The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Apple has announced plans to require developers to submit reasons to use certain APIs in their apps starting later this year with the release of iOS 17, iPadOS 17, macOS Sonoma, tvOS 17, and watchOS 10 to prevent their abuse for data collection. "This will help ensure that apps only use these APIs for their intended purpose," the company  said  in a statement. "As part of this process, you'll need to select one or more approved reasons that accurately reflect how your app uses the API, and your app can only use the API for the reasons you've selected." The APIs that  require  reasons for use relate to the following - File timestamp APIs System boot time APIs Disk space APIs Active keyboard APIs, and User defaults APIs The iPhone maker said it's making the move to ensure that such APIs are not abused by app developers to collect device signals to carry out  fingerprinting , which could be employed to  uniquely identify users  across different...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called  SUBMARINE  deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances. "SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," the agency  said . The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices,  CVE-2023-2868  (CVSS score: 9.8), which allows for remote command injection. Evidence gathered so far shows that the attackers behind the activity, a suspected China nexus-actor tracked by Mandiant as  UNC4841 , leveraged the flaw as a zero-day in October 2022 to gain initial access to vic...

Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild. The new vulnerability, tracked as  CVE-2023-35081  (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL). "CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company  said  in an advisory. "This vulnerability can be used in conjunction with  CVE-2023-35078 , bypassing administrator authentication and ACLs restrictions (if applicable)." A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user. "As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078...

The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. IcedID, also called BokBot , is a strain of malware similar to  Emotet  and  QakBot  that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator for other payloads. Recent versions of the malware have been  observed  removing functionality related to online banking fraud to prioritize ransomware delivery. The BackConnect (BC) module,  first documented  by Netresec in October 2022, relies on a proprietary command-and-control (C2) protocol to exchange commands between a server and the infected host. The protocol, which comes with a VNC component for remote access, has also been identified in other malware such as the now-discontinued  BazarLoader  and QakBot. In December 2022, Team ...

An ongoing cyber attack campaign has set its sights on Korean-speaking individuals by employing U.S. Military-themed document lures to trick them into running malware on compromised systems. Cybersecurity firm Securonix is tracking the activity under the name STARK#MULE . The scale of the attacks is currently not known, and it's not clear if any of these attack attempts turned out to be successful. "Based on the source and likely targets, these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. APT37, also known by the names Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a  North Korean nation-state actor  that's known to exclusively focus on targets in its southern counterpart, specific...

As part of  Checkmarx's mission  to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy) [1] , it was considered in scope for our research, so we decided to start there, and see what we could find. What we found is an attack scenario that results from chaining security issues found on different Porsche's assets, a website and a GraphQL API, that could lead to data exfiltration. Data exfiltration is an attack technique that can impact businesses and organizations, regardless of size. When malicious users breach a company's or organization's systems and exfiltrate data, it can be a jarring and business-critical moment. Porsche has a diverse online presence - deploying several microsites, websites, and web applications. The Porsche Experience [2] is one website that allows registered users to ...

A legitimate Windows search feature is being exploited by unknown malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the " search-ms: " URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the " search: " application protocol, a mechanism for calling the desktop search application on Windows. "Attackers are directing users to websites that exploit the 'search-ms' functionality using JavaScript hosted on the page," security researchers Mathanraj Thangaraju and Sijo Jacob  said  in a Thursday write-up. "This technique has even been extended to HTML attachments, expanding the attack surface." In such attacks, threat actors have been observed creating deceptive emails that embed hyperlinks or  HTML ...

The Russian nation-state actor known as  BlueBravo  has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday. The activity was observed between March and May 2023. BlueBravo , also known by the names APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia's Foreign Intelligence Service (SVR), and has in the past  used  Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts. To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations after  GraphicalNeutrino  (aka SNOWYAMBER),...

Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. Tracked as CVE-2023-38646 , the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. "An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on," Metabase said in an advisory released last week. The issue has also been addressed in the following older versions - 0.45.4.1 and 1.45.4.1 0.44.7.1 and 1.44.7.1, and 0.43.7.2 and 1.43.7.2 While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 202...

Cybersecurity agencies in Australia and the U.S. have  published  a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data. This includes a specific class of bugs called Insecure Direct Object Reference ( IDOR ), a type of access control flaw that occurs when an application utilizes user-supplied input or an identifier for direct access to an internal resource, such as a database record, without any additional validations. A  typical example  of an IDOR flaw is the ability of a user to trivially change the URL (e.g., https://example[.]site/details.php?id= 12345 ) to obtain unauthorized data of another transaction (i.e., https://example[.]site/details.php?id= 67890 ). "IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website ...

Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks. Cloud security firm Wiz, in a  report  shared with The Hacker News, said the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users. "The impacted Ubuntu versions are prevalent in the cloud as they serve as the default operating systems for multiple [cloud service providers]," security researchers Sagi Tzadik and Shir Tamari said. The  vulnerabilities  – tracked as CVE-2023-2640 and CVE-2023-32629 (CVSS scores: 7.8) and dubbed  GameOver(lay)  – are present in a module called  OverlayFS  and arise as a result of inadequate permissions checks in certain scenarios, enabling a local attacker to gain elevated privileges. Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unif...

A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks. Dubbed  Nitrogen , the "opportunistic" activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos  said  in a Wednesday analysis. Nitrogen was  first documented  by eSentire in June 2023, detailing an infection chain that redirects users to compromised WordPress sites hosting malicious ISO image files that ultimately culminate in the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system. Then earlier this month, Trend Micro  uncovered  a similar attack sequence in which a fraudulent WinSCP application functioned as a stepping stone for a BlackCat ransomware attack. "Throughout the infection...

As cloud applications are built, tested and updated, they wind their way through an ever-complex series of different tools and teams. Across hundreds or even thousands of technologies that make up the patchwork quilt of development and cloud environments, security processes are all too often applied in only the final phases of software development.  Placing security at the very end of the production pipeline puts both devs and security on the back foot. Developers want to build and ship secure apps; security teams want to support this process by strengthening application security. However, today's security processes are legacy approaches that once worked brilliantly for the tight constraints of on-prem production, but struggle in ever-shifting cloud environments. As a result, security is an afterthought, and any attempt to squeeze siloed security into agile SDLC can  swell the cost of patching by 600% . A new cloud security operating model is long overdue. Shift-left is an ...

Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the  Mirai botnet malware  and cryptocurrency miners. The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. Of these attack attempts, 20% (or 152) entailed the use of a web shell script dubbed "neww" that originated from 24 unique IP addresses, with 68% of them originating from a single IP address (104.248.157[.]218). "The threat actor scanned for Tomcat servers and launched a brute force attack against it, attempting to gain access to the Tomcat web application manager by trying different combinations of credentials associated with it," Aqua security researcher Nitzan Yaakov  said . Upon gaining a successful foothold, the threat actors have been observed deploying a  WAR file  that contains a malicious w...

A city court in Moscow on Wednesday convicted Group-IB co-founder and CEO Ilya Sachkov of "high treason" and jailed him for 14 years in a "strict regime colony" over accusations of passing information to foreign spies. "The court found Sachkov guilty under Article 275 of the Russian Criminal Code (high treason) sentencing him to 14 years of incarceration in a maximum-security jail, restriction of freedom for one year and a fine of 500,000 rubles (about $5,550)," state news agency TASS  reported . Sachkov, who has been in custody  since September 2021  and denied wrongdoing, had been accused of handing over classified information to foreign intelligence in 2011, which the prosecutors said caused reputational damage to Russia's national interests. The exact nature of the charges is unclear. The 37-year-old is expected to appeal the decision, Bloomberg  said , adding, "Sachkov was alleged to have  given the U.S. government  information regardin...

The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed. "Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC chair Gary Gensler  said . "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way." To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specific...