The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like  IcedID  and  Bumblebee . "Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint  said  last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery network for major malware families." Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil. The Emotet-related activity was last observed in July 2022, although  sporadic   infections  have been  reported  since then. In mid-October, ESET  revealed  that Emotet may be readying for a new wave of attacks, pointing out updates to its "systeminfo" module. The malware, which is attributed to a threat actor known as Mummy Spider (aka Gold Crestwood or TA542), staged a r...

As IT professionals, we all reach a certain point in our IT career where we realize that some of our everyday tasks are done the same way year after year without anyone questioning why it's done that way. Despite the constant change and improvement in technology, some things just get done the same ineffective way without any real thought behind it because "that's the way it's always been done." A typical example: patching Month in, month out, a day comes along that is dedicated to patching.  Patching may be more automated than before because you no longer need to log into each system to patch and reboot tediously. It's a step forward, but the patching process remains the same.  Patching is disruptive, slow, error-prone, and rarely fast enough to keep up with new vulnerabilities. Why disruptive? We all know that every time a maintenance window comes along, Bob from accounting will remind everyone how "the company's IT is going to mess up our week...

Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called Glupteba , the company  said  last week. The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press sanctions against Google was denied. The development comes nearly a year after the tech giant  took down  the malware's command-and-control infrastructure and initiated legal proceedings against Dmitry Starovikov and Alexander Filippov , who are said to have been in charge of running the illegal botnet. The defendants, along with 15 others, have also been accused of using the malware to create a hacked network of devices to mine cryptocurrencies, harvest victims' personal and financial data, and place disruptive ads. Gluteba is distinguished from its botnet counterpart...

Google Cloud last week disclosed that it identified 34 different hacked release versions of the Cobalt Strike tool in the wild, the earliest of which  shipped  in November 2012. The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The  latest version  of Cobalt Strike is version 4.7.2. Cobalt Strike, developed by  Fortra  (née HelpSystems), is a popular adversarial framework used by red teams to simulate attack scenarios and test the resilience of their cyber defenses. It comprises a Team Server that acts as the command-and-control (C2) hub to remotely commandeer infected devices and a stager that's designed to deliver a next-stage payload called the Beacon, a fully-featured implant that reports back to the C2 server. Given its wide-ranging suite of features, unauthorized versions of the software have been  increasingly   weaponized  ...

The Indian government on Friday released a draft version of the much-awaited data protection regulation, making it the fourth such effort since it was first proposed in July 2018. The  Digital Personal Data Protection Bill, 2022 , as it's called,  aims  to secure personal data, while also seeking users' consent in what the draft claims is "clear and plain language" describing the exact kinds of information that will be collected and for what purpose. The draft is open for public consultation until December 17, 2022. India has over 760 million active internet users, necessitating that data generated and used by online platforms are subject to privacy rules to prevent abuse and increase accountability and trust. "The Bill will establish the comprehensive legal framework governing digital personal data protection in India," the government  said . "The Bill provides for the processing of digital personal data in a manner that recognizes the right of in...

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered  Royal ransomware . Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name  DEV-0569 . "Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team  said  in an analysis. The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The malware downloader, a strain referred to as  BATLOADER , is a dropper that functions as a conduit to distribute...

A notorious advanced persistent threat actor known as  Mustang Panda  has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included counties in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro  said  in a Friday report.  Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments. Activities of the group chronicled by  ESET ,  Google, Proofpoint ,  Cisco Talos , and  Secureworks  this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in...

Australian software company Atlassian has rolled out security updates to address  two critical flaws  affecting Bitbucket Server, Data Center, and Crowd products. The issues, tracked as  CVE-2022-43781  and  CVE-2022-43782 , are both rated 9 out of 10 on the CVSS vulnerability scoring system. CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, affects versions 7.0 to 7.21 and 8.0 to 8.4 (only if mesh.enabled is set to false in bitbucket.properties). The weakness has been described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system. As a temporary workaround, the company is recommending users turn off the "Public Signup" option (Administration > Authentication). "Disabling public signup would change the attack vector from an unauthenticated attack to an authe...

Meta Platforms is said to have fired or disciplined over two dozen employees and contractors over the past year for allegedly compromising and taking over user accounts, The Wall Street Journal reported Thursday. Some of these cases involved bribery, the publication said, citing sources and documents. Included among those fired were contractors who worked as security guards at the social media firm's facilities and were given access to an internal tool that allowed employees to help "users they know" gain access to accounts after forgetting their passwords, or had their accounts locked out. The system, called "Oops" and short for Online Operations, is off limits to a vast majority of the platform's users, leading to the rise of a "cottage industry of intermediaries" who charge users thousands of dollars and reach out to insiders who are willing to reset the accounts. "You really have to have someone on the inside who will actually do it...

The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta. "The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal  said  in a write-up published Thursday. Aside from being dropped alongside other malware families, LodaRAT has also been observed being delivered through a previously unknown variant of another commodity trojan called  Venom RAT , which has been codenamed S500. An AutoIT-based malware, LodaRAT (aka  Nymeria ) is attributed to a group called Kasablanca and is capable of harvesting sensitive information from compromised machines. In February 2021, an  Android version  of the malware sprang forth as a way for the threat actors to expand their attack surface. Then in September 2022, Zscaler ThreatLabz uncovered a new delivery mecha...

Threat hunting is the process of looking for malicious activity and its artifacts in a computer system or network. Threat hunting is carried out intermittently in an environment regardless of whether or not threats have been discovered by automated security solutions. Some threat actors may stay dormant in an organization's infrastructure, extending their access while waiting for the right opportunity to exploit discovered weaknesses. Therefore it is important to perform threat hunting to identify malicious actors in an environment and stop them before they achieve their ultimate goal.  To effectively perform threat hunting, the threat hunter must have a systematic approach to emulating possible adversary behavior. This adversarial behavior determines what artifacts can be searched for that indicate ongoing or past malicious activity. MITRE ATT&CK Over the years, the security community has observed that threat actors have commonly used many tactics, techniques, and procedu...

The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022. "Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," U.S. cybersecurity and intelligence authorities  said  in an alert. Active since June 2021, Hive's RaaS operation involves a mix of developers, who create and manage the malware, and affiliates, who are responsible for conducting the attacks on target networks by often purchasing initial access from initial access brokers (IABs). In most cases, gaining a foothold involves the exploitation of  ProxyShell flaws  in Microsoft Exchange Server, followed by taking steps to terminate processes associated with antivirus...

An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with over hundreds of victims ensnared to date. "The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush  said  in a technical write-up, calling the adversary  WASP . "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales." The findings from Checkmarx build on recent reports from  Phylum  and  Check Point , which flagged 30 different modules published on the Python Package Index (PyPI) that were designed to propagate malicious code under the guise of benign-looking packages. The attack is just the latest threat to target the software supply chain. What makes it notable is the use of steganography to extract a  polymorphic malware  payload hidden within an image file hosted on Imgur. The installation of the pac...

A China-based financially motivated group is leveraging the trust associated with popular international brands to orchestrate a large-scale phishing campaign dating back as far as 2019. The threat actor, dubbed Fangxiao by Cyjax, is said to have registered over  42,000 imposter domains , with initial activity observed in 2017. "It targets businesses in multiple verticals including retail, banking, travel, and energy," researchers Emily Dennison and Alana Witten  said . "Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp." Users clicking on a link sent through the messaging app are directed to an actor-controlled site, which, in turn, sends them to a landing domain impersonating a well-known brand, from where the victims are once again taken to sites distributing fraudulent apps and bogus rewards. These sites prompt the visitors to complete a survey to claim cash prizes, in exchange for which the...

A Ukrainian national who has been wanted by the U.S for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus . Vyacheslav Igorevich Penchukov, who went by online pseu­do­nyms "tank" and "father," is alleged to have been involved in the day-to-day operations of the group. He was apprehended in Geneva on October 23, 2022, and is pending extradition to the U.S. Details of the arrest were  first reported  by independent security journalist Brian Krebs. Penchukov, along with Ivan Viktorovich Klepikov (aka "petrovich" and "nowhere") and Alexey Dmitrievich Bron (aka "thehead"), was originally charged in the District of Nebraska in August 2012. According to court documents released by the U.S. Department of Justice (DoJ) in 2014, Penchukov and eight other members of the cybercriminal group  infected  ...

On average, organizations  report  using 102 business-critical SaaS applications, enabling operations of most departments across an organization, such as IT and Security, Sales, Marketing, R&D, Product Management, HR, Legal, Finance, and Enablement. An attack can come from any app, no matter how robust the app is. Without visibility and control over a critical mass of an organization's entire SaaS app stack, security teams are flying blind. This is why it's important that all SaaS apps across the organization be managed at scale.  While this breadth of coverage is critical, each app has its own characteristics, UI, and terminology. Mitigating these threats requires a deep understanding of all security controls its configurations.  Learn how to automate SaaS security management . Security teams need to map out the entire SaaS ecosystem within the organization, including the core SaaS apps and the numerous additional apps that employees connect to without check...

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the  flaws  could be abused to remote access to the devices and defeat security constraints. The issues impact BIG-IP versions 13.x, 14.x, 15.x, 16.x, and 17.x, and BIG-IQ Centralized Management versions 7.x and 8.x. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows - CVE-2022-41622  (CVSS score: 8.8) - A cross-site request forgery ( CSRF ) vulnerability through iControl SOAP, leading to unauthenticated remote code execution. CVE-2022-41800  (CVSS score: 8.7) - An iControl REST vulnerability that could allow an authenticated user with an Administrator role to bypass  Appliance mode  restrictions. "By successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access...

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server. The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022. "Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," CISA  noted . LogShell, aka  CVE-2021-44228 , is a critical remote code execution flaw in the widely-used Apache Log4j Java-based logging library. It was addressed by the open source project maintainers in December 2021. The latest development  marks  the  continued   ab...