The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called  GuLoader  to evade security software. "New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri  said  in a technical write-up published last week. GuLoader, also called  CloudEyE , is a Visual Basic Script (VBS) downloader that's used to distribute remote access trojans such as Remcos on infected machines. It was first detected in the wild in 2019. In November 2021, a JavaScript malware strain dubbed RATDispenser  emerged  as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper. Recent GuLoader samples unearthed by CrowdStrike have been found to exhibit a three-stage process wherein the VBScript is designed to deliver a next-stage ...

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the  Cymulate security posture management platform  between January 1st and December 1st, 2022. Manjusaka Date published: August 2022 Reminiscent of Cobalt Strike and Sliver framework (both commercially produced and designed for red teams but misappropriated and misused by threat actors), this emerging attack framework holds the potential to be widely used by malicious actors. Written in Rust and Golang with a User Interface in Simple Chinese (see the workflow diagram below), this software is of Chinese origin. Manjusaka carries Windows and Linux implants in Rust and makes a ready-made C2 server freely available, with the possibility of creating custom im...

The pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a previously documented information-stealing malware dubbed  RisePro . Flashpoint spotted the newly identified stealer on December 13, 2022, after it discovered "several sets of logs" exfiltrated using the malware on an illicit cybercrime marketplace called Russian Market. A C++-based malware, RisePro is said to share similarities with another info-stealing malware referred to as Vidar stealer, itself a fork of a stealer codenamed  Arkei  that emerged in 2018. "The appearance of the stealer as a payload for a pay-per-install service may indicate a threat actor's confidence in the stealer's abilities," the threat intelligence company  noted  in a write-up last week. Cybersecurity firm SEKOIA, which  released  its own analysis of RisePro , further identified partial source code overlaps with PrivateLoader. This encompasses the string scrambling...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of  W4SP Stealer . W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It's created and published by an actor who goes by the aliases BillyV3, BillyTheGoat, and billythegoat356. "For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name," the researchers  said  in a report published earlier this week. The 16 rogue modules are as follows: modulesecurity, inform...

The developers behind the Brave open-source web browser have revealed a new privacy-preserving data querying and retrieval system called  FrodoPIR . The idea, the company  said , is to use the technology to build out a wide range of use cases such as safe browsing, scanning passwords against breached databases, certificate revocation checks, and streaming, among others. The scheme is called  FrodoPIR  because "the client can perform hidden queries to the server, just as Frodo remained hidden from Sauron," a reference to the characters from J. R. R. Tolkien's  The Lord of the Rings . PIR, short for  private information retrieval , is a cryptographic protocol that enables users (aka clients) to retrieve a piece of information from a database server without revealing to its owner which element was selected. In other words, the goal is to be able to query a platform for information (say, cooking videos) without letting the service provider infer from...

A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that's used by Indian government officials. Cybersecurity firm Securonix dubbed the activity  STEPPY#KAVACH , attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks. ".LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan (RAT)," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a new report. SideCopy, a  hacking crew  believed to be of Pakistani origin and active since at least 2019, is said to share ties with another actor called  Transparent Tribe  (aka APT36 or Mythic Leopard). It's also known to impersonate attack chains leveraged by  SideWinder , a prolific nation-state group that disproportionately singles out Pakistan-based military entities, to deploy its own toolset. That s...

Tis the season for security and IT teams to send out that company-wide email: "No, our CEO does NOT want you to buy gift cards."  As much of the workforce signs off for the holidays, hackers are stepping up their game. We'll no doubt see an increase in activity as hackers continue to unleash e-commerce scams and holiday-themed phishing attacks. Hackers love to use these tactics to trick end users into compromising not only their personal data but also their organization's data.  But that doesn't mean you should spend the next couple of weeks in a constant state of anxiety.  Instead, use this moment as an opportunity to ensure that your incident response (IR) plan is rock solid.  Where to start?  First, make sure that your strategy follows the six steps to complete incident response.  Here's a refresher: The 6 steps of a complete IR Preparation:  This is the first phase and involves reviewing existing security measures and policies; performing...

The Vice Society ransomware actors have switched to yet another custom ransomware payload in their recent attacks aimed at a variety of sectors. "This ransomware variant, dubbed ' PolyVice ,' implements a robust encryption scheme, using  NTRUEncrypt  and  ChaCha20-Poly1305  algorithms," SentinelOne researcher Antonio Cocomazzi  said  in an analysis. Vice Society , which is tracked by Microsoft under the moniker DEV-0832, is an intrusion, exfiltration, and extortion hacking group that first appeared on the threat landscape in May 2021. Unlike other ransomware gangs, the cybercrime actor does not use file-encrypting malware developed in-house. Instead, it's known to deploy third-party lockers such as Hello Kitty, Zeppelin, and RedAlert ransomware in their attacks. Per SentinelOne, indications are that the threat actor behind the custom-branded ransomware is also selling similar payloads to other hacking crews based on PolyVice's extensive similarities to...

France's privacy watchdog has imposed a €60 million ($63.88 million) fine against Microsoft's Ireland subsidiary for dropping advertising cookies in users' computers without their explicit consent in violation of data protection laws in the European Union. The Commission nationale de l'informatique et des libertés (CNIL)  noted  that users visiting the home page of its Bing search engine did not have a "mechanism to refuse cookies as easily as accepting them." The authority, which carried out an online audit between September 2020 and May 2021 following a complaint it received in February 2020,  stated  the tech giant deposited cookies with an aim to serve ads and fight advertising fraud without getting a user's permission beforehand, as is required by law. Along with the fines, Microsoft has also been ordered to alter its cookie practices within three months, or risk facing an additional penalty of €60,000 per day of non-compliance following the end ...

The  August 2022 security breach  of LastPass may have been more severe than previously disclosed by the company. The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults by using data siphoned from the earlier break-in. Among the data stolen are "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the company  said . The August 2022 incident, which  remains  a subject of an ongoing investigation, involved the miscreants accessing source code and proprietary technical information from its development environment via a single compromised employee account. LastPass said this permitted the unidentified attacker to obtain credentials and keys that...

An exhaustive analysis of  FIN7  has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks. It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware  DarkSide ,  REvil , and  LockBit  families. The highly active threat group, also known as Carbanak, is  known  for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons," including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing. More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K. FIN7's intrusion techniques, over ...

We spent forty years defending ourselves as individuals. Trying to outsmart cybercriminals, outpower them, and when all our efforts failed, only then we considered banding together with our peers to outnumber them. Cybercriminals don't reinvent themselves each time. Their resources are limited, and they have a limited budget. Therefore they use playbooks to attack many people. Meaning most of the attacks are known to people and not innovative. Yet, all we hear about is one breach after another despite hundreds of millions of dollars being thrown into the industry. So if we know that teaming up and sharing information is the key, why aren't security vendors doing it? It's simple. Vendors don't want to give it to you; they want to sell it to you. Cyber Threat Intelligence: A better way to fight cybercrime  As the internet continues to expand and connect more people and devices than ever before, the need for effective cyber threat intelligence sharing has never been g...

Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords. "Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG  said  in a report published this week. "Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username." Passwordstate, developed by an Australian company named Click Studios, has over  29,000 customers  and is used by more than 370,000 IT professionals. One of the flaws also impacts  Passwordstate version 9.5.8.4  for the Chrome web browser. The latest version of the browser a...

Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform known as  Ghost , one of which could be abused to elevate privileges via specially crafted HTTP requests. Ghost is an open source blogging platform that's used in more than 52,600 live websites, most of them located in the U.S., the U.K., German, China, France, Canada, and India. Tracked as CVE-2022-41654 (CVSS score: 9.6), the authentication bypass vulnerability allows unprivileged users (i.e., members) to make unauthorized modifications to newsletter settings. Cisco Talos, which  discovered  the shortcoming, said it could enable a member to change the system-wide default newsletter that all users are subscribed to by default. Even worse, the ability of a site administrator to inject JavaScript into the newsletter by default could be exploited to trigger the creation of arbitrary administrator accounts when attempting to edit the newsletter. "This gives unprivileg...

The  Zerobot  DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot,  first documented  by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras. "The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark ( CVE-2021-42013  and  CVE-2022-33891  respectively), and new DDoS attack capabilities," Microsoft researchers  said . Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised for sale on va...

Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month. "There is no impact to any customers, including any HIPAA, FedRAMP, or DoD customers," the company  said  in a public statement. "No action is required by customers." The security event, which was  first reported  by Bleeping Computer, involved unidentified threat actors gaining access to the Okta Workforce Identity Cloud ( WIC ) code repositories hosted on GitHub. The access was subsequently abused to copy the source code. The cloud-based identity management platform noted that it was alerted to the incident by Microsoft-owned GitHub in early December 2022. It also emphasized that the breach did not result in unauthorized access to customer data or the Okta service. Upon discovering the lapse, Okta said it placed temporary restrictions on repository access and that i...

The  Raspberry Robin  worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since at least September 2022. "The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools," Trend Micro researcher Christopher So  said  in a technical analysis published Tuesday. A majority of the infections have been detected in Argentina, followed by Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia. Raspberry Robin, attributed to an activity cluster tracked by Microsoft as  DEV-0856 , is being increasingly  leveraged by multiple threat actors  as an initial access mechanism to deliver payloads such as  LockBit  and  Clop  ransomware. The malware is known for relying on infected USB drives as a distribution vector to download a rogue MSI ...