The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations. The findings from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact (" 72client ") that functions as a bot and can run scripts on the compromised host using the Tox protocol. Tox is a  serverless protocol  for online communications that offers end-to-end encryption (E2EE) protections by making use of the Networking and Cryptography library ( NaCl , pronounced "salt") for encryption and authentication. "The binary found in the wild is a stripped but dynamic executable, making decompilation easier," researchers Siddharth Sharma and Nischay Hedge  said . "The entire binary appears to be written in C, and has only  statically linked  the c-toxcore library." It's worth noting that c-toxcore is a  reference implementation  of...

A security researcher who has a long line of work demonstrating novel data exfiltration methods from air-gapped systems has come up with yet another technique that involves sending Morse code signals via LEDs on network interface cards ( NICs ). The approach, codenamed  ETHERLED , comes from Dr. Mordechai Guri , the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, who recently outlined  GAIROSCOPE , a method for transmitting data ultrasonically to smartphone gyroscopes. "Malware installed on the device could programmatically control the status LED by blinking or alternating its colors, using documented methods or undocumented firmware commands," Dr. Guri said. "Information can be encoded via simple encoding such as Morse code and modulated over these optical signals. An attacker can intercept and decode these signals from tens to hundreds of meters away." A network interface card, also known as a netwo...

From ransomware to breaches, from noncompliance penalties to reputational damage – cyberthreats pose an existential risk to any business. But for SMEs and SMBs, the danger is compounded. These companies realize they  need  an in-house Chief Information Security Officer (CISO) – someone who can assess risks and vulnerabilities, create and execute a comprehensive cybersecurity plan, ensure compliance and safeguard business continuity. Yet unlike large enterprises, most don't have the budget to bring a full-time experienced CISO on board. To bridge this gap, managed service providers (MSPs), managed security service providers (MSSPs), and consulting firms offer virtual CISO (vCISO), or 'CISO-as-a-service' services. The model is simple: instead of hiring a full-time CISO, SMEs and SMBs pay a subscription or a retainer to gain access to expert cyber assistance in the form of a virtual CISO. Staffed by seasoned veteran executives, vCISOs offer C-level assistance in devising and...

WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer. "A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin  said  in a write-up published last week. Distributed denial-of-service (DDoS) protection pages are essential browser verification checks designed to deter bot-driven unwanted and malicious traffic from eating up bandwidth and taking down websites. The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file ("security_install.iso") to the victim's systems. This is achieved by injecting three lines of code into a JavaScript file ("jquery.min.js"), or alternatively into the active...

The threat actors behind a large-scale adversary-in-the-middle (AiTM)  phishing campaign  targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users. "This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu  detailed  in a report published this month. The AiTM phishing attacks are said to have commenced in mid-July 2022, following a similar modus operandi as that of a  social engineering campaign  designed to siphon users' Microsoft credentials and even bypass multi-factor authentication. The low-volume Gmail AiTM phishing campaign also entails using the compromised emails of chief executives to conduct further social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take the victims to the final landing pag...

DevOps platform GitLab this week issued patches to address a critical security flaw in its software that could lead to arbitrary code execution on affected systems. Tracked as  CVE-2022-2884 , the issue is rated 9.9 on the CVSS vulnerability scoring system and impacts all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, 15.2 before 15.2.3, and 15.3 before 15.3.1. At its core, the security weakness is a case of authenticated remote code execution that can be triggered via the GitHub import API. GitLab credited  yvvdwf  with discovering and reporting the flaw. A successful exploitation of the critical flaw could enable a malicious actor to run malicious code on the target machine, inject malware and backdoors, and seize complete control of the susceptible devices. While the issue has been resolved in versions 15.3.1, 15.2.3, 15.1.5, users also have the option of securing against the flaw by temporarily disabling...

The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Dubbed  HYPERSCRAPE  by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against less than two dozen accounts in Iran, with the oldest known sample dating back to 2020. The tool was first discovered in December 2021. Charming Kitten, a prolific advanced persistent threat (APT), is believed to be  associated  with Iran's Islamic Revolutionary Guard Corps (IRGC) and has a history of conducting espionage aligned with the interests of the government. Tracked as APT35, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda, elements of the group have also carried out ransomware attacks, suggesting that the threat actor's motives are both espionage and financially driven. "HYPERSCRAPE requires the victim's accou...