The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said . The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.Bean, North Face, and Wayfare. The phishing domains have been found to use top-level domains (TLDs) such as .top, .shop, .store, and .vip, often typosquatting legitimate e-commerce organi...

Legal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so. They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target's devices as WhatsApp erected new defenses to counter the threat. In May 2019, WhatsApp said it blocked a sophisticated cyber attack that exploited its video calling system to deliver Pegasus malware surreptitiously. The attack leveraged a then zero-day flaw tracked as CVE-2019-3568 (CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality. The documents now show that NSO Group "developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus." The attack vector – a zero-click exploit that could compromise a victim...

A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker to remotely gain full administrative access to a susceptible site. The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.  "The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites," Wordfence security researcher István Márton said . Following responsible disclosure on November 6, 2024, the shortcoming has been patched in version 9.1.2 released a week later. This risk of possible abuse has prompted the plugin maintainers to work with WordPress to force-update all sites running this plugin prior to public disclosure. According to Wordfence, the authentication bypass vulnerabilit...

Python supply chain attacks are surging in 2025. Join our webinar to learn how to secure your code, dependencies, and runtime with modern tools and strategies.

Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild. To that end, the company said it observed malicious activity originating from below IP addresses and targeting PAN-OS management web interface IP addresses that are accessible over the internet - 136.144.17[.]* 173.239.218[.]251 216.73.162[.]* The company, however, warned that these IP addresses may possibly represent "third-party VPNs with legitimate user activity originating from these IPs to other destinations." Palo Alto Networks' updated advisory indicates that the flaw is being exploited to deploy a web shell on compromised devices, allowing threat actors to gain persistent remote access. The vulnerability, which is yet to be assigned a CVE identifier, carries a CVSS score of 9.3, indicating critical severity. It allow...

A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA . Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA, DEEPPOST, and LightSpy . "DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices," security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said in a technical report. The malware first came to light earlier this week, when BlackBerry detailed the Windows-based surveillance framework as used by the China-linked APT41 threat actor to harvest data from WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass, as well as applic...

Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands. Cybersecurity company Check Point has codenamed the malware WezRat , stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform. "WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files," it said in a technical report. "Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor's main component less suspicious." WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that's better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA). The malware w...

Cybersecurity researchers have disclosed two security flaws in Google's Vertex machine learning (ML) platform that, if successfully exploited, could allow malicious actors to escalate privileges and exfiltrate models from the cloud. "By exploiting custom job permissions, we were able to escalate our privileges and gain unauthorized access to all data services in the project," Palo Alto Networks Unit 42 researchers Ofir Balassiano and Ofir Shaty said in an analysis published earlier this week. "Deploying a poisoned model in Vertex AI led to the exfiltration of all other fine-tuned models, posing a serious proprietary and sensitive data exfiltration attack risk." Vertex AI is Google's ML platform for training and deploying custom ML models and artificial intelligence (AI) applications at scale. It was first introduced in May 2021. Crucial to leveraging the privilege escalation flaw is a feature called Vertex AI Pipelines , which allows users to automat...

In the fast-paced digital world, trust is everything—but what happens when that trust is disrupted? Certificate revocations, though rare, can send shockwaves through your operations, impacting security, customer confidence, and business continuity. Are you prepared to act swiftly when the unexpected happens? Join DigiCert's exclusive webinar, " When Shift Happens: Are You Ready for Rapid Certificate Replacement? " , and discover how automation, crypto agility, and best practices can transform revocation challenges into opportunities for growth and resilience. Here's what you'll uncover: Revocations Uncovered: Understand why they happen, their ripple effects, and the role of post-quantum cryptography in mitigating risks. Automation to the Rescue: Learn how to minimize downtime and streamline certificate replacements with cutting-edge tools. Crypto Agility in Action: Stay ahead of evolving cryptographic standards with strategies that keep your organization secure and ...

A Vietnamese-speaking threat actor has been linked to an information-stealing campaign targeting government and education entities in Europe and Asia with a new Python-based malware called PXA Stealer . The malware "targets victims' sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software," Cisco Talos researchers Joey Chen, Alex Karkins, and Chetan Raghuprasad said . "PXA Stealer has the capability to decrypt the victim's browser master password and uses it to steal the stored credentials of various online accounts" The connections to Vietnam stem from the presence of Vietnamese comments and a hard-coded Telegram account named " Lone None " in the stealer program, the latter of which includes an icon of Vietnam's national flag and a picture of the emblem for Vietnam's Ministry of Public Security. Cisco Talos said it observed th...

In recent years, artificial intelligence (AI) has begun revolutionizing Identity Access Management (IAM), reshaping how cybersecurity is approached in this crucial field. Leveraging AI in IAM is about tapping into its analytical capabilities to monitor access patterns and identify anomalies that could signal a potential security breach. The focus has expanded beyond merely managing human identities — now, autonomous systems, APIs, and connected devices also fall within the realm of AI-driven IAM, creating a dynamic security ecosystem that adapts and evolves in response to sophisticated cyber threats. The Role of AI and Machine Learning in IAM AI and machine learning (ML) are creating a more robust, proactive IAM system that continuously learns from the environment to enhance security. Let's explore how AI impacts key IAM components: Intelligent Monitoring and Anomaly Detection AI enables continuous monitoring of both human and non-human identities , including APIs, service acc...

Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure. The vulnerability, tracked as CVE-2024-10979 , carries a CVSS score of 8.8. Environment variables are user-defined values that can allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, during runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase. "Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH )," PostgreSQL said in an advisory released Thursday. "That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user." ...

Ilya Lichtenstein, who pleaded guilty to the 2016 hack of cryptocurrency stock exchange Bitfinex, has been sentenced to five years in prison, the U.S. Department of Justice (DoJ) announced Thursday. Lichtenstein was charged for his involvement in a money laundering scheme that led to the theft of nearly 120,000 bitcoins (valued at over $10.5 billion at current prices) from the crypto exchange. Heather Rhiannon Morgan, his wife, also pleaded guilty to the same crimes last year. They were both arrested in February 2022. Morgan is scheduled to be sentenced on November 18. "Lichtenstein, 35, hacked into Bitfinex's network in 2016, using advanced hacking tools and techniques," the DoJ said in a press statement. "Once inside the network, Lichtenstein fraudulently authorized more than 2,000 transactions transferring 119,754 bitcoin from Bitfinex to a cryptocurrency wallet in Lichtenstein's control." TRM Labs said Lichtenstein exploited a vulnerability in Bit...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition software have come under active exploitation in the wild. To that end, it has added the vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5, 2024. The security flaws are listed below - CVE-2024-9463 (CVSS score: 9.9) - Palo Alto Networks Expedition OS Command Injection Vulnerability CVE-2024-9465 (CVSS score: 9.3) - Palo Alto Networks Expedition SQL Injection Vulnerability Successful exploitation of the vulnerabilities could allow an unauthenticated attacker to run arbitrary OS commands as root in the Expedition migration tool or reveal its database contents. This could then pave the way for disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, or cr...

Multiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for using them in phishing attacks and investment fraud schemes for years. The findings come from Infoblox, which said it identified nearly 800,000 vulnerable registered domains over the past three months, of which approximately 9% (70,000) have been subsequently hijacked. "Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names," the cybersecurity company said in a deep-dive report shared with The Hacker News. "Victim domains include well-known brands, non-profits, and government entities." The little-known attack vector, although originally documented by security researcher Matthew Bryant way back in 2016, didn't attract a lot of attention until the scale of the hijacks was disclosed earlier this August. "I believe there is more awareness [since then]," Dr. Renee Burton, vice pre...

Google has revealed that bad actors are leveraging techniques like landing page cloaking to conduct scams by impersonating legitimate sites. "Cloaking is specifically designed to prevent moderation systems and teams from reviewing policy-violating content which enables them to deploy the scam directly to users," Laurie Richardson, VP and Head of Trust and Safety at Google, said . "The landing pages often mimic well-known sites and create a sense of urgency to manipulate users into purchasing counterfeit products or unrealistic products." Cloaking refers to the practice of serving different content to search engines like Google and users with the ultimate goal of manipulating search rankings and deceiving users. The tech giant said it has also observed a cloaking trend wherein users clicking on ads are redirected via tracking templates to scareware sites that claim their devices are compromised with malware and lead them to other phony customer support sites, w...