The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

If you have an online account with Foxit Software, you need to reset your account password immediately—as an unknown attacker has compromised your personal data and log-in credentials. Foxit Software, a company known for its popular lightweight Foxit PDF Reader and PhantomPDF applications being used by over 525 million users, today announced a data breach exposing the personal information of 'My Account' service users. Though for using free versions of any Foxit PDF software doesn't require users to sign up with an account, the membership is mandatory for customers who want to access "software trial downloads, order histories, product registration information, and troubleshooting and support information." According to a blog post published today by Foxit, unknown third-parties gained unauthorized access to its data systems recently and accessed its "My Account" registered users' data, including their email addresses, passwords, users' n...

THIS WEEK IN THE IRONIC NEWS: DDS Safe, an online cloud-based data backup system that hundreds of dental practice offices across the United States are using to safeguard medical records and other information of their patients from ransomware attacks has been hit with ransomware. Provided by two Wisconsin-based companies, Digital Dental Record and PerCSoft, the backend system of affected medical records retention and backup solutions has probably been hit by Sodinokibi ransomware , also known as Sodin or REvil malware. Though it's not yet clear how attackers managed to compromise the company's infrastructure, the latest ransomware attack is yet another example of successful supply chain attack, crippling computer systems in 400 dental practice offices around the United States this week. According to statements released by both companies, the ransomware virus hit a remote data management software on Monday, August 26, that DDS Safe uses to back up its client data and ...

Beware Apple users! Your iPhone can be hacked just by visiting an innocent-looking website, confirms a terrifying report Google researchers released earlier today. The story goes back to a widespread iPhone hacking campaign that cybersecurity researchers from Google's Project Zero discovered earlier this year in the wild, involving at least five unique iPhone exploit chains capable of remotely jailbreaking an iPhone and implanting spyware on it. Those iOS exploit chains were found exploiting a total of 14 separate vulnerabilities in Apple's iOS mobile operating system—of which 7 flaws resided in Safari web browser, 5 in the iOS kernel and 2 separate sandbox escape issues—targeting devices with almost every version in that time-frame from iOS 10 through to the latest version of iOS 12. According to a deep-dive blog post published by Project Zero researcher Ian Beer, only two of the 14 security vulnerabilities were zero-days, CVE-2019-7287 and CVE-2019-7286, and unpat...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

In the wake of data abuse scandals and several instances of malware app being discovered on the Play Store, Google today expanded its bug bounty program to beef up the security of Android apps and Chrome extensions distributed through its platform. The expansion in Google's vulnerability reward program majorly includes two main announcements. First, a new program, dubbed 'Developer Data Protection Reward Program' (DDPRP), wherein Google will reward security researchers and hackers who find "verifiably and unambiguous evidence" of data abuse issues in Android apps, OAuth projects, and Chrome extensions. Second, expanding the scope of its Google Play Security Rewards Program (GPSRP) to include all Android apps from the Google Play Store with over 100 million or more installs, helping affected app developers fix vulnerabilities through responsibly disclosures.' Get Bounty to Find Data-Abusing Android & Chrome Apps The data abuse bug bounty progr...

Former Amazon employee Paige Thompson , who was arrested last month in relation to the Capital One data breach , has been accused of hacking not only the U.S. credit card issuer, but also more than 30 other companies. An indictment unsealed on Wednesday revealed that Thompson not just stole data from misconfigured servers hosted with a cloud-computing company, but also used the computing power of hacked servers to mine for cryptocurrency, a practice commonly known as " Cryptojacking ." Thompson, known online as "erratic," was arrested by the FBI on July 29 concerning a massive breach in Capital One Financial Corp that exposed the personal information of more than 100 million credit card applicants in the United States and 6 million in Canada. The stolen data included approximately 140,000 Social Security numbers and 80,000 bank account numbers linked to United States customers, and 1 million Social Insurance numbers belonged to Canadian citizens, along wit...

Apple today announced some major changes to its controversial 'Siri audio grading program' following criticism for employing humans to listen to audio recordings of users collected via its voice-controlled Siri personal assistant without their knowledge or consent. The move came a month after The Guardian reported that third-party contractors were regularly listening to private conversations of Apple users giving voice commands to Siri in a bid to improve the quality of its product's response. While the data received by the contractors were anonymized and not associated to Apple devices, the private conversations—which also includes private discussions between doctors and patients, business deals, seemingly criminal dealings, people having sex and so on—sometimes reveal identifiable details like a person's name or medical records. In response to the backlash Apple received after the report went public, the company initially responded by temporarily suspending ...

Cybersecurity researchers have discovered over 80 Magecart compromised e-commerce websites that were actively sending credit card information of online shoppers to the attackers-controlled servers. Operating their businesses in the United States, Canada, Europe, Latin America, and Asia, many of these compromised websites are reputable brands in the motorsports industry and high fashion, researchers at Aite Group and Arxan Technologies revealed today in a report shared with The Hacker News. In a world that's growing increasingly digital, Magecart attacks have emerged as a key cybersecurity threat to e-commerce websites. Magecart is an umbrella term given to different cybercriminal groups that are specialized in secretly implanting online credit card skimmers on compromised e-commerce websites with an intent to steal payment card details of their customers. These virtual credit card skimmers, also known as formjacking attack , are basically JavaScript code that hackers ...

The French law enforcement agency, National Gendarmerie, today announced the successful takedown of one of the largest wide-spread RETADUP botnet malware and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers. Earlier this year, security researchers at Avast antivirus firm, who were actively monitoring the activities of RETADUP botnet, discovered a design flaw in the malware's C&C protocol that could have been exploited to remove the malware from victims' computer without executing any extra code. However, to do that, the plan required researchers to have control over the malware's C&C server, which was hosted with a hosting provider located in the Ile-de-France region in north-central France. Therefore, the researchers contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie at the end of March this year, shared their findings, and proposed a secret plan to put an end to the RETADUP vir...

Imperva, one of the leading cybersecurity startups that helps businesses protect critical data and applications from cyberattacks, has suffered a data breach that has exposed sensitive information for some of its customers, the company revealed today. The security breach particularly affects customers of Imperva's Cloud Web Application Firewall (WAF) product, formerly known as Incapsula , a security-focused CDN service known for its DDoS mitigation and web application security features that protect websites from malicious activities. In a blog post published today, Imperva CEO Chris Hylen revealed that the company learned about the incident on August 20, 2019, only after someone informed it about the data exposure that "impacts a subset of customers of its Cloud WAF product who had accounts through September 15, 2017." The exposed data includes email addresses and hashed and salted passwords for all Cloud WAF customers who registered before 15th September 2017...