The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers on Monday disclosed a new malspam campaign distributing a fresh variant of a malware loader called "Buer" written in Rust, illustrating how adversaries are constantly honing their malware toolsets to evade analysis. Dubbed "RustyBuer," the malware is propagated via emails masquerading as shipping notices from DHL Support, and is said to have affected no fewer than 200 organizations across more than 50 verticals since early April. "The new Buer variant is written in Rust, an efficient and easy-to-use programming language that is becoming increasingly popular," Proofpoint researchers  said  in a report shared with The Hacker News. "Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities." First introduced in August of 2019,  Buer  is a modular malware-as-a-service offering that's sold on underground forums and used as a first-stage downloader to deliver additiona...

Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis. "Iran's Islamic Revolutionary Guard Corps ( IRGC ) was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard' (ENP)," cybersecurity firm Flashpoint  said  in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel. Dubbed "Project Signal," the initiative is said to have kickstarted sometime between late July 2020 and early September 2020, with ENP's internal research organization, named the "Studies Center," putting together a list of unspecified target websites. A second spreadsheet validated by Flashpoint explicitly spelled out the project's financial motivations, with plans to launch the ransomware operations in late...

A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces. The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous "Royal Road" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed " PortDoor ," according to Cybereason's Nocturnus threat intelligence team. "Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more," the researchers  said  in a write-up on Friday. Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting fo...

An "aggressive" financially motivated threat group tapped into a zero-day flaw in SonicWall VPN appliances prior to it being patched by the company to deploy a new strain of ransomware called FIVEHANDS. The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw in the SSL-VPN SMA100 product ( CVE-2021-20016 , CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution. "UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers  said . "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics." CVE-2021-20016 is the same  zero-day  that the ...

Microsoft researchers on Thursday disclosed two dozen vulnerabilities affecting a wide range of Internet of Things (IoT) and Operational Technology (OT) devices used in industrial, medical, and enterprise networks that could be abused by adversaries to execute arbitrary code and even cause critical systems to crash. "These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems,"  said  Microsoft's 'Section 52' Azure Defender for IoT research group. The flaws have been collectively named " BadAlloc ," for they are rooted in standard  memory allocation functions  spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. A lack of proper input validations associated with these memory allocation functions ...

Perhaps due to the nature of the position, the InfoSec leadership roles tend to be solitary ones. CISOs, or their equivalent decision-makers in organizations without the role, have so many constant drains on their attention – keeping their knowledge fresh, building plans to secure their organizations further – that they often find themselves on an island. It's even more challenging for organizations outside the Fortune 2000 that are resource-constrained. Security leaders are expected to know everything and often don't have anyone inside their organization with whom to bounce ideas or even go to for advice. When a crisis arises, they must often go with their gut or guess at the best solution based on their own experiences. Security leaders could often use advice but don't have an outlet for it. Chris Roberts, Chief Security Strategist at Cynet Security, offers a new Slack-based community for InfoSec leaders ( register here ) as a solution. The new InfoSec Leaders Community will fea...

Click Studios, the Australian software firm which confirmed a  supply chain attack  affecting its Passwordstate password management application, has warned customers of an ongoing phishing attack by an unknown threat actor. "We have been advised a bad actor has commenced a phishing attack with a small number of customers having received emails requesting urgent action," the company  said  in an updated advisory released on Wednesday. "These emails are not sent by Click Studios." Last week, Click Studios said attackers had employed sophisticated techniques to compromise Passwordstate's update mechanism, using it to drop malware on user computers. Only customers who performed In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC are said to be affected. While Passwordstate serves about 29,000 customers, the Adelaide-based firm maintained that the total number of impacted customers is very low. It's also urging users to refrain from po...

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "backdoor every PHP package," resulting in a supply-chain attack. Tracked as CVE-2021-29472, the security issue was discovered and reported on April 22 by researchers from  SonarSource , following which a hotfix was deployed less than 12 hours later. "Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer  said  its  release notes  for versions 2.0.13 and 1.10.22 published on Wednesday. "To the best of our knowledge the vulnerability has not been exploited." Composer  is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project. It also allows users to install PHP applications that are available on  Packagist , a repository that aggregates all publ...

An adversary known for its  watering hole attacks  against government entities has been linked to a slew of newly detected intrusions targeting various organizations in Central Asia and the Middle East. The malicious activity, collectively named "EmissarySoldier," has been attributed to a threat actor called LuckyMouse, and is said to have happened in 2020 with the goal of obtaining geopolitical insights in the region. The attacks involved deploying a toolkit dubbed SysUpdate (aka Soldier) in a number of breached organizations, including government and diplomatic agencies, telecom providers, a TV media company, and a commercial bank. LuckyMouse , also referred to as APT27 and Emissary Panda, is a sophisticated cyberespionage group that has a history of breaching multiple government networks in Central Asia and the Middle East. The actor has also been linked to cyberattacks aimed at transnational organizations such as the International Civil Aviation Organization ( ICAO )...