The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords following a supply chain attack. The Adelaide-based firm said a bad actor used sophisticated techniques to compromise the software's update mechanism and used it to drop malware on user computers. The breach is said to have occurred between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC, for a total period of about 28 hours. "Only customers that performed In-Place Upgrades between the times stated above are believed to be affected," the company  said  in an advisory. "Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested." The development was first reported by the Polish tech news site  Niebezpiecznik . It's not immediately clear who the attackers are or how they compromised the password manager's update feature. Click Studios said an i...

A new ransomware strain called " Qlocker " is targeting QNAP network attached storage (NAS) devices as part of an ongoing campaign and encrypting files in password-protected 7zip archives. First reports of the  infections   emerged on April 20, with the adversaries behind the operations demanding a bitcoin payment (0.01 bitcoins or about $500.57) to receive the decryption key. In response to the ongoing attacks, the Taiwanese company has released an advisory prompting users to apply updates to QNAP NAS running Multimedia Console, Media Streaming Add-on, and HBS 3 Hybrid Backup Sync to secure the devices from any attacks. "QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS," the company  said . "The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks....

Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research. "Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more," Boston-based cybersecurity firm Cybereason  said  in an analysis summarizing its findings. First documented by Cisco Talos in July 2020,  Prometei  is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and "increase the amount of systems participating in its Monero-mining pool." "Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted in...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed details of a new advanced persistent threat (APT) that's leveraging the Supernova backdoor to compromise SolarWinds Orion installations after gaining access to the network through a connection to a Pulse Secure VPN device. "The threat actor connected to the entity's network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET web shell), and collected credentials," the agency  said  on Thursday. CISA said it identified the threat actor during an incident response engagement at an unnamed organization and found that the attacker had access to the enterprise's network for nearly a year through the use of the VPN credentials between March 2020 and February 2021. Interestingly, the adversary is said to have used valid accounts that had multi-factor authent...

The sprawling  SolarWinds cyberattack  which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection." As further proof of this, new research published today shows that the threat actor carefully planned each stage of the operation to "avoid creating the type of patterns that make tracking them simple," thus deliberately making forensic analysis difficult. By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, r...