The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A new malware campaign has been observed targeting Italy with phishing emails designed to deploy an information stealer on compromised Windows systems. "The info-stealer malware steals sensitive information like system info, crypto wallet and browser histories, cookies, and credentials of crypto wallets from victim machines," Uptycs security researcher Karthickkumar Kathiresan  said  in a report. Details of the campaign were first  disclosed  by Milan-based IT services firm SI.net last month. The multi-stage infection sequence commences with an invoice-themed phishing email containing a link that, when clicked, downloads a password-protected ZIP archive file, which harbors two files: A shortcut (.LNK) file and a batch (.BAT) file. Irrespective of which file is launched, the attack chain remains the same, as opening the shortcut file fetches the same batch script designed to install the information stealer payload from a GitHub repository. This is achieved by l...

UPDATE: CVE-2022-23529 Retracted Following Review Auth0 and Unit 42 said they are formally retracting CVE-2022-23529 (CVSS score: 7.6) based on the fact that several prerequisites are essential for exploitation. The cybersecurity company said "important security checks" have been added to fix the problem. "The security issue remains a concern only when the jsonwebtoken library is used in an insecure way," the maintainers said in an advisory. "In such a scenario, if all the prerequisites are met, the issue may be exploitable; however, the source of this risk is the calling code and not the library itself." A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. "By exploiting this  vulnerability , attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) reques...

The threat actors behind the  Kinsing  cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud,  said  in a report last week. Kinsing has a  storied history  of targeting  containerized environments , often leveraging misconfigured open Docker daemon API ports as well as abusing newly disclosed exploits to drop cryptocurrency mining software. The threat actor, in the past, has also been discovered  employing a rootkit  to hide its presence, in addition to terminating and uninstalling competing resource-intensive services and processes. Now according to Microsoft, misconfigurations in  PostgreSQL servers  have been co-opted by the Kinsing actor to gain an initial foothold, with the company...

A group of academics has demonstrated novel attacks that leverage Text-to-SQL models to produce malicious code that could enable adversaries to glean sensitive information and stage denial-of-service (DoS) attacks. "To better interact with users, a wide range of database applications employ AI techniques that can translate human questions into SQL queries (namely  Text-to-SQL ),"  Xutan Peng , a researcher at the University of Sheffield, told The Hacker News. "We found that by asking some specially designed questions, crackers can fool Text-to-SQL models to produce malicious code. As such code is automatically executed on the database, the consequence can be pretty severe (e.g., data breaches and DoS attacks)." The  findings , which were validated against two commercial solutions  BAIDU-UNIT  and  AI2sql , mark the first empirical instance where natural language processing (NLP) models have been exploited as an attack vector in the wild. The black box ...

Earlier this year, threat actors infiltrated  Mailchimp , the popular SaaS email marketing platform. They viewed over 300 Mailchimp customer accounts and exported audience data from 102 of them. The breach was preceded by a successful phishing attempt and led to malicious attacks against Mailchimp's customers' end users. Three months later, Mailchimp was hit with  another attack . Once again, an employee's account was breached following a successful phishing attempt. While the identity of the Mailchimp accounts that had been compromised wasn't released, it's easy to see how user permission settings could have played a role in the attack. Once threat detectors breached the system, they had the access needed to utilize an internal tool that enabled them to find the data they were looking for. The attack ended when security teams were able to terminate user access, although data which had already been downloaded remained in the threat actor's hands. Introducing user permissio...

Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners. The  security vulnerabilities  were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon. The flaws run a wide gamut, ranging from those that give access to internal company systems and user information to weaknesses that would allow an attacker to remotely send commands to achieve code execution. The research builds on earlier findings from late last year, when Yuga Labs researcher Sam Curry et al  detailed  security flaws in a connected vehicle service provided by SiriusXM that could potentially put cars at risk of remote attacks. The most serious of the issues, which concern Spireon's telematics solution, could have...

In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The now-removed packages, which were  discovered  by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The malicious code, as is  increasingly the case , is concealed in the setup script (setup.py) of these libraries, meaning running a "pip install" command is enough to activate the malware deployment process. The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code. "These libraries allow one to control and monitor mouse and keyboard input and capture screen contents," Phylum said in a technical report published...