The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

In what's being described as an "unprecedented" twist, the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022. The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and  Meterpreter . Tracked under the names ITG23,  Gold Blackburn , and Wizard Spider, the  financially motivated cybercrime gang  is known for its development of the TrickBot banking trojan and was  subsumed  into the now-discontinued  Conti ransomware cartel  earlier this year. But merely weeks later, the actors associated with the group resurfaced with a revamped version of the  AnchorDNS  backdoor called  AnchorMail  that uses SMTPS and IMAP protocols for command-and-control communications. "...

In a new joint cybersecurity advisory, U.S. cybersecurity and intelligence agencies have warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021. "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services," the authorities  noted . The  alert  comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury. Cybersecurity firm Stairwell, whose findings formed the basis of the advisory, said the lesser-known ransomware family stands out because of a lack of several key features commonly associated with ransomware-as-a-service (RaaS) groups. This includes the absence of "embedded ransom note to provide recov...

Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed  CuteBoi , involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts. "This was done using automation which includes the ability to pass the NPM 2FA challenge," Israeli application security testing company Checkmarx  said . "This cluster of packages seems to be a part of an attacker experimenting at this point." All the released packages in question are said to harbor near-identical source code from an already existing package named eazyminer that's used to mine Monero by means of utilizing unused resources on web servers. One notable modification entails the URL to which the mined cryptocurrency should be sent, although installing the rogue ...

Apple on Wednesday announced it plans to introduce an enhanced security setting called  Lockdown Mode  in iOS 16, iPadOS 16, and macOS Ventura to safeguard high-risk users against "highly targeted cyberattacks." The "extreme, optional protection" feature, now available for preview in beta versions of its upcoming software, is designed to counter a surge in threats posed by private companies developing state-sponsored surveillanceware such as  Pegasus ,  DevilsTongue ,  Predator , and  Hermit . Lockdown Mode, when enabled, "hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware," Apple  said  in a statement. This includes blocking most message attachment types other than images and disabling link previews in Messages; rendering inoperative just-in-time ( JIT ) JavaScript compilation; removing support for shared albums in ...

Disclaimer: This article is meant to give insight into cyber threats as seen by the community of users of CrowdSec. What can tens of thousands of machines tell us about illegal hacker activities? Do you remember that scene in Batman - The Dark Knight, where Batman uses a system that aggregates active sound data from countless mobile phones to create a meta sonar feed of what is going on at any given place?  It is an interesting analogy with what we do at CrowdSec. By aggregating intrusion signals from our community, we can offer a clear picture of what is going on in terms of illegal hacking in the world. After 2 years of activity and analyzing 1 million intrusion signals daily from tens of thousands of users in 160 countries, we start having an accurate "Batman sonar" global feed of cyber threats. And there are some interesting takeaways to outline. A cyber threat with many faces  First of all, the global cyber threat is highly versatile. What do we see when looking at...

Cybersecurity researchers have taken the wraps off a new and entirely undetected Linux threat dubbed  OrBit , signally a growing trend of malware attacks geared towards the popular operating system. The malware gets its name from one of the filenames that's utilized to temporarily store the output of executed commands ("/tmp/.orbit"), according to cybersecurity firm Intezer. "It can be installed either with persistence capabilities or as a volatile implant," security researcher Nicole Fishbein  said . "The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands." OrBit is the fourth Linux malware to have come to light in a short span of three months after  BPFDoor ,  Symbiote , and  Syslogk . The malware also functions a lot like Symbiote in that it's designed to infect all of t...

Cisco on Wednesday rolled out patches for  10 security flaws  spanning multiple products, one of which is rated Critical in severity and could be weaponized to conduct absolute path traversal attacks. The issues, tracked as  CVE-2022-20812 and CVE-2022-20813 , affect Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) and "could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device," the company  said  in an advisory. CVE-2022-20812 (CVSS score: 9.0), which concerns a case of arbitrary file overwrite in the cluster database API, requires the authenticated, remote attacker to have Administrator read-write privileges on the application so as to be able to mount path traversal attacks as a root user. "This vulnerability is due to insufficient input validation of user-supplied command arguments," the company said. "An attacker could exploit this vulnerability by authenticati...