The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  published  four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw ( CVE-2022-45092 , CVSS score: 9.9) and command injection ( CVE-2022-2068 , CVSS score: 9.8). Also patched by Siemens is an authentication bypass vulnerability in llhttp parser ( CVE-2022-35256 , CVSS score: 9.8) as well as an out-of-bounds write bug in the OpenSSL library ( CVE-2022-2274 , CVSS score: 9.8) that could be exploited to trigger remote code execution. The German automation company, in December 2022,  released  Service Pack 2 Update 1 software to mitigate the flaws. Separately, a critical flaw has also been revealed in GE Digital's Proficy Historian solution that could result in code executio...

Four different Microsoft Azure services have been found vulnerable to server-side request forgery ( SSRF ) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues, which were discovered by Orca between October 8, 2022 and December 2, 2022 in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins, have since been addressed by Microsoft. "The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports, find new services, endpoints, and sensitive files - providing valuable information on possibly vulnerable servers and services to exploit for initial entry and the location of sensitive information to target," Orca researcher Lidor Ben Shitrit  said  in a report shared with The Hacker News. Two of the vulnerabilities affecting Azure Functions and Azure Digital Twins could be abused without requiring any authentication, enabling a threat actor to seize control of a server without eve...

New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces  is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port forwarding feature that makes it possible to access a web application that's running on a particular port within the codespace directly from the browser on a local machine for testing and debugging purposes. "You can also forward a port manually, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to the codespace configuration," GitHub  explains  in its documentation. It's  important  to note here that any forwarded port that's made public will also permit any party with knowledge of the UR...

It's no secret that the job of SOC teams continues to become increasingly difficult. Increased volume and sophistication of attacks are plaguing under-resourced teams with false positives and analyst burnout. However, like many other industries, cybersecurity is now beginning to lean on and benefit from advancements in automation to not only maintain the status quo, but to attain better security outcomes. Automation across multiple phases of the SOC workflow The need for automation is clear, and it is apparent that it is becoming table stakes for the industry. Of all cyber resilient organizations, IBM estimates that  62%  have deployed automation, AI and machine learning tools and processes.  Up until now, much of these advancements in automation have been focused on response, with SOAR and incident response tools playing an instrumental role in tackling the most urgent phase of the SOC workflow.  Centering the focus only on response, however, means we're treat...

Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept ( PoC ) exploit code. The issue in question is  CVE-2022-47966 , an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. "This vulnerability allows an unauthenticated adversary to execute arbitrary code," Zoho  warned  in an advisory issued late last year, noting that it affects all ManageEngine setups that have the SAML single sign-on (SSO) feature enabled, or had it enabled in the past. Horizon3.ai has now released Indicators of Compromise (IOCs) associated with the flaw, stating that it was able to successfully reproduce the exploit against ManageEngine ServiceDesk Plus and ManageEngine Endpoint Central products. "The vulnerability is easy to exploit and a good candidate for attackers to 'spray and pray' acr...

A threat actor by the name  Lolip0p  has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named  colorslib  (versions 4.6.11 and 4.6.12),  httpslib  (versions 4.6.9 and 4.6.11), and  libhttps  (version 4.6.12) – by the author between January 7, 2023, and January 12, 2023. They have since been yanked from PyPI but not before they were cumulatively downloaded over 550 times. The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary (" Oxzy.exe ") hosted on Dropbox, Fortinet  disclosed  in a report published last week. The executable, once launched, triggers the retrieval of a next-stage, also a binary named  update.exe , that runs in the Windows temporary folder ("%USER%\AppData\Local\Temp\"). update.exe is flagged by antivirus vendors on VirusTotal as an information ...

A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as  Raccoon  and  Vidar  since early 2020. The infection chain "uses about a hundred of fake cracked software catalogue websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub," cybersecurity firm SEKOIA  said  in an analysis published earlier this month. The French cybersecurity company assessed the domains to be operated by a threat actor running a traffic direction system ( TDS ), which allows other cybercriminals to rent the service to distribute their malware. The attacks target users searching for cracked versions of software and games on search engines like Google, surfacing fraudulent websites on top by leveraging a technique called search engine optimization (SEO) poisoning to lure victims into downloading and executing the malicious payloads. The poisone...

When considering authentication providers, many organizations consider the ease of configuration, ubiquity of usage, and technical stability. Organizations cannot always be judged on those metrics alone. There is an increasing need to evaluate company ownership, policies and the stability, or instability, that it brings. How Leadership Change Affects Stability In recent months, a salient example is that of Twitter. The Twitter platform has been around since 2006 and is used by millions worldwide. With many users and a seemingly robust authentication system, organizations used Twitter as a primary or secondary authentication service. Inconsistent leadership and policies mean the stability of a platform is subject to change, which is especially true with Twitter as of late. The ownership change to Elon Musk precipitated widespread changes to staffing and policies. Due to those changes,  a large portion of staff was let go , but this included many individuals responsible for the t...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released several Industrial Control Systems (ICS)  advisories  warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens. The most severe of the flaws relate to Sewio's RTLS Studio, which could be exploited by an attacker to "obtain unauthorized access to the server, alter information, create a denial-of-service condition, gain escalated privileges, and execute arbitrary code,"  according to CISA . This includes CVE-2022-45444 (CVSS score: 10.0), a case of hard-coded passwords for select users in the application's database that potentially grant remote adversaries unrestricted access. Also notable are two command injection flaws (CVE-2022-47911 and CVE-2022-43483, CVSS scores: 9.1) and an out-of-bounds write vulnerability (CVE-2022-41989, CVSS score: 9.1) that could result in denial-of-service condition or code execution. The vulnerabilities...

Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s  Hive  multi-platform  malware suite , the source code of which was  released  by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it  xdr33  based on its embedded Bot-side certificate CN=xdr33," Qihoo Netlab 360's Alex Turing and Hui Wang  said  in a technical write-up published last week. xdr33 is said to be propagated by exploiting an unspecified N-day security vulnerability in F5 appliances. It communicates with a command-and-control (C2) server using SSL with forged Kaspersky certificates. The intent of the backdoor, per the Chinese cybersecurity firm, is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implemen...

DevOps platform CircleCI on Friday disclosed that unidentified threat actors compromised an employee's laptop and leveraged malware to steal their two-factor authentication-backed credentials to breach the company's systems and data last month. The CI/CD service CircleCI said the "sophisticated attack" took place on December 16, 2022, and that the malware went undetected by its antivirus software. "The malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems," Rob Zuber, CircleCI's chief technology officer,  said  in an incident report. Further analysis of the security lapse revealed that the unauthorized third-party pilfered data from a subset of its databases by abusing the elevated permissions granted to the targeted employee. This included customer environment variables, tokens, and keys. The threat actor is believed t...

A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild. That's according to attack surface management platform Censys, which  found  only 26 out of a total of 6,427 servers to be running a  patched version  of Cacti (1.2.23 and 1.3.0). The  issue  in question relates to  CVE-2022-46169  (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution. Details about the flaw, which impacts versions 1.2.22 and below, were first revealed by SonarSource. The flaw was reported to the project maintainers on December 2, 2022. "A hostname-based authorization check is not implemented safely for most installations of Cacti," SonarSource researcher Stefan Schiller  noted  e...

Popular short-form video hosting service TikTok has been fined €5 million (about $5.4 million) by the French data protection watchdog for breaking cookie consent rules, making it the latest platform to face similar penalties after  Amazon, Google, Meta , and  Microsoft  since 2020. "Users of 'tiktok[.]com' could not refuse cookies as easily as accepting them and they were not informed in a sufficiently precise way of the objectives of the different cookies," the Commission nationale de l'informatique et des libertés (CNIL)  said  in a statement. The regulator said it conducted several audits between May 2020 and June 2022, finding that the ByteDance-owned company did not offer a straightforward option to refuse all cookies as opposed to just one click for accepting them. The option to "refuse all" cookies was introduced by TikTok in February 2022. "Making the opt-out mechanism more complex is in fact discouraging users from refusing cookies and...

Cisco has warned of two security vulnerabilities affecting end-of-life (EoL) Small Business RV016, RV042, RV042G, and RV082 routers that it said will not be fixed, even as it acknowledged the public availability of proof-of-concept (PoC) exploit. The  issues  are rooted in the router's web-based management interface, enabling a remote adversary to sidestep authentication or execute malicious commands on the underlying operating system. The most severe of the two is CVE-2023-20025 (CVSS score: 9.0), which is the result of improper validation of user input within incoming HTTP packets. A threat actor could exploit it remotely by sending a specially crafted HTTP request to vulnerable routers' web-based management interface to bypass authentication and obtain elevated permissions. The lack of adequate validation is also the reason behind the second flaw tracked as CVE-2023-20026 (CVSS score: 6.5), permitting an attacker with valid admin credentials to achieve root-level priv...

Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed  EyeSpy  as part of a malware campaign that started in May 2022. It uses "components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers," Bitdefender  said  in an analysis. A majority of the infections are said to originate in Iran, with smaller detections in Germany and the U.S., the Romanian cybersecurity firm added. SecondEye, according to  snapshots  captured via the Internet Archive, claims to be a commercial monitoring software that can work as a "parental control system or as an online watchdog." As of November 2021, it's offered for sale anywhere between $99 to $200. It comes with a wide range of features that allows it to take screenshots, record microphone, log keystrokes, gather files and saved passwords from web browsers, and remotely control the machines to run arbitr...

Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive ( JAR ) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. "Attackers now use the polyglot technique to confuse security solutions that don't properly validate the JAR file format," Deep Instinct security researcher Simon Kenin  said  in a report. Polyglot files  are files that combine syntax from two or more different formats in a manner such that each format can be parsed without raising any error. One such 2022 campaign spotted by the cybersecurity firm involves the use of JAR and MSI formats – i.e., a file that's valid both as a JAR and an MSI installer – to deploy the StrRAT payload. This also means that the file can be executed by both Windows and Java Runtime Environment (JRE) based on how it's interpreted. Another instance involves the use of CAB and JAR polyglots to deli...

As the new year begins, it's more important than ever to protect your business from the constantly evolving cyber threats that could compromise your valuable assets.  But who wants to pay an arm and a leg for top-tier security? With this Uptycs introductory offer, you do not have to. Kickstart the new year by securing your business with Uptycs. Starting now, for just $1, you can get comprehensive agentless and runtime cloud security coverage for all of 2023, covering up to 1,000 eligible assets. That's right, for just $1 —  Learn more about the 'Uptycs Secret Dollar Menu.' But that's not all. This offer also includes: Professionally managed onboarding and unlimited customer support to ensure seamless setup and ongoing assistance Advanced security features such as Unified CNAPP (Cloud-Native Application Protection Platform) and XDR (eXtended Detection and Response) that provide state-of-the-art threat protection Automated CI/CD image and registry scans to e...

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting governments and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers  said  in a post-mortem analysis published this week. The attacks entailed the exploitation of  CVE-2022-42475 , a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests. The infection chain analyzed by the company shows that the end goal was to deploy a generic Linux implant modified for FortiOS that's equipped to compromise Fortinet's intrusion prevention system ( IPS ) software and establish connections with a remote server to download additional malware and execute commands. Fortinet said it was unable to recover the payloads used in the subs...

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. "Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers  said  in a report published this week. IcedID , also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a  dropper for other malware , joining the likes of  Emotet ,  TrickBot ,  Qakbot ,  Bumblebee , and  Raspberry Robin . Attacks involving the delivery of IcedID have  leveraged a variety of methods , especially in the wake of  Microsoft's decision to block macros  from Office files downloaded from the web. The intrusion d...