The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords being added to the database in plaintext format. "A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them," UpdraftPlus, the maintainers of AIOS,  said . "This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website." The issue surfaced nearly three weeks ago when a user of the plugin  reported  the behavior, stating they were "absolutely shocked that a security plugin is making such a basic security 101 error." AIOS also noted that the updates remove the existing logged data from th...

A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS). The findings come from  SentinelOne  and  Permiso , which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools." They also overlap with an ongoing TeamTNT campaign  disclosed  by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking  SCARLETEEL  attacks to the threat actor, citing infrastructure commonalities. "TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted. The attacks, which single out public-facing Docker instanc...

A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware  AVrecon , making it the third such strain to focus on SOHO routers after  ZuoRAT  and  HiatusRAT  over the past year. "This makes AVrecon one of the largest SOHO router-targeting botnets ever seen," the company  said . "The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud." A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others. AVrecon was  first highlighted  by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating th...

Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. "A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company  said  in an advisory. It also said that the issue has been addressed and that it's expected to be delivered in the July patch release. Additional specifics about the flaw are currently unavailable, although Zimbra said it fixed the issue through input sanitization. In the interim, it is urging customers to  apply a manual fix  to eliminate the attack vector - Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto Edit this file and go to line number 40 Update the parameter value as: <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/> Before the update, the line appeared as: <input name="st...

Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems. The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT. "The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats," Cisco Talos researcher Vanja Svajcer  said  in a new report. "This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult." Some  of the  activities  have been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with th...

As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called  Silentbob . "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag  said  in a report shared with The Hacker News. "The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit." The development arrives a week after the cloud security company  detailed  an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner. The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell sc...