The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A version of an open source ransomware toolkit called  Cryptonite  has been observed in the wild with wiper capabilities due to its "weak architecture and programming." Cryptonite , unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and its forks have since been taken down. Written in Python, the malware employs the  Fernet module  of the cryptography package to encrypt files with a ".cryptn8" extension. But a  new sample  analyzed by Fortinet FortiGuard Labs has been found to lock files with no option to decrypt them back, essentially acting as a destructive data wiper. But this change isn't a deliberate act on part of the threat actor, but rather stems from a lack of quality assurance that causes the program to crash when attempting to display the ransom note after completing the encrypt...

Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC  Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. "The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking)," firmware and hardware security company Eclypsium  said  in a report shared with The Hacker News. BMCs are privileged independent systems within servers that are used to control low-level hardware settings and manage the host operating system, even in scenarios when the machine is powered off. These capabilities make BMCs an enticing target for threat actors looking to plant persistent malware on devices that can survive operating system reinstalls and hard drive replacements. Some of the major server manufacturers that are known to have used MegaRAC BMC include AMD, Ampere C...

A new data wiper malware called  CryWiper  has been found targeting Russian government agencies, including mayor's offices and courts. "Although it disguises itself as a ransomware and extorts money from the victim for 'decrypting' data, [it] does not actually encrypt, but purposefully destroys data in the affected system," Kaspersky researchers Fedor Sinitsyn and Janis Zinchenko  said  in a write-up. Additional details of the attacks were shared by the Russian-language news publication  Izvestia . The intrusions have not been attributed to a specific adversarial group so far. A C++-based malware, CryWiper is configured to establish persistence via a scheduled task and communicate with a command-and-control (C2) server to initiate the malicious activity. Besides terminating processes related to database and email servers, the malware is equipped with capabilities to delete shadow copies of files and modify the Windows Registry to prevent RDP connections in...

In the era of digitization and ever-changing business needs, the production environment has become a living organism. Multiple functions and teams within an organization can ultimately impact the way an attacker sees the organization's assets, or in other words, the external attack surface. This dramatically increases the need to define an exposure management strategy. To keep up with business needs while effectively assessing and managing cybersecurity risk, there are two primary elements that organizations should consider regarding their external attack surface: its  size  and its  attractiveness to attackers . While organizations are typically focused on accounting for the size of their attack surface, its attractiveness is not typically top of mind, though it may have a significant impact on risk. Attack Surface Size How many assets are accessible from the outside world?  There is a delicate balance between business needs and security. While there are good r...

Cybersecurity researchers have discovered a security vulnerability that exposes cars from Honda, Nissan, Infiniti, and Acura to remote attacks through a connected vehicle service provided by SiriusXM. The issue could be exploited to unlock, start, locate, and honk any car in an unauthorized manner just by knowing the vehicle's vehicle identification number (VIN), researcher Sam Curry said in a  Twitter thread  last week. SiriusXM's Connected Vehicles (CV) Services are  said  to be used by more than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. The system is  designed  to enable a wide range of safety, security, and convenience services such as automatic crash notification, enhanced roadside assistance, remote door unlock, remote engine start, stolen vehicle recovery assistance, turn-by-turn navigation, and integration with smart home devices, among others. T...

The Lazarus Group threat actor has been observed leveraging fake cryptocurrency apps as a lure to deliver a previously undocumented version of the AppleJeus malware, according to new findings from Volexity. "This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents," researchers Callum Roxan, Paul Rascagneres, and Robert Jan Mora  said . The North Korean government is known to adopt a three-pronged approach by employing malicious cyber activity that's orchestrated to collect intelligence, conduct attacks, and generate illicit revenue for the sanctions hit nation. The threats are collectively tracked under the name  Lazarus Group  (aka Hidden Cobra or  Zinc ). "North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund ...

The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier  CVE-2022-23093 , impacts all supported versions of FreeBSD and concerns a  stack-based buffer overflow  vulnerability in the  ping service . "ping reads raw IP packets from the network to process responses in the pr_pack() function," according to an  advisory  published last week. "The pr_pack() copies received IP and  ICMP  headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet." As a consequence, the destination buffer could be overflowed by up to 40 bytes when the IP option headers are present. The FreeBSD Project noted that the ping ...