The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The threat actor behind the attacks on  Twilio  and  Cloudflare  earlier this month has been linked to a broader phishing campaign aimed at 136 organizations that resulted in a cumulative compromise of 9,931 accounts. The activity has been condemned  0ktapus  by Group-IB because the initial goal of the attacks was to "obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations." Calling the attacks well designed and executed, the Singapore-headquartered company said the adversary singled out employees of companies that are customers of identity services provider Okta. The modus operandi involved sending targets text messages containing links to phishing sites that impersonated the Okta authentication page of the respective targeted entities. "This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations," Group-IB  said ...

The threat actor behind the SolarWinds supply chain attack has been linked to yet another "highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. Dubbed  MagicWeb  by Microsoft's threat intelligence teams, the development reiterates Nobelium's commitment to developing and maintaining purpose-built capabilities. Nobelium is the tech giant's moniker for a cluster of activities that came to light with the  sophisticated attack targeting SolarWinds  in December 2020, and which overlaps with the Russian nation-state hacking group widely known as  APT29 , Cozy Bear, or The Dukes. "Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia," Microsoft  said . MagicWeb, which shares similarities with another t...

In recent months, the House of Representatives has been hard at work drafting various spending bills for the 2023 fiscal year. While these bills provide funding for a vast array of government programs and agencies, there was one thing that really stands out. Collectively, the bills that are making their way through the house  allocate a staggering $15.6 billion to cybersecurity spending . As you could probably guess, the lion's share of this spending ($11.2 billion) is being allocated to the Department of Defense. It is worth noting, however, that nearly $3 billion is going to the Cyber Security and Infrastructure Security Agency (CISA). Although it may be tempting to think of these cybersecurity budget allocations as just another example of excessive government spending, it's worth considering what a $15.6 billion cash infusion will mean for the IT security industry. It's equally important to consider why the US government finds it necessary to ramp up its cybersecurity...

The North Korean nation-state group Kimusky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart since early 2022. Russian cybersecurity firm Kaspersky codenamed the cluster  GoldDragon , with the infection chains leading to the deployment of Windows malware designed to file lists, user keystrokes, and stored web browser login credentials. Included among the potential victims are South Korean university professors, think tank researchers, and government officials.  Kimsuky , also known as Black Banshee, Thallium, and Velvet Chollima, is the name given to a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gain intelligence on various topics of interest to the regime. Known to be operating since 2012, the group has a history of employing social engineering tactics, spear-phishing, and watering hole at...

The Python Package Index, PyPI, on Wednesday sounded the alarm about an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to legitimate packages. "This is the first known phishing attack against PyPI," the maintainers of the official third-party software repository  said  in a series of tweets. The social engineering attack entails sending security-themed messages that create a false sense of urgency by informing recipients that Google is implementing a mandatory validation process on all packages and that they need to click on a link to complete the validation before September, or risk getting their PyPI modules removed. Should an unsuspecting developer fall for the scheme, users are directed to a lookalike landing page that mimics PyPI's login page and is hosted on Google Sites, from where the entered credentials are captured and abused to unauthorizedly access the accounts and compromise the packages to include malware...

Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations. The findings from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact (" 72client ") that functions as a bot and can run scripts on the compromised host using the Tox protocol. Tox is a  serverless protocol  for online communications that offers end-to-end encryption (E2EE) protections by making use of the Networking and Cryptography library ( NaCl , pronounced "salt") for encryption and authentication. "The binary found in the wild is a stripped but dynamic executable, making decompilation easier," researchers Siddharth Sharma and Nischay Hedge  said . "The entire binary appears to be written in C, and has only  statically linked  the c-toxcore library." It's worth noting that c-toxcore is a  reference implementation  of...

A security researcher who has a long line of work demonstrating novel data exfiltration methods from air-gapped systems has come up with yet another technique that involves sending Morse code signals via LEDs on network interface cards ( NICs ). The approach, codenamed  ETHERLED , comes from Dr. Mordechai Guri , the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, who recently outlined  GAIROSCOPE , a method for transmitting data ultrasonically to smartphone gyroscopes. "Malware installed on the device could programmatically control the status LED by blinking or alternating its colors, using documented methods or undocumented firmware commands," Dr. Guri said. "Information can be encoded via simple encoding such as Morse code and modulated over these optical signals. An attacker can intercept and decode these signals from tens to hundreds of meters away." A network interface card, also known as a netwo...