The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

In what's a novel supply chain attack, a security researcher managed to breach over 35 major companies' internal systems, including that of Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, and achieve remote code execution. The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software may include components from a mix of private and public sources. These external package dependencies, which are fetched from public repositories during a build process, can pose an attack opportunity when an adversary uploads a higher version of a private module to the public feed, causing a client to automatically download the bogus "latest" version without requiring any action from the developer. "From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting val...

A previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker's espionage motives. "The developers of  LodaRAT  have added Android as a targeted platform," Cisco Talos researchers  said  in a Tuesday analysis. "A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities." Kasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the researchers noted. The reason why Bangladesh-based organizations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor. First documented in May 2017 by  Proofpoint , Loda is an AutoIt malware typically delivered via phishing lures that's equipped to run a wide range of commands designed to record audio, video, and capture oth...

Apple has rolled out a fix for a critical sudo vulnerability in macOS Big Sur, Catalina, and Mojave that could allow unauthenticated local users to gain root-level privileges on the system. "A local attacker may be able to elevate their privileges," Apple  said  in a security advisory. "This issue was addressed by updating to sudo version 1.9.5p2." Sudo is a common utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user. Tracked as CVE-2021-3156 (also called " Baron Samedit "), the vulnerability first came to light last month after security auditing firm Qualys  disclosed  the existence of a heap-based buffer overflow, which it said had been "hiding in plain sight" for almost 10 years. The vulnerability, which was introduced in the code back in July 2011, impacts sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0...

Microsoft on Tuesday  issued fixes for 56 flaws , including a critical vulnerability that's known to be actively exploited in the wild. In all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity — six of which are previously disclosed vulnerabilities. The updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and other core components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC). A Windows Win32k Privilege Escalation Vulnerability The most critical of the flaws is a Windows Win32k privilege escalation vulnerability (CVE-2021-1732, CVSS score 7.8) that allows attackers with access to a target system to run malicious code with elevated permissions. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for discovering and re...

Law enforcement officials in Ukraine, in coordination with authorities from the U.S. and Australia, last week shut down one of the world's largest phishing services that were used to attack financial institutions in 11 countries, causing tens of millions of dollars in losses. The Ukrainian attorney general's office  said  it worked with the National Police and its Main Investigation Department to identify a 39-year-old man from the Ternopil region who developed a phishing package and a special administrative panel for the service, which were then aimed at several banks located in Australia, Spain, the U.S., Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany, and the U.K. Computer equipment, mobile phones, and hard drives were seized as part of five authorized searches conducted during the course of the operation. Security researcher Brian Krebs  noted  the raids were in connection with  U-Admin , a phishing framework that makes use of fake ...

Hackers successfully infiltrated the computer system controlling a water treatment facility in the U.S. state of Florida and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water. During a press conference held yesterday, Pinellas County Sheriff Bob Gualtieri said an operator managed to catch the manipulation in real-time and restored the concentration levels to undo the damage. "At no time was there a significant effect on the water being treated, and more importantly the public was never in danger," Sheriff Gualtieri  said  in a statement. The water treatment facility, which is located in the city of Oldsmar and serves about 15,000 residents, is said to have been breached for approximately 3 to 5 minutes by unknown suspects on February 5, with the remote access occurring twice at 8:00 a.m. and 1:30 p.m. The attacker briefly increased the amount of sodium hydroxide from 100 parts-per-million to 11,100 parts-per-million u...

Twin cyber operations conducted by state-sponsored Iranian threat actors demonstrate their continued focus on compiling detailed dossiers on Iranian citizens that could threaten the stability of the Islamic Republic, including dissidents, opposition forces, and ISIS supporters, and Kurdish natives. Tracing the extensive espionage operations to two advanced Iranian cyber-groups  Domestic Kitten  (or APT-C-50) and  Infy , cybersecurity firm Check Point revealed new and recent evidence of their ongoing activities that involve the use of a revamped malware toolset as well as tricking unwitting users into downloading malicious software under the guise of popular apps. "Both groups have conducted long-running cyberattacks and intrusive surveillance campaigns which target both individuals' mobile devices and personal computers," Check Point researchers said in a new analysis. "The operators of these campaigns are clearly active, responsive and constantly seeking new att...

While Gartner does not have a dedicated Magic Quadrant for Bug Bounties or Crowd Security Testing yet, Gartner Peer Insights already lists 24 vendors in the "Application Crowdtesting Services" category. We have compiled the top 5 most promising bug bounty platforms for those of you who are looking to enhance your existing software testing arsenal with knowledge and expertise from international security researchers:  1. HackerOne Being a unicorn backed by numerous reputable venture capitalists,  HackerOne  is probably the most well-known and recognized Bug Bounty brand in the world. According to their most recent annual report, over 1,700 companies trust the HackerOne platform to augment their in-house application security testing capacities. The report likewise says that their security researchers earned approximately $40 million in bounties in 2019 alone and $82 million cumulatively. HackerOne is also famous for hosting US government Bug Bounty programs, including ...