The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Microsoft on Monday said it's taking steps to disable Visual Basic for Applications (VBA) macros by default across its products, including Word, Excel, PowerPoint, Access, and Visio, for documents downloaded from the web in an attempt to eliminate an entire class of attack vector. "Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access," Kellie Eickmeyer  said  in a post announcing the move. While the company does warn users about permitting macros in Office files, unsuspecting victims — e.g., recipients of phishing emails — can still be lured into enabling the feature, effectively granting the attackers the ability to gain an initial foothold into the system. As part of the new change, when a user opens an attachment or downloads from the internet an untrusted Office file containing macros, the app displays a ...

Microsoft last week announced that it's temporarily disabling the MSIX ms-appinstaller protocol handler in Windows following evidence that a security vulnerability in the installer component was exploited by threat actors to deliver malware such as Emotet, TrickBot, and Bazaloader. MSIX , based on a combination of .msi, .appx, App-V and ClickOnce installation technologies, is a universal Windows app package format that allows developers to distribute their applications for the desktop operating system and  other platforms . ms-appinstaller, specifically, is designed to help users  install a Windows app  by simply clicking a link on a website. But a spoofing vulnerability uncovered in Windows App Installer ( CVE-2021-43890 , CVSS score: 7.1) meant that it could be tricked into installing a rogue app that was never intended to be installed by the user via a malicious attachment used in phishing campaigns. Although Microsoft released initial patches to address this fla...

A politically motivated advanced persistent threat (APT) group has expanded its malware arsenal to include a new remote access trojan (RAT) in its espionage attacks aimed at Indian military and diplomatic entities. Called  CapraRAT  by Trend Micro, the implant is an Android RAT that exhibits a high "degree of crossover" with another Windows malware known as CrimsonRAT that's associated with Earth Karkaddan, a threat actor that's also tracked under the monikers APT36, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe. The first concrete signs of APT36's existence  appeared  in  2016  as the group began distributing information-stealing malware through phishing emails with malicious PDF attachments targeting Indian military and government personnel. The group is believed to be of  Pakistani origin  and operational since at least 2013. The threat actor is also known to be consistent in its modus operandi, with the attacks predom...

Systems hosting content pertaining to the National Games of China were successfully breached last year by an unnamed Chinese-language-speaking hacking group. Cybersecurity firm Avast, which  dissected  the intrusion, said that the attackers gained access to a web server 12 days prior to the start of the event on September 3 to drop multiple reverse web shells for remote access and achieve permanent foothold in the network. The  National Games of China , a multi-sport event held every four years, took place in the Shaanxi Province between September 15 and 27, 2021. The Czech company said it was unable to determine the nature of the information stolen by the hackers, adding it has "reason to believe [the attackers] are either native Chinese-language speakers or show high fluency in Chinese." The breach is said to have been resolved ahead of the start of the games. The initial access was facilitated by exploiting a vulnerability in the webserver. But before dropping th...

Today's enterprise networks are complex environments with different types of wired and wireless devices being connected and disconnected. The current device discovery solutions have been mainly focused on identifying and monitoring servers, workstation PCs, laptops and infrastructure devices such as network firewalls, switches and routers, because the most valuable information assets of organizations are being stored, processed and transferred over those devices, hence making them the prime target of security breaches and intrusions. However, a new trend has been emerging in the past four years,  where attackers have been targeting purpose-built connected devices  such as network printers and video conferencing systems as an entry point and data exfiltration route. These devices cannot be identified properly by the current IT asset discovery solutions for the following main reasons: Proprietary protocols are often used for managing and monitoring such devices that are not...

A Chinese advanced persistent threat (APT) group has been targeting Taiwanese financial institutions as part of a "persistent campaign" that lasted for at least 18 months. The intrusions, whose primary intent was espionage, resulted in the deployment of a backdoor called xPack , granting the adversary extensive control over compromised machines, Broadcom-owned Symantec said in a  report  published last week. What's notable about this campaign is the amount of time the threat actor lurked on victim networks, affording the operators ample opportunity for detailed reconnaissance and exfiltrate potentially sensitive information pertaining to business contacts and investments without raising any red flags. In one of the unnamed financial organizations, the attackers spent close to 250 days between December 2020 and August 2021, while a manufacturing entity had its network under their watch for roughly 175 days. Although the initial access vector used to the breach the ta...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to secure their systems against an actively exploited security vulnerability in Windows that could be abused to gain elevated permissions on affected hosts. To that end, the agency has added  CVE-2022-21882  (CVSS score: 7.0) to the  Known Exploited Vulnerabilities Catalog , necessitating that Federal Civilian Executive Branch (FCEB) agencies patch all systems against this vulnerability by February 18, 2022. "These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise," CISA  said  in an advisory published last week. CVE-2022-21882 , which has been tagged with an "Exploitation More Likely" exploitability index assessment, concerns a case of elevation of privilege vulnerability affecting the Win32k component. The bug was addressed by Microsoft as part of its January 2022 ...

Users of the Argo continuous deployment (CD) tool for Kubernetes are being urged to push through updates after a zero-day vulnerability was found that could allow an attacker to extract sensitive information such as passwords and API keys. The flaw, tagged as  CVE-2022-24348  (CVSS score: 7.7), affects all versions and has been addressed in versions 2.3.0, 2.2.4, and 2.1.9. Cloud security firm Apiiro has been credited with discovering and reporting the bug on January 30, 2022s. Continuous deployment, also called continuous delivery, refers to a process that automatically deploys all code changes to the testing and/or production environment after they are tested and merged to a shared repository. Argo CD is officially used by  191 organizations , including Alibaba Group, BMW Group, Deloitte, Gojek, IBM, Intuit, LexisNexis, Red Hat, Skyscanner, Swisscom, and Ticketmaster. The path-traversal vulnerability "allows malicious actors to load a Kubernetes  Helm Chart Y...