The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Web infrastructure and website security company Cloudflare on Thursday disclosed that it mitigated the largest ever volumetric distributed denial of service (DDoS) attack recorded to date. The attack, launched via a Mirai botnet, is said to have targeted an unnamed customer in the financial industry last month. "Within seconds, the botnet bombarded the Cloudflare edge with over 330 million attack requests," the company  noted , at one point reaching a record high of 17.2 million requests-per-second (rps), making it three times bigger than previously reported HTTP DDoS attacks. Volumetric DDoS attacks are designed to target a specific network with an intention to overwhelm its bandwidth capacity and often utilize  reflective amplification techniques  to scale their attack and cause as much operational disruption as possible. They also typically originate from a network of malware-infected systems — consisting of computers, servers, and IoT devices — enabling threat ac...

ShadowPad, an infamous Windows backdoor that allows attackers to download further malicious modules or steal data, has been put to use by five different Chinese threat clusters since 2017. "The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," SentinelOne researchers Yi-Jhen Hsieh and Joey Chen  said  in a detailed overview of the malware, adding "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." The American cybersecurity firm dubbed ShadowPad a "masterpiece of privately sold malware in Chinese espionage." A successor to PlugX and a modular malware platform since 2015,  ShadowPad  catapulted to widespread attention in the wake of supply chain incidents targeting  NetSarang ,  CCleaner , and  ASUS , leading the operators to shift tactics and update their defensive measures with advanced anti-detection and persistence techniques. More recently, ...

A Nigerian threat actor has been observed attempting to recruit employees by offering them to pay $1 million in bitcoins to deploy Black Kingdom ransomware on companies' networks as part of an insider threat scheme. "The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom," Abnormal Security  said  in a report published Thursday. "The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username." Black Kingdom, also known as DemonWare and DEMON, attracted attention earlier this March when threat actors were found  exploiting ProxyLogon flaws  impacting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain. Abnormal Security, which detected and bl...

Mozi, a peer-to-peer (P2P) botnet known to target IoT devices, has gained new capabilities that allow it to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE, according to latest findings. "Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks," researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT  said  in a technical write-up. "By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities." First  documented  by Netlab 360 in December 2019, Mozi has a history of infecting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execut...

A critical vulnerability in Cisco Small Business Routers will not be patched by the networking equipment giant, since the devices reached end-of-life in 2019. Tracked as CVE-2021-34730 (CVSS score: 9.8), the issue resides in the routers' Universal Plug-and-Play (UPnP) service, enabling an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability, which the company said is due to improper validation of incoming UPnP traffic, could be abused to send a specially-crafted UPnP request to an affected device, resulting in remote code execution as the root user on the underlying operating system. "Cisco has not released and will not release software updates to address the vulnerability," the company  noted  in an advisory published Wednesday. "The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have  entered the end-of-life process . ...

Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the infamous TrickBot syndicate. The latest  findings  from IBM X-Force show that the ransomware sample shares similarities to other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two. In early July, Fortinet  revealed  specifics of an unsuccessful ransomware attack involving Diavol payload targeting one of its customers, highlighting the malware's source code overlaps with that of Conti and its technique of reusing some language from Egregor ransomware in its ransom note. "As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm," Fortinet researchers previously said. "Usually, ransomware authors aim to complete the encryption oper...

A security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK), which could be abused by a remote attacker to take control of an affected device and potentially lead to remote code execution. Tracked as CVE-2021-28372 (CVSS score: 9.6) and  discovered  by FireEye Mandiant in late 2020, the weakness concerns an improper access control flaw in ThroughTek point-to-point (P2P) products, successful exploitation of which could result in the "ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality." "Successful exploitation of this vulnerability could permit remote code execution and unauthorized access to sensitive information, such as to camera audio/video feeds," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  noted  in an advisory. There are believed to be 83 million active devices on the Kala...