The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Since the first edition of  The Ultimate SaaS Security Posture Management (SSPM) Checklist  was released three years ago, the corporate SaaS sprawl has been growing at a double-digit pace. In large enterprises, the number of SaaS applications in use today is in the hundreds, spread across departmental stacks, complicating the job of security teams to protect organizations against evolving threats. As SaaS security becomes a top priority, enterprises are turning to SaaS Security Posture Management (SSPM) as an enabler. The  2025 Ultimate SaaS Security Checklist , designed to help organizations choose an SSPM, covers all the features and capabilities that should be included in these solutions. Before diving into each attack surface, when implementing an SSPM solution, it's essential to cover a breadth of integrations, including out-of-the-box and custom app integrations, as well as in-depth security checks. While there are apps that are more sensitive and complex to secu...

Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver ( BYOVD ) attack. Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese cybersecurity firm Antiy Labs has codenamed the activity as HIDDEN SHOVEL. "GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner," Elastic researchers Salim Bitam, Samir Bousseaden, Terrance DeJesus, and Andrew Pease said . "This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRig miner." It all starts with an executable file ("Tiworker.exe"), which is used to run a PowerShell script that retrieves an obfuscated Power...

An unknown threat actor is exploiting known security flaws in Microsoft Exchange Server to deploy a keylogger malware in attacks targeting entities in Africa and the Middle East. Russian cybersecurity firm Positive Technologies said it identified over 30 victims spanning government agencies, banks, IT companies, and educational institutions. The first-ever compromise dates back to 2021. "This keylogger was collecting account credentials into a file accessible via a special path from the internet," the company  said  in a report published last week. Countries targeted by the intrusion set include Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon. The attack chains commence with the exploitation of  ProxyShell flaws  (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that were originally patched by Microsoft in May 2021. Successful  exploitation of the vulnerabilities  could allow an attacker to bypass authent...

Taiwanese company QNAP has rolled out fixes for a set of medium-severity flaws impacting QTS and QuTS hero, some of which could be exploited to achieve code execution on its network-attached storage (NAS) appliances. The  issues , which impact QTS 5.1.x and QuTS hero h5.1.x, are listed below - CVE-2024-21902  - An incorrect permission assignment for critical resource vulnerability that could allow authenticated users to read or modify the resource via a network CVE-2024-27127  - A double free vulnerability that could allow authenticated users to execute arbitrary code via a network CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130  - A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network All the shortcomings, that require a valid account on NAS devices, have been addressed in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520. Aliz Hammond of watchTowr Labs has...

Popular enterprise services provider Zoom has announced the rollout of post-quantum end-to-end encryption (E2EE) for Zoom Meetings, with support for Zoom Phone and Zoom Rooms coming in the future. "As adversarial threats become more sophisticated, so does the need to safeguard user data," the company  said  in a statement. "With the launch of post-quantum E2EE, we are doubling down on security and providing leading-edge features for users to help protect their data." Zoom's post-quantum E2EE uses  Kyber-768 , which aims at security roughly equivalent to AES-192. Kyber was  chosen  by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) in July 2022 as the quantum-resistant cryptographic algorithm for general encryption. However, for post-quantum E2EE to be enabled by default, it  requires  all meeting participants to be on Zoom desktop or mobile app version 6.0.10 or higher. In the e...

Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication protections. Tracked as  CVE-2024-29849  (CVSS score: 9.8), the  vulnerability  could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. The company has also disclosed three other shortcomings impacting the same product - CVE-2024-29850  (CVSS score: 8.8), which allows account takeover via NTLM relay CVE-2024-29851  (CVSS score: 7.2), which allows a privileged user to steal NTLM hashes of a Veeam Backup Enterprise Manager service account if it's not configured to run as the default Local System account CVE-2024-29852  (CVSS score: 2.7), which allows a privileged user to read backup session logs All the flaws have been addressed in version 12.1.2.172. However, Veeam noted that deploying Veeam ...

GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections. Tracked as  CVE-2024-4985  (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication. "On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges," the company said in an advisory. GHES is a self-hosted platform for software development, allowing organizations to store and build software using Git version control as well as automate the deployment pipeline. The issue impacts all versions of GHES prior to 3.13.0 and has been  addressed  in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4. GitHub further noted that encrypted assertions are not enabled by default...

A new attack campaign dubbed  CLOUD#REVERSER  has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a report shared with The Hacker News. "The scripts are designed to fetch files that match specific patterns, suggesting they are waiting for commands or scripts placed in Google Drive or Dropbox." The starting point of the attack chain is a phishing email bearing a ZIP archive file, which contains an executable that masquerades as a Microsoft Excel file. In an interesting twist, the filename makes use of the hidden right-to-left override ( RLO ) Unicode character (U+202E) to reverse the order of the characters that co...

The persistent threat actors behind the  SolarMarker  information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from Recorded Future show. "The core of SolarMarker's operations is its layered infrastructure, which consists of at least two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific regions or industries," the company  said  in a report published last week. "This separation enhances the malware's ability to adapt and respond to countermeasures, making it particularly difficult to eradicate." SolarMarker , known by the names Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, is a sophisticated threat that has  exhibited a continuous evolution  since its emergence in September 2020. It has the capability to steal data from several web browsers and cryptocurrency wallets, as well...

One of the enduring challenges of building modern applications is to make them more secure without disrupting high-velocity DevOps processes or degrading the developer experience. Today's cyber threat landscape is rife with sophisticated attacks aimed at all different parts of the software supply chain and the urgency for software-producing organizations to adopt DevSecOps practices that deeply integrate security throughout the software development life cycle has never been greater.  However, HOW organizations go about it is of critical importance. For example, locking down the development platform, instituting exhaustive code reviews, and enforcing heavyweight approval processes may improve the security posture of pipelines and code, but don't count on applications teams to operate fluidly enough to innovate. The same goes for application security testing; uncovering a mountain of vulnerabilities does little good if developers have inadequate time or guidance to fix them. At a ...

File Integrity Monitoring (FIM) is an IT security control that monitors and detects file changes in computer systems. It helps organizations audit important files and system configurations by routinely scanning and verifying their integrity. Most information security standards mandate the use of FIM for businesses to ensure the integrity of their data. IT security compliance involves adhering to applicable laws, policies, regulations, procedures, and standards issued by governments and regulatory bodies such as PCI DSS, ISO 27001, TSC, GDPR, and HIPAA. Failure to comply with these regulations can lead to severe consequences such as cyber breaches, confidential data loss, financial loss, and reputational damage. Therefore, organizations must prioritize adherence to IT regulations and standards to mitigate risks and safeguard their information systems effectively. The rapid pace of technological advancement and a shortage of skilled cybersecurity professionals contribute to compliance...

A critical security flaw has been disclosed in the  llama_cpp_python  Python package that could be exploited by threat actors to achieve arbitrary code execution. Tracked as  CVE-2024-34359  (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx. "If exploited, it could allow attackers to execute arbitrary code on your system, compromising data and operations," security researcher Guy Nachshon  said . llama_cpp_python, a Python binding for the  llama.cpp library , is a popular package with over 3 million downloads to date, allowing developers to integrate AI models with Python.  Security researcher Patrick Peng (retr0reg) has been credited with discovering and reporting the flaw, which has been addressed in version 0.2.72. The  core issue  stems from the misuse of the Jinja2 template engine within the llama_cpp_python package, allowing for server-side template injection that le...