The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed  Deadglyph  employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign. "Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET  said  in a  new report  shared with The Hacker News. "This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize." It's also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making it a lot more challenging to navigate and debug. Unlike other traditional backdoors of its kind, the commands are received from an actor-controlled server in the form of...

The  three zero-day flaws  addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called  Predator  targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023. "The targeting took place after Eltantawy publicly  stated his plans  to run for President in the 2024 Egyptian elections," the Citizen Lab  said , attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool. According to a joint investigation conducted by the Canadian interdisciplinary laboratory and Google's Threat Analysis Group (TAG), the mercenary surveillance tool is said to have been delivered via links sent on SMS and WhatsApp. "In August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain we...

An active malware campaign targeting Latin America is dispensing a new variant of a banking trojan called  BBTok , particularly users in Brazil and Mexico. "The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number," Check Point  said  in research published this week. The payloads are generated by a custom server-side PowerShell script and are unique for each victim based on the operating system and country, while being delivered via phishing emails that leverage a variety of file types. BBTok is a Windows-based banking malware that  first surfaced  in 2020. It's equipped with features that run the typical trojan gamut, allowing it to enumerate and kill processes, issue remote commands, manipulate keyboard, and serve fake login pages for banks operating in the two countries. The ...

Thorough, independent tests are a vital resource as cybersecurity leaders and their teams evaluate vendors' abilities to guard against increasingly sophisticated threats to their organization. And perhaps no assessment is more widely trusted than the annual  MITRE Engenuity ATT&CK Evaluations: Enterprise .  This testing is critical for evaluating vendors because it's virtually impossible to evaluate cybersecurity vendors based on their own performance claims. Along with vendor reference checks and proof of value evaluations (POV) — a live trial — in their environment, the MITRE results add additional objective input to holistically assess cybersecurity vendors. Let's dive into the 2023 results. In this blog, we'll unpack MITRE's methodology to test security vendors against real-world threats, offer our interpretation of the results and identify top takeaways emerging from Cynet's evaluation. How does MITRE Engenuity test vendors during the evaluation? The MITRE ATT...

Israeli organizations were targeted as part of two different campaigns orchestrated by the Iranian nation-state actor known as  OilRig  in 2021 and 2022. The campaigns, dubbed Outer Space and Juicy Mix, entailed the use of two previously undocumented first-stage backdoors called Solar and Mango, which were deployed to collect sensitive information from major browsers and the Windows Credential Manager. "Both backdoors were deployed by VBS droppers, presumably spread via spear-phishing emails," ESET security researcher Zuzana Hromcová  said  in a Thursday analysis. OilRig (aka APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten) is the name assigned to an  intrusion set  affiliated with Iran's Ministry of Intelligence and Security (MOIS). Active since 2014, the threat actor has used a wide range of tools at its disposal to carry out information theft. Earlier this February, Trend Micro  discovered  OilRig's use of a simple backdoor to stea...

Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution. The Australian software services provider  said  that the four high-severity flaws were fixed in new versions shipped last month. This includes - CVE-2022-25647  (CVSS score: 7.5) - A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server CVE-2023-22512  (CVSS score: 7.5) - A DoS flaw in Confluence Data Center and Server CVE-2023-22513  (CVSS score: 8.5) - A RCE flaw in Bitbucket Data Center and Server CVE-2023-28709  (CVSS score: 7.5) - A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server The flaws have been addressed in the following versions - Jira Service Management Server and Data Center (versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0, or later) Conflue...

Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows - CVE-2023-41991  - A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation. CVE-2023-41992  - A security flaw in Kernel that could allow a local attacker to elevate their privileges. CVE-2023-41993  - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content. Apple did not provide additional specifics barring an acknowledgement that the "issue may have been actively exploited against versions of iOS before iOS 16.7." The updates are available for the following devices and operating systems - iOS 16.7 and iPadOS 16.7  - iPhone 8 and later, iPad Pro (all mo...

A previously undocumented threat actor dubbed  Sandman  has been attributed to a set of cyber attacks targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. Notably, the intrusions leverage a just-in-time (JIT) compiler for the Lua programming language known as LuaJIT as a vehicle to deploy a novel implant called LuaDream . "The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection," SentinelOne security researcher Aleksandar Milenkoski  said  in an analysis published in collaboration with QGroup. "The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale." Neither the campaign nor its tactics have been correlated with any known threat actor or group, although a...

The peer-to-peer (P2) worm known as  P2PInfect  has witnessed a surge in activity since late August 2023, witnessing a 600x jump between September 12 and 19, 2023. "This increase in P2PInfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware's developers are operating at an extremely high development cadence," Cado Security researcher Matt Muir said in a report published Wednesday. A majority of the compromises have been reported in China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan. P2PInfect first came to light in July 2023 for its ability to breach poorly secured Redis instances. The threat actors behind the campaign have since resorted to different approaches for initial access, including the abuse of the database's replication feature to deliver the malware. Cado Security said it has observed an increase in initial access events attributable to P2PInfect in which the Redis SLAVEOF command...

Security teams are familiar with threats emanating from third-party applications that employees add to improve their productivity. These apps are inherently designed to deliver functionality to users by connecting to a "hub" app, such as Salesforce, Google Workspace, or Microsoft 365. Security concerns center on the permission scopes that are granted to the third party apps, and the potential for a threat actor to take over the core apps and abuse those permissions. There's no real concern that the app, on its own, will start deleting files or sharing data. As such, SaaS Security Posture Management (SSPM) solutions are able to identify integrated third party applications and present their permission scopes. The security team then makes a risk assessment, balancing the benefits the app offers with its permission scopes before deciding whether to keep or decouple the applications. However, threat actors have changed the playing field with the introduction of malicious apps. These appl...

China's Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei's servers, stealing critical data, and implanting backdoors since 2009, amid mounting geopolitical tensions between the two countries. In a  message  posted on WeChat, the government authority said U.S. intelligence agencies have "done everything possible" to conduct surveillance, secret theft, and intrusions on many countries around the world, including China, using a "powerful cyber attack arsenal." Specifics about the alleged hacks were not shared. It explicitly singled out the U.S. National Security Agency's (NSA) Computer Network Operations (formerly the Office of Tailored Access Operations or TAO) as having "repeatedly carried out systematic and platform-based attacks" against the country to plunder its "important data resources." The post went on to claim that the cyber-warfare intelligence-gathering unit hacked Huawei's servers in 200...

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group  Gold Melody , which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers," the cybersecurity company  said . "The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption." Gold Melody has been  previously   linked  to  attacks  exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), ...

The maintainers of Free Download Manager (FDM) have acknowledged a security incident dating back to 2020 that led to its website being used to distribute malicious Linux software. "It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," it  said  in an alert last week. "Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed." Less than 0.1% of its visitors are estimated to have encountered the issue, adding it may have been why the problem went undetected until now. The disclosure comes as Kaspersky  revealed  that the project's website was infiltrated at some point in 2020 to redirect select Linux users who attempted to download the software to a malicious site hosting a Debian package. The package was further configured to deploy a DNS-based backdoor and ultimately serve a Bash stealer mal...

A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with Venom RAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as  CVE-2023-25157 ," Palo Alto Networks Unit 42 researcher Robert Falcone  said . While  bogus PoCs  have become a  well-documented gambit  for targeting the  research community , the cybersecurity firm suspected that the threat actors are opportunistically targeting other crooks who may be adopting the latest vulnerabilities into their arsenal. whalersplonk, the  GitHub account  that hosted the repository, is no longer accessible. The PoC is said to have been committed on August 21, 2023, four days after the vulnerability was publicly announced. ...

Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. "The site operated as a hidden service in the encrypted TOR network," the Finnish Customs (aka Tulli)  said  in a brief announcement on Tuesday. "The site has been used in anonymous criminal activities such as narcotics trade." The agency said that the drugs sold on the site were smuggled to Finland from abroad, adding a criminal investigation is underway in coordination with international partners from Germany and Lithuania, along with Europol and Eurojust. It's not immediately clear if any arrests were made. Romanian cybersecurity firm Bitdefender said it provided additional support that helped with the seizure of PIILOPUOTI. "We are extremely pleased that PIILOPUOTI has been seized and would like to congratulate law enforcement, Finnish Customs, and everyone involved," Alexandru Catal...

Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure. The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, They have been  patched  as of September 11, 2023, with the release of version 5.11.2. "Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections," Outpost24 researcher Astrid Tedenbrant  said . "The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens." CVE-2023-40932, on the other hand, relates to a cross-site scripting (XSS) flaw in the Custom Logo component that could be used to read sensiti...

Well, you shouldn't. It may already be hiding vulnerabilities. It's the modular nature of modern web applications that has made them so effective. They can call on dozens of third-party web components, JS frameworks, and open-source tools to deliver all the different functionalities that keep their customers happy, but this chain of dependencies is also what makes them so vulnerable. Many of those components in the web application supply chain are controlled by a third party—the company that created them. This means that no matter how rigorous you were with your own static code analysis, code reviews, penetration testing, and other SSDLC processes, most of your supply chain's security is in the hands of whoever built its third-party components. With their huge potential for weak spots, and their widespread use in the lucrative ecommerce, financial and medical industries, web application supply chains present a juicy target for cyber attackers. They can target any one of the doz...