swap  the SIM card in the device with an attacker-controlled SIM that has a PIN code set up Enter incorre...

A malicious package discovered on the Python Package Index (PyPI) has been found employing a steganographic trick to conceal malicious code within image files. The package in question, named " apicolor ," was uploaded to the Python third-party repository on October 31, 2022, and described as a "Core lib for REST API," according to Israeli cybersecurity firm  Check Point . It has since been  taken down . Apicolor, like other  rogue packages  detected recently, harbors its malicious behavior in the setup script used to specify metadata associated with the package, such as its dependencies. This takes the form of a second package called "judyb" as well as a seemingly harmless PNG file ("8F4D2uF.png") hosted on Imgur, an image-sharing service. "The judyb code turned out to be a steganography module, responsible [for] hiding and revealing hidden messages inside pictures," Check Point explained. The attack chain entails using the judy...

Cybersecurity Awareness Month has been going on since 2004. This year,  Cybersecurity Awareness Month  urged the public, professionals, and industry partners to "see themselves in cyber" in the following ways:  The public, by taking action to stay safe online. Professionals, by joining the cyber workforce. Cyber industry partners, as part of the cybersecurity solution. CISA outlined four "things you can do" to stay safe online for individuals and families, including updating their software, thinking before they click, using strong passwords, and enabling multifactor authentication on sensitive accounts. The industry has been teaching security tips to employees and the public for a long time. With so much repetitive media and education on cyber awareness in the rearview mirror, the returning October focus weighs on many. Here's a roundup of reactions to cyber month and traction from this year's themes and messaging which should tell us if there's ...

Citrix has released  security updates  to address a critical authentication bypass flaw in the application delivery controller (ADC) and Gateway products that could be exploited to take control of affected systems. Successful exploitation of the issues could enable an adversary to gain authorized access, perform remote desktop takeover, and even circumvent defenses against login brute-force attempts under specific configurations. CVE-2022-27510  - Unauthorized access to Gateway user capabilities CVE-2022-27513  - Remote desktop takeover via phishing CVE-2022-27516  - User login brute-force protection functionality bypass The following supported versions of Citrix ADC and Citrix Gateway are affected by the flaws - Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47  Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12  Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21 Citrix ADC 12.1-FIPS before 12.1-55.289 Citrix ADC 12.1-NDcPP befor...

Cybersecurity researchers have disclosed details of a new vulnerability in a system used across oil and gas organizations that could be exploited by an attacker to inject and execute arbitrary code. The high-severity issue, tracked as  CVE-2022-0902  (CVSS score: 8.1), is a path-traversal vulnerability in ABB Totalflow  flow computers and remote controllers . "Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code," industrial security company Claroty  said  in a report shared with The Hacker News. ABB, a Swedish-Swiss industrial automation firm, has since released  firmware updates  as of July 14, 2022, following responsible disclosure. Flow computers are special-purpose electronic instruments used by petrochemical manufacturers to interpret data from flow meters and calculate and record the volume of substances such as natural gas, crude oils, and other hydrocarbon fluids at ...

The rise in the costs of data breaches, ransomware, and other cyber attacks leads to rising cyber insurance premiums and more limited cyber insurance coverage. This cyber insurance situation increases risks for organizations struggling to find coverage or facing steep increases. Some  Akin Gump Strauss Hauer & Feld LLP's  law firm clients, for example, reported a three-fold increase in insurance rates, and carriers are making "a huge pullback" on coverage limits in the past two years. Their cybersecurity practice co-head, Michelle Reed, adds, "The reduced coverage amount can no longer shield policyholders from cyber losses. A $10 million policy can end up with a $150,000 limit on cyber frauds." The cyber-insurance situation is so concerning that the U.S. Treasury Department recently issued a  request for public input  on a potential federal cyber-insurance response program. This request is in addition to the assessment led conjointly by the Federal Insura...

PC maker Lenovo has addressed yet another set of three shortcomings in the Unified Extensible Firmware Interface (UEFI) firmware affecting several Yoga, IdeaPad, and ThinkBook devices. "The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS," Slovak cybersecurity firm ESET  explained  in a series of tweets. UEFI refers to software that acts as an interface between the operating system and the firmware embedded in the device's hardware. Because UEFI is  responsible  for launching the operating system when a device is powered on, it has made the technology an attractive option for threat actors looking to  drop malware  that's difficult to detect and remove. Viewed in that light, the flaws, tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, could be abused by an adversary to turn off Secure Boot, a security mechanism that's designed to prevent malicious programs ...

The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming following a successful phishing attack against an unnamed European diplomatic entity. "The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere  said  in a technical write-up. APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is  known  for its intrusions aimed at collecting intelligence that align with the country's strategic objectives. It's believed to be sponsored by the Foreign Intelligence Service (SVR). Some of the adversarial collective's cyber activities are tracked publicly under the moniker  Nobelium , a threat cluster responsible for the widespread supply chain compromise through SolarWinds software in December 2020. The Google-owned threat intelligence and inciden...

A number of phishing campaigns are leveraging the decentralized InterPlanetary Filesystem (IPFS) network to host malware, phishing kit infrastructure, and facilitate other attacks. "Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks," Cisco Talos researcher Edmund Brumaghin said in an analysis shared with The Hacker News. The research mirrors similar findings from Trustwave SpiderLabs in July 2022, which  found  more than 3,000 emails containing IPFS phishing URLs as an attack vector, calling IPFS the new "hotbed" for hosting phishing sites. IPFS as a technology is both resilient to censorship and takedowns, making it a double-edged sword. Underlying it is a peer-to-peer (P2P) network which replicates content across all participating nodes so that even if a file is removed from one machine, requests for the resource can still be served via other systems. This also makes it ripe for abuse...

The Keksec threat actor has been linked to a previously undocumented malware strain, which has been observed in the wild masquerading as an extension for Chromium-based web browsers to enslave compromised machines into a botnet. Called  Cloud9  by security firm Zimperium, the malicious browser add-on comes with a wide range of features that enables it to siphon cookies, log keystrokes, inject arbitrary JavaScript code, mine crypto, and even enlist the host to carry out DDoS attacks. The extension "not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control of the entire device," Zimperium researcher Nipun Gupta  said  in a new report. The JavaScript botnet isn't distributed via Chrome Web Store or Microsoft Edge Add-ons, but rather through fake executables and rogue websites disguised as Adobe Flash Player updates. Once installed, the extension is designed to inject a JavaSc...

There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business.  Why so? Because these myths are widening your security gaps. This is making it easier for attackers to abuse APIs. And API attacks are costly. Of course, you will have to bear financial losses. But there are other consequences too:  Reputational damage  Customer attrition  Loss of customer trust  Difficulty in acquiring new customers Legal costs  Massive fines and penalties for non-compliance In this article, we will debunk the top 5 myths about  securing APIs   Secure APIs Better: Top 5 API Security Myths Demystified  Myth 1: API Gateways, Existing IAM Tools, and WAFs are Enough to Secure API Reality:   These aren't enough to secure your APIs. They are layers in API security. They need to be part of a larger security solution.  API gateways monitor endpoints. They provide visibility into API usa...

An updated version of a malware loader codenamed  IceXLoader  is suspected of having compromised thousands of personal and enterprise Windows machines across the world. IceXLoader is a commodity malware that's sold for $118 on underground forums for a lifetime license. It's chiefly employed to download and execute additional malware on breached hosts. This past June, Fortinet FortiGuard Labs said it  uncovered  a version of the trojan written in the Nim programming language with the goal of evading analysis and detection. "While the version discovered in June (v3.0) looked like a work-in-progress, we recently observed a newer v3.3.3 loader which looks to be fully functionable and includes a multi-stage delivery chain," Natalie Zargarov, cybersecurity researcher at Minerva Labs,  said  in a report published Tuesday. IceXLoader is traditionally distributed through phishing campaigns, with emails containing ZIP archives functioning as a trigger to deploy...

VMware has patched five security flaws affecting its  Workspace ONE Assist  solution, some of which could be exploited to bypass authentication and obtain elevated permissions. Topping the list are three critical vulnerabilities tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. All the shortcomings are rated 9.8 on the CVSS vulnerability scoring system. CVE-2022-31685 is an authentication bypass flaw that could be abused by an attacker with network access to VMware Workspace ONE Assist to obtain administrative access without the need to authenticate to the application. CVE-2022-31686 has been described by the virtualization services provider as a "broken authentication method" vulnerability, and CVE-2022-31687 as a "Broken Access Control" flaw. "A malicious actor with network access may be able to obtain administrative access without the need to authenticate to the application," VMware  said  in an advisory for CVE-2022-31686 and CVE-202...

Microsoft's latest round of monthly security updates has been released with fixes for  68 vulnerabilities  spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by  OpenSSL  the previous week. Also separately  addressed  in Microsoft Edge at the start of the month is an actively exploited flaw in Chromium-based browsers ( CVE-2022-3723 ) that was plugged by Google as part of an out-of-band update late last month. "The big news is that  two older zero-day CVEs  affecting Exchange Server, made public at the end of September, have finally been fixed," Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News. "Customers are advised to update their  Exchange Server systems  immediately, regardless of whether any previousl...

The Amadey malware is being used to deploy  LockBit 3.0 ransomware  on compromised systems, researchers have warned. "Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon," AhnLab Security Emergency Response Center (ASEC)  said  in a new report published today. Amadey, first discovered in 2018, is a "criminal-to-criminal (C2C) botnet infostealer project," as  described  by the BlackBerry Research and Intelligence Team, and is offered for purchase on the criminal underground for as much as $600. While its primary function is to harvest sensitive information from the infected hosts, it further doubles up as a channel to deliver next-stage artifacts. Earlier this July, it was  spread using SmokeLoader , a malware with not-so-different features like itself. Just last month, ASEC also...

Cryptocurrency users are being targeted with a new clipper malware strain dubbed  Laplas  by means of another malware known as SmokeLoader. SmokeLoader, which is delivered by means of weaponized documents sent through spear-phishing emails, further acts as a conduit for other  commodity trojans  like  SystemBC  and  Raccoon Stealer 2.0 , according to an  analysis  from Cyble. Observed in the wild since circa 2013,  SmokeLoader  functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called  Amadey . Cyble said it discovered over 180 samples of the Laplas since October 24, 2022, suggesting a wide deployment. Clippers, also called ClipBankers, fall under a category of malware that Microsoft calls  cryware , which are designed to steal crypto by keeping close tabs on a vic...