The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Earlier this week, ServiceNow  announced on its support site  that misconfigurations within the platform could result in “unintended access” to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that could have resulted in major data leakage of sensitive corporate data.  ServiceNow has since taken steps to fix this issue .  This article fully analyzes the issue, explains why this critical application misconfiguration could have had serious consequences for businesses, and remediation steps companies would take, if not for the ServiceNow fix. (Although, recommended to double check that the fix has closed the organization’s exposure.) In a Nutshell ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, security operations, and a wide variety of additional domains. This SaaS application is considered to b...

A new ongoing campaign dubbed  EleKtra-Leak  has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. "As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist  said  in a technical report shared with The Hacker News. The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023. A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are  programmatically cloning and scanning the repositories  to captur...

Three unpatched high-severity security flaws have been disclosed in the  NGINX Ingress controller  for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster. The vulnerabilities are as follows -  CVE-2022-4886  (CVSS score: 8.8) -  Ingress-nginx  path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller CVE-2023-5043  (CVSS score: 7.6) - Ingress-nginx annotation injection causes arbitrary command execution CVE-2023-5044  (CVSS score: 7.6) - Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation "These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster," Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044. Successful exploitation of the flaws could allow an adversary to inject arbitrary code into...

A new cyber attack campaign has been observed using spurious  MSIX  Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed  GHOSTPULSE . "MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs researcher Joe Desimone  said  in a technical report published last week. "However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources." Based on the installers used as lures, it's suspected that potential targets are  enticed  into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising. Launching the MSIX file opens a Windows prompting the users to click the Install button, doing so...

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an  XMPP -based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany. "The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted  STARTTLS connections  on port 5222 using transparent [man-in-the-middle] proxy," a security researcher who goes by the alias ValdikSS  said  earlier this week. "The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued." Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack. The wiretapping is estimated to have lasted for as long as six months, from April 18, 2023, although it's been confi...

The North Korea-aligned  Lazarus Group  has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software. The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and  LPEClient , a known hacking tool used by the threat actor for victim profiling and payload delivery. "The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control," security researcher Seongsu Park  said . "The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques." The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the...