The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa. The activity has been attributed to a group tracked as SideWinder , which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. "The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations," Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov said . Targets of the attacks include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies located in Bangladesh, Djibouti, Jordan, Malaysia, the...

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023. The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks, and government agencies in the United States and around the world, the U.S. Department of Justice (DoJ) said. Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been charged with one count of conspiracy to damage protected computers. Ahmed Salah has also been charged with three counts of damaging protected computers. If convicted on all charges, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same...

A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances. The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability. "A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process," Red Hat's Joel Smith said in an alert. "Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access." That having said, Kubernetes clusters are only impacted by the flaw if their nodes use virtual machine (VM) images created via the Image Builder project with the Prox...

Threat actors are attempting to abuse the open-source EDRSilencer tool as part of efforts to tamper endpoint detection and response (EDR) solutions and hide malicious activity. Trend Micro said it detected "threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection." EDRSilencer , inspired by the NightHawk FireBlock tool from MDSec, is designed to block outbound traffic of running EDR processes using the Windows Filtering Platform ( WFP ). It supports terminating various processes related to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro. By incorporating such legitimate red teaming tools into their arsenal, the goal is to render EDR software ineffective and make it a lot more challenging to identify and remove malware. "The WFP is a powerful framework built into Windows for ...

The FIDO Alliance said it's working to make passkeys and other credentials more easier to export across different providers and improve credential provider interoperability, as more than 12 billion online accounts become accessible with the passwordless sign-in method. To that end, the alliance said it has published a draft for a new set of specifications for secure credential exchange, following commitments among members of its Credential Provider Special Interest Group (SIG). This includes 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung, and SK Telecom. "Secure credential exchange is a focus for the FIDO Alliance because it can help further accelerate passkey adoption and enhance user experience," the FIDO Alliance said in a statement. "Sign-ins with passkeys reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster, and 20% more successful than passwords or passwords plus a second facto...

AI from the attacker's perspective: See how cybercriminals are leveraging AI and exploiting its vulnerabilities to compromise systems, users, and even other AI applications Cybercriminals and AI: The Reality vs. Hype "AI will not replace humans in the near future. But humans who know how to use AI are going to replace those humans who don't know how to use AI," says Etay Maor, Chief Security Strategist at Cato Networks and founding member of Cato CTRL . "Similarly, attackers are also turning to AI to augment their own capabilities." Yet, there is a lot more hype than reality around AI's role in cybercrime. Headlines often sensationalize AI threats, with terms like "Chaos-GPT" and "Black Hat AI Tools," even claiming they seek to destroy humanity. However, these articles are more fear-inducing than descriptive of serious threats. For instance, when explored in underground forums, several of these so-called "AI cyber tools" were found to be nothing...

The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT . The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode. It was patched by Microsoft as part of its Patch Tuesday updates for August 2024. However, successful exploitation requires an attacker to convince a user to click on a specially crafted URL in order to initiate the execution of malicious code. The AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center (NCSC) of the Republic of Korea, which were credited with discovering and reporting the shortcoming, have assigned the activity cluster the name Operation Code on Toast. The organizations are tracking ScarCruft under the moniker TA-RedAnt, which was previously...

To defend your organization against cyber threats, you need a clear picture of the current threat landscape. This means constantly expanding your knowledge about new and ongoing threats. There are many techniques analysts can use to collect crucial cyber threat intelligence. Let's consider five that can greatly improve your threat investigations. Pivoting on С2 IP addresses to pinpoint malware IP addresses used by malware to communicate with its command and control (C2) servers are valuable indicators. They can help not only update your defenses, but also identify related infrastructure and tools belonging to threat actors.  This is done using the pivoting method, which lets analysts find additional context on the threat at hand with an existing indicator. To perform pivoting, analysts use various sources, including threat intelligence databases that store large volumes of fresh threat data and offer search capabilities. One useful tool is Threat Intelligence Lookup from AN...

A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails. "The spear-phishing campaign's impact has targeted various industries, with manufacturing companies, retail firms, and government agencies being the most affected," Trend Micro said in a new analysis. "The malicious emails often impersonate official tax documents, using the urgency of personal income tax filings to trick users into downloading the malware." The cybersecurity company is tracking the threat activity cluster under the name Water Makara. It's worth pointing out that Google's Threat Analysis Group (TAG) has assigned the moniker PINEAPPLE to a similar intrusion set that delivers the same malware to Brazilian users. Both these campaigns share a point of commonality in that they commence with phishing messages that impersonate official entities su...

GitHub has released security updates for Enterprise Server (GHES) to address multiple issues, including a critical bug that could allow unauthorized access to an instance. The vulnerability, tracked as CVE-2024-9487, carries a CVS score of 9.5 out of a maximum of 10.0 "An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server," GitHub said in an alert. The Microsoft-owned company characterized the flaw as a regression that was introduced as part of follow-up remediation from CVE-2024-4985 (CVSS score: 10.0), a maximum severity vulnerability that was patched back in May 2024. Also fixed by GitHub are two other shortcomings - CVE-2024-9539 (CVSS score: 5.7) - An information disclosure vulnerability that could enable an attacker to ret...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain unauthorized access and make modifications. "SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data," CISA said in an advisory. Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later. The vulnerability "allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset req...

New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device's unlock pattern or PIN. "This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week. First spotted in the wild in 2019, TrickMo is so named for its associations with the TrickBot cybercrime group and is capable of granting remote control over infected devices, as well as stealing SMS-based one-time passwords (OTPs) and displaying overlay screens to capture credentials by abusing Android's accessibility services. Last month, Italian cybersecurity company Cleafy disclosed updated versions of the mobile malware with improved mechanisms to evade analysis and grant itself additional permissions to perform various malicious actions on the device, including carrying out unauthorized transactions. Some of the new varia...

Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT. The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload. "DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets," security researcher Muhammed Irfan V A said in an analysis. "DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures." PureCrypter, first publicly disclosed in 2022, is an off-the-shelf malware loader that's available for sale on a subscription basis, offering customers the ability to distribute information stealers, RATs, and ransomware. The exact initial access vector used to deliver PureCrypter and, by extensio...

North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign. The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said . FASTCash was first documented by the U.S. government in October 2018 as used by adversaries linked to North Korea in connection with an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016. "FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions," the agencies noted at the time. "In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enab...

In recent years, the number and sophistication of zero-day vulnerabilities have surged, posing a critical threat to organizations of all sizes. A zero-day vulnerability is a security flaw in software that is unknown to the vendor and remains unpatched at the time of discovery. Attackers exploit these flaws before any defensive measures can be implemented, making zero-days a potent weapon for cybercriminals. A recent example is, for instance, CVE-2024-0519 in Google Chrome: this high-severity vulnerability was actively exploited in the wild and involved an out-of-bounds memory access issue in the V8 JavaScript engine. It allowed remote attackers to access sensitive information or trigger a crash by exploiting heap corruption.  Also, the zero-day vulnerability at Rackspace caused massive trouble. This incident was a zero-day remote code execution vulnerability in ScienceLogic's monitoring application that led to the compromise of Rackspace's internal systems. The breach expose...