The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

An updated version of a sophisticated backdoor framework called  MATA  has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023. "The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser," Kaspersky  said  in a new exhaustive report published this week. "Each phishing document contains an external link to fetch a remote page containing a  CVE-2021-26411  exploit." CVE-2021-26411 (CVSS score: 8.8) refers to a  memory corruption vulnerability  in Internet Explorer that could be triggered to execute arbitrary code by tricking a victim into visiting a specially crafted site. It was previously exploited by the Lazarus Group in early 2021 to target security researchers. The cr...

The time between a vulnerability being discovered and hackers exploiting it is narrower than ever –  just 12 days . So it makes sense that organizations are starting to recognize the importance of not leaving long gaps between their scans, and the term "continuous vulnerability scanning" is becoming more popular. Hackers won't wait for your next scan One-off scans can be a simple 'one-and-done' scan to prove your security posture to customers, auditors or investors, but more commonly they refer to periodic scans kicked off at semi-regular intervals – the industry standard has traditionally been quarterly. These periodic scans give you a point-in-time snapshot of your vulnerability status – from SQL injections and XSS to misconfigurations and weak passwords. Great for compliance if they only ask for a quarterly vulnerability scan, but not so good for ongoing oversight of your security posture, or a robust attack surface management program. With a fresh CVE created ever...

Google has announced an update to its Play Protect with support for real-time scanning at the code level to tackle novel malicious apps prior to downloading and installing them on Android devices. "Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats," the tech giant  said . Google Play Protect is a  built-in, free threat detection service  that scans Android devices for any potentially harmful apps downloaded from the Play Store as well as other external sources. In extreme cases, an app may be blocked from being installed. The check expands on previous existing protections that alerted users when it identified an app known to be malicious from existing scanning intelligence or was identified as suspicious from heuristics gathered via on-device machine learning. With the latest safeguards, important signals from the app are extracted and sent to the Play Protect backend ...

The Iran-linked  OilRig threat actor  targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign. The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom,  said  in a report shared with The Hacker News. The cybersecurity firm is tracking the activity under the name  Crambus , noting that the adversary used the implant to "monitor incoming mails sent from an Exchange Server in  order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers." Malicious activity is said to have been detected on no less than 12 computers, with backdoors and keyloggers installed on a dozen other machines, indicating a broad compromise of the target. The use of PowerExchange was  first highlighted  by For...

North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of  CVE-2023-42793  (CVSS score: 9.8), have been  attributed  to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It's worth noting that both the threat activity clusters are part of the infamous North Korean nation-state actor known as  Lazarus Group . In one of the two attack paths employed by Diamond Sleet, a successful compromise of TeamCity servers is followed by the deployment of a known implant called  ForestTiger  from legitimate infrastructure previously compromised by the threat actor. A second variant of the attacks leverages the initial foothold to retrieve a malicious DLL (DSROLE.dll aka RollSling or Version.dll or FeedLoad) that's loaded by means of a technique referred to as DLL searc...

A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is  CVE-2023-38831  (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively exploited since at least April 2023. Google Threat Analysis Group (TAG), which  detected  the activities in recent weeks, attributed them to three different clusters it tracks under the geological monikers  FROZENBARENTS  (aka Sandworm),  FROZENLAKE  (aka APT28), and  ISLANDDREAMS  (aka APT40). The phishing attack linked to Sandworm impersonated a Ukrainian drone warfare training school in early September and distributed a malicious ZIP file exploiting CVE-2023-38831 to deliver Rhadamanthys, a commodity stealer malware which is offered for s...

The North Korea-linked  Lazarus Group  (aka Hidden Cobra or TEMP.Hermit) has been observed using trojanized versions of Virtual Network Computing (VNC) apps as lures to target the defense industry and nuclear engineers as part of a long-running campaign known as  Operation Dream Job . "The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews," Kaspersky  said  in its APT trends report for Q3 2023. "To avoid detection by behavior-based security solutions, this backdoored application operates discreetly, only activating when the user selects a server from the drop-down menu of the trojanized VNC client." Once launched by the victim, the counterfeit app is designed to retrieve additional payloads, including a known Lazarus Group malware dubbed  LPEClient , which comes fitted with capabilities to profile compromised hosts. Also deployed by the adversary is an updated version of  COPPERHEDGE , a backdoor ...