The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

So far 2022 confirms that passwords are not dead yet. Neither will they be anytime soon. Even though Microsoft and Apple are championing passwordless authentication methods, most applications and websites will not remove this option for a very long time. Think about it, internal apps that you do not want to integrate with third-party identity providers, government services, legacy applications, and even SaaS providers may not want to invest in new integrations or restrict their existing authentication methods. After all, online businesses are interested in user traction, and security usually brings friction. For example, a few days ago,  Kickstarter sent out millions of password reset  emails "simplifying its login process," including for people that used social login without a password.  Though you may be able to remove passwords from many enterprise components, a large portion of third-party providers, government portals, business suppliers, and SaaS services will st...

The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control (C2) infrastructure this month, a development that alludes to an increase in the group's operational tempo. BianLian, written in the Go programming language, was first discovered in mid-July 2022 and has claimed 15 victim organizations as of September 1, cybersecurity firm [redacted] said in a  report  shared with The Hacker News. It's worth noting that the double extortion ransomware family has no connection to an  Android banking trojan  of the same name, which targets mobile banking and cryptocurrency apps to siphon sensitive information. Initial access to victim networks is achieved via successful exploitation of the  ProxyShell  Microsoft Exchange Server flaws, leveraging it to either drop a web shell or an ngrok payload for follow-on activities. "BianLian has also targeted SonicWall VPN devices for exploitation, another common target for ran...

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services (AWS) credentials, posing a major security risk. "Over three-quarters (77%) of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter team, a part of Broadcom Software, said in a  report  shared with The Hacker News. Interestingly, a little more than 50% of the apps were found using the same AWS tokens found in other apps maintained by other developers and companies, highlighting a supply chain issue with serious implications. "The AWS access tokens could be traced to a shared library, third-party SDK, or other shared component used in developing the apps," the researchers said. These credentials are typically used for downloading appropriate resources necessary for the app's functions as well as accessing configuration files and authenticating to other cloud services. To make matters wors...

The attack infrastructure used to  target Cisco  in the May 2022 incident was also employed against an attempted compromise of an unnamed workforce management solutions holding company a month earlier in April 2022. Cybersecurity firm eSentire, which  disclosed  the findings, raised the possibility that the intrusions could be the work of a criminal actor known as mx1r, who is said to be a member of the Evil Corp affiliate cluster dubbed  UNC2165 . Evil Corp, the progenitors of the infamous Dridex banking trojan, have, over the years, refined their modus operandi to run a series of ransomware operations to sidestep sanctions imposed by the U.S. Treasury in December 2019. Initial access to the company's IT network was made possible by using stolen Virtual Private Network (VPN) credentials, followed by leveraging off-the-shelf tools for lateral movement and gaining deeper access into the victim's environment. "Using Cobalt Strike, the attackers were able to ...

Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link. "Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team  said  in a write-up. Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos. Attackers could also have abused the bug to send messages and upload videos on behalf of users. The issue, addressed in version 23.7.3, impacts two flavors of its Android app com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries except for India, wher...

Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a  critical security flaw  that has been actively exploited in the wild. The shortcoming, tracked as  CVE-2022-32893  (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. WebKit is the browser engine that powers Safari and every other third-party browser available on iOS and iPadOS, meaning a flaw uncovered in the platform poses a security risk to users of Google Chrome, Mozilla Firefox, and Microsoft Edge as well. The tech giant said it fixed the bug with improved bounds checking. An anonymous researcher has been credited for reporting the vulnerability. The iOS 12.5.6 update is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). "iOS 12 is not impacted by CVE-2022-32894," Apple...

Five imposter extensions for the Google Chrome web browser masquerading as Netflix viewers and others have been found to track users' browsing activity and profit off retail affiliate programs. "The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole  said . "The latter borrows several phrases from another popular extension called GoFullPage." The browser add-ons in question – available via the Chrome Web Store and downloaded 1.4 million times – are as follows - Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) - 800,000 downloads Netflix Party (flijfnhifgdcbhglkneplegafminjnhn) - 300,000 downloads Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) - 200,000 downloads AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) - 20,000 downloads The extensions are designed to load a pi...