The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A sophisticated stealer-as-a-ransomware threat dubbed  RedEnergy  has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages. The .NET malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities," Zscaler researchers Shatak Jain and Gurkirat Singh  said  in a recent analysis. The objective, the researchers noted, is to couple data theft with encryption with the goal of inflicting maximum damage to the victims. The starting point for the multi-stage attack is a  FakeUpdates  (aka SocGholish) campaign that tricks users into downloading JavaScript-based malware under the guise of web browser updates. What makes it novel is the use of reputable LinkedIn pages to target victims, redirecting users clicking on the website ...

Secrets are meant to be hidden or, at the very least, only known to a specific and limited set of individuals (or systems). Otherwise, they aren't really secrets. In personal life, a secret revealed can damage relationships, lead to social stigma, or, at the very least, be embarrassing. In a developer's or application security engineer's professional life, the consequences of exposing secrets can lead to breaches of security, data leaks, and, well, also be embarrassing. And while there are tools available for detecting source code and code repositories, there are few options for identifying secrets in plain text, documents, emails, chat logs, content management systems, and more. What Are Secrets? In the context of applications, secrets are sensitive information such as passwords, API keys, cryptographic keys, and other confidential data that an application needs to function but should not be exposed to unauthorized users. Secrets are typically stored securely and access...

The npm registry for the Node.js JavaScript runtime environment is susceptible to what's called a  manifest confusion  attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation. "A npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager,  said  in a technical write-up published last week. "Manifests are never fully validated against the tarball's contents." "The ecosystem has broadly assumed the contents of the manifest and tarball are consistent," Clarke added. The problem, at its core, stems from the fact that the manifest and package metadata are decoupled and that they are never cross-referenced against one another, thereby leading to unexpected behavior and misuse when there is a mismatch. As a result, a threat actor could exploit this loophole to publish a module with a ma...

Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC). The development was  reported  by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point." Threads  is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow." It also enables users to follow the same accounts they already follow on Instagram. A listing for the app has already appeared in the  Apple App Store  and  Google Play Store , although it's yet to be available for download. The " App Privacy " section on the App Store indic...

The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by  Austria, France , and  Italy  last year. The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies CDON, Coop, Dagens Industri, and Tele2. "In its audits, IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred," IMY  said . "The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA." The data protection authority also fined $1.1 million for Swedish telecom service provider Tele2 and less than $30,000 for local online marketplace CDON failing to ...

The threat actors behind the  DDoSia  attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia  said  in a technical write-up. DDoSia is attributed to a pro-Russian hacker group called  NoName(057)16 . Launched in 2022 and a successor of the  Bobik botnet , the attack tool is  designed  for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan. Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 202...