The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

An investigation undertaken in the aftermath of the  Oldsmar water plant hack  earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what's known as a watering hole attack. "This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event," Dragos researcher Kent Backman  said  in a write-up published on Tuesday. The site, which belongs to a Florida-based general contractor involved in building water and wastewater treatment facilities, had no bearing on the intrusion, the American industrial cybersecurity firm said. Watering hole attacks typically allow an adversary to compromise a specific group of end-users by compromising a carefully selected website, which members of that group are known to visit, with an intention to gain access to the victim's system a...

Google on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days. "There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," the search giant  said  in an updated alert. The four flaws impact  Qualcomm Graphics  and  Arm Mali GPU Driver  modules — CVE-2021-1905  (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component due to improper handling of memory mapping of multiple processes simultaneously. CVE-2021-1906  (CVSS score: 6.2) - A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure. CVE-2021-28663  (CVSS score: NA) - A vulnerability in Arm Mali GPU kernel that could permit a non-privileged user to make improper ope...

DarkSide, the hacker group behind the  Colonial Pipeline ransomware attack  earlier this month, received $90 million in bitcoin payments following a nine-month ransomware spree, making it one of the most profitable cybercrime groups. "In total, just over $90 million in bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets," blockchain analytics firm Elliptic  said . "According to  DarkTracer , 99 organisations have been infected with the DarkSide malware - suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million." Of the total $90 million haul, the DarkSide's developer is said to have received $15.5 million in bitcoins, while the remaining $74.7 million was split among its various affiliates. FireEye's research into DarkSide's affiliate program had  previously revealed  that its creators take a 25% cut for payments under $500,000 and 10% for ransoms above $5 million, with t...

Mozilla has begun rolling out a new security feature for its Firefox browser in nightly and beta channels that aims to protect users against a new class of side-channel attacks from malicious sites. Called "Site Isolation," the implementation loads each website separately in its own operating system process and, as a result, prevents untrusted code from a rogue website from accessing confidential information stored in other sites. "This fundamental redesign of Firefox's Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop," Mozilla  said  in a statement. "Isolating each site into a separate operating system process makes it even harder for malicious sites to read another site's secret or private data." The motivation for Site Isolation can be traced all the way back to January 2018 when  Spectre and Meltdown vulnerabilities  were publicly dis...

Google on Tuesday  announced  a new feature to its password manager that could be used to change a stolen password automatically with a single tap. Automated password changes build on the tool's ability to  check the safety  of saved passwords. Thus when Chrome finds a password that may have been compromised as part of a data breach, it will prompt users with an alert containing a "Change Password" button, tapping which "Chrome will not only navigate to the site, but also go through the entire process of changing your password." Enabling this in the background is Google's  Duplex  technology, which it debuted in 2018 and expanded in 2019 to support various functions in Google Assistant like booking a rental car, ordering food, and buying movie tickets. The search giant, however, noted that users could take over control at any point during the process and change the password manually. The feature is currently being rolled out in Chrome for Android to a...

In July 2018, when Guizhou-Cloud Big Data (GCBD)  agreed to a deal  with state-owned telco China Telecom to move iCloud data belonging to Apple's China-based users to the latter's servers, the shift raised concerns that it could make user data vulnerable to state surveillance. Now, according to a  deep-dive report  from The New York Times, Apple's privacy and security concessions have "made it nearly impossible for the company to stop the Chinese government from gaining access to the emails, photos, documents, contacts and locations of millions of Chinese residents." The revelations stand in stark contrast to Apple's commitment to privacy, while also highlighting a pattern of  conceding  to the  demands  of the Chinese government in order to continue its operations in the country. Apple, in 2018, announced iCloud data of users in mainland China would move to a new data center in Guizhou province as part of a partnership with GCBD. The transit...

Leaders in the InfoSec field face a strange dilemma. On the one hand, there are hundreds of thousands of resources available to find online to read (or watch) if they have questions – that's a benefit of a digital-first field. On the other hand, most leaders face challenges that – while not entirely unique each time – tend to require a specific touch or solution. For most, it would be great to have a sympathetic ear or a fresh perspective that has faced similar challenges. Where does the tip of the spear turn to for a helping hand? One popular avenue is to turn to a virtual CISO (or vCISO), an external consultant who can offer strategic advice, suggestions and help find insights that can be instrumental in building better security systems. For many organizations, having the benefits of a CISO, even on a temporary basis, can be incredibly helpful and valuable. With that in mind, Chris Roberts, Cynet's chief security strategist, is offering a new program ( you can learn more...

A total of 158 privacy and security issues have been identified in 58 Android stalkware apps from various vendors that could enable a malicious actor to take control of a victim's device, hijack a stalker's account, intercept data, achieve remote code execution, and even frame the victim by uploading fabricated evidence. The new findings, which come from an analysis of 86 stalkerware apps for the Android platform undertaken by Slovak cybersecurity firm ESET, highlight the unintended consequences of a practice that's not only unethical but in the process could also expose private and intimate information of the victims and leave them at risk of cyberattacks and fraud. "Since there could be a close relationship between stalker and victim, the stalker's private information could also be exposed," ESET researcher Lukas Stefanko  said  in a Monday write-up. "During our research, we identified that some stalkerware keeps information about the stalkers using ...

A financially motivated cybercrime gang has unleashed a previously undocumented banking trojan, which can steal credentials from customers of 70 banks located in various European and South American countries. Dubbed " Bizarro " by Kaspersky researchers, the Windows malware is "using affiliates or recruiting money mules to operationalize their attacks, cashing out or simply to helping [sic] with transfers." The campaign consists of multiple moving parts, chief among them being the ability to trick users into entering two-factor authentication codes in fake pop-up windows that are then sent to the attackers, as well as its reliance on social engineering lures to convince visitors of banking websites into downloading a malicious smartphone app. Bizarro, which uses compromised WordPress, Amazon, and Azure servers to host the malware, is distributed via MSI packages downloaded by victims from sketchy links in spam emails. Launching the package downloads a ZIP archiv...