The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony. The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point said in a technical write-up published this week. "ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command-and-control communications," the Israeli company said . ElizaRAT is a Windows remote access tool (RAT) that Transparent Tribe was first observed using in July 2023 as part of cyber attacks targeting Indian government sectors. Active since at least 2013, the adversary is also tracked under the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM. Its malware ar...

We've all heard a million times: growing demand for robust cybersecurity in the face of rising cyber threats is undeniable. Globally small and medium-sized businesses (SMBs) are increasingly targeted by cyberattacks but often lack the resources for full-time Chief Information Security Officers (CISOs). This gap is driving the rise of the virtual CISO (vCISO) model, offering a cost-effective solution, and giving SMBs access to strategic security leadership.  For MSPs and MSSPs this shift represents both a challenge and an opportunity. Over 94% of service providers recognize the increasing need for vCISO services, yet, over 25% of providers report lacking the cybersecurity and compliance expertise needed to offer vCISO services.  This gap is exactly why the vCISO Academy was created —to empower service providers with the knowledge and skills they need to thrive in this evolving landscape.  The vCISO Academy is a free, professional learning platform designed to equip ...

A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber . "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available commodity malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures," Socket security researcher Kirill Boychenko said in a report shared with The Hacker News. The list of malicious packages is as follows - node-dlls (77 downloads) ro.dll (74 downloads) autoadv (66 downloads) rolimons-api (107 downloads) It's worth pointing out that "node-dlls" is an attempt on part of the threat actor to masquerade as the legitimate node-dll packa...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. The "intriguing" campaign, codenamed CRON#TRAP , starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email. "What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server," Securonix researchers Den Iuzvyk and Tim Peck said in an analysis. "This setup allows the attacker to maintain a stealthy presence on the victim's machine, staging further malicious activity within a concealed environment, making detection challenging for traditional antivirus solutions." The phishing messages purport to be an "OneAmerica survey" th...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that could lead to an admin account takeover. "Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data," CISA said in an alert. The shortcoming impacts all versions of Expedition prior to version 1.2.92, which was released in July 2024 to plug the problem. There are currently no reports on how the vulnerability is being weaponized in real-world attacks, but Palo Alto Networks has since revised its original adviso...

A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices . Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk , attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket , KANDYKORN , ObjCShellz , RustDoor (aka Thiefbucket ), and TodoSwift . The activity "uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file," researchers Raffaele Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News. "The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics." As revealed by the U.S. Federal Bureau of Investigation (FBI) in a September 2024 advisory, the...

Defending your organization's security is like fortifying a castle—you need to understand where attackers will strike and how they'll try to breach your walls. And hackers are always searching for weaknesses, whether it's a lax password policy or a forgotten backdoor. To build a stronger defense, you must think like a hacker and anticipate their moves. Read on to learn more about hackers' strategies to crack passwords, the vulnerabilities they exploit, and how you can reinforce your defenses to keep them at bay. Analysis of the worst passwords Weak, commonly used passwords represent the easiest targets for hackers. Every year, experts provide  lists of the most frequently used passwords , with classics like " 123456 " and " password " appearing year after year. These passwords are the low-hanging fruit of a hacker's attack strategy. Despite years of security warnings, users still use simple, easy-to-remember passwords—often based on predictable patterns or personal details ...

Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples. Disabling of Windows Event Logging (T1562.002) Disrupting Windows Event Logging helps attackers prevent the system from recording crucial information about their malicious actions. Without event logs, important details such as login attempts, file modifications, and system changes go unrecorded, leaving security solutions and analysts with incomplete or missing data. Windows Event Logging can be manipulated in different ways, including by changing registry keys or using commands like "net stop eventlog". Altering group policies is another common method. Since many detection mechanisms rely on log analysis to identify s...

An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024. Cybersecurity firm Check Point is tracking the large-scale campaign under the name CopyRh(ight)adamantys . Targeted regions include the United States, Europe, East Asia, and South America. "The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity," the company said in a technical analysis. "Almost 70% of the impersonated companies are from the Entertainment /Media and Technology/Software sectors." The attacks are notable for the deployment of version 0.7 of the Rhadamanthys stealer, which, as detailed by Recorded Future's Insikt Group early last month, incorporates artificial intelligence (AI) for optical character recognition ...

The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an entity in the region. "During this attack, the threat actor used as a lure the upcoming World Expo, which will be held in 2025 in Osaka, Japan," ESET said in its APT Activity Report for the period April to September 2024. "This shows that even considering this new geographic targeting, MirrorFace remains focused on Japan and events related to it." MirrorFace, also tracked as Earth Kasha , is assessed to be part of an umbrella group known as APT10, which also comprises clusters tracked as Earth Tengshe and Bronze Starlight. It's known for its targeting of Japanese organizations at least since 2019, although a new campaign observed in early 2023 expanded its operations to include Taiwan and India. Over the years, the hacking crew's malware arsenal has evolved to include bac...

Cisco has released security updates to address a maximum severity security flaw impacting Ultra-Reliable Wireless Backhaul ( URWB ) Access Points that could permit unauthenticated, remote attackers to run commands with elevated privileges. Tracked as CVE-2024-20418 (CVS score: 10.0), the vulnerability has been described as stemming from a lack of input validation to the web-based management interface of the Cisco Unified Industrial Wireless Software. "An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system," Cisco said in an advisory released Wednesday. "A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device." The shortcoming impacts following Cisco products in scenarios where the URWB operating mode is enabled - Catalyst IW9165D Heavy Duty Access Points Catalyst IW9165E Rugge...

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials. The package in question is " fabrice ," which typosquats a popular Python library known as " fabric ," which is designed to execute shell commands remotely over SSH.  While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021. The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said . "Fabrice" is designed to carry out its malicious actions ...

The Canadian government on Wednesday ordered ByteDance-owned TikTok to dissolve its operations in the country, citing national security risks, but stopped short of instituting a ban on the popular video-sharing platform. "The decision was based on the information and evidence collected over the course of the review and on the advice of Canada's security and intelligence community and other government partners," François-Philippe Champagne, Minister of Innovation, Science and Industry, said in a statement. The government said it does not intend to block Canadians' access to the app itself or curtail their ability to create new content, stating the use of a social media application is a "personal choice." The use of the app has already been banned on Canadian government devices since February 2023. That having said, it urged Canadians to adopt good cyber security practices and assess the possible risks that could arise from using social media platforms,...