The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A mix of banking applications, cryptocurrency wallets, and shopping apps from the U.S. and Spain are the target of a newly discovered Android trojan that could enable attackers to siphon personally identifiable information from infected devices, including banking credentials and open the door for on-device fraud. Dubbed S.O.V.A. (referring to the Russian word for owl), the current version of the banking malware comes with myriad features to steal credentials and session cookies through web overlay attacks, log keystrokes, hide notifications, and manipulate the clipboard to insert modified cryptocurrency wallet addresses, with future plans to incorporate  on-device fraud through VNC , carry out DDoS attacks, deploy ransomware, and even intercept two-factor authentication codes. The malware was discovered in the beginning of August 2021 by researchers from Amsterdam-based cybersecurity firm ThreatFabric. Overlay attacks typically involve the theft of confidential user informatio...

A previously undocumented backdoor that was recently found targeting an unnamed computer retail company based in the U.S. has been linked to a longstanding Chinese espionage operation dubbed Grayfly. In late August, Slovakian cybersecurity firm ESET  disclosed  details of an implant called SideWalk, which is designed to load arbitrary plugins sent from an attacker-controlled server, gather information about running processes in the compromised systems, and transmit the results back to the remote server. The cybersecurity firm attributed the intrusion to a group it tracks as SparklingGoblin, an adversary believed to be connected to the Winnti (aka APT41) malware family. But latest research published by researchers from Broadcom's Symantec has pinned the SideWalk backdoor on the China-linked espionage group, pointing out the malware's overlaps with the older Crosswalk malware, with the latest Grayfly hacking activities singling out a number of organizations in Mexico, Taiwa...

Microsoft on Wednesday said it remediated a vulnerability in its Azure Container Instances ( ACI ) services that could have been weaponized by a malicious actor "to access other customers' information" in what the researchers described as the "first cross-account container takeover in the public cloud." An attacker exploiting the weakness could execute malicious commands on other users' containers, steal customer secrets and images deployed to the platform. The Windows maker did not share any additional specifics related to the flaw, save that  affected customers  "revoke any privileged credentials that were deployed to the platform before August 31, 2021." Azure Container Instances is a managed service that allows users to run Docker  containers  directly in a serverless cloud environment, without requiring the use of virtual machines, clusters, or orchestrators. Palo Alto Networks' Unit 42 threat intelligence team dubbed the vulnerabilit...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn't just about poor hygiene; it's a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it's essential. Below, we look at the ris...

The operators behind the REvil ransomware-as-a-service (RaaS)  staged  a surprise return after a two-month hiatus following the widely publicized attack on technology services provider Kaseya on July 4. Two of the dark web portals, including the gang's Happy Blog data leak site and its payment/negotiation site, have resurfaced online, with the most recent victim added on July 8, five days before the sites  mysteriously went off the grid  on July 13. It's not immediately clear if REvil is back in the game or if they have launched new attacks. "Unfortunately, the Happy Blog is back online," Emsisoft threat researcher Brett Callow  tweeted  on Tuesday. The development comes a little over two months after a  wide-scale supply chain ransomware attack  aimed at Kaseya, which saw the Russia-based cybercrime gang encrypting approximately 60 managed service providers (MSPs) and over 1,500 downstream businesses using a zero-day vulnerability in the Kas...

There are plenty of pop culture references to rogue AI and robots, and appliances turning on their human masters. It is the stuff of science fiction, fun, and fantasy, but with IoT and connected devices becoming more prevalent in our homes, we need more discussion around cybersecurity and safety. Software is all around us, and it's very easy to forget just how much we're relying on lines of code to do all those clever things that provide us so much innovation and convenience. Much like web-based software, APIs, and mobile devices, vulnerable code in embedded systems can be exploited if it is uncovered by an attacker.  While it's unlikely that an army of toasters is coming to enslave the human race (although, the  Tesla bot  is a bit concerning) as the result of a cyberattack, malicious cyber events are still possible. Some of our cars, planes, and medical devices also rely on intricate embedded systems code to perform key tasks, and the prospect of these objects being...

Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. "These credentials were obtained from systems that remained unpatched against  CVE-2018-13379  at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable," the company  said  in a statement on Wednesday. The disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called  RAMP  that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel  noting  that the "breach list contains raw access to the top companies" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. "2,959 out of 22,500 victims are U.S. entities," the researchers said. CVE-2018-13379  relates to a ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild. The flaw, tracked as  CVE-2021-40539 , concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted. ManageEngine ADSelfService Plus is an integrated self-service password management and a single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords. "CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system," CISA  said , urging companies to apply the latest security update to their ManageEngine servers and "ensure ADSelfService Plus is not directl...

The work-from-anywhere economy has opened up the possibility for your human resources team to source the best talent from anywhere. To scale their operations, organizations are leveraging the cloud to accelerate essential HR functions such as recruiting, onboarding, evaluating, and more. SAP is leading this HR transformation with its human capital management (HCM) solution, SAP SuccessFactors. Delivering HR solutions from the cloud enables employees and administrators to not only automate typical tasks, such as providing a report on employee attrition, but also allows them to complete these tasks from anywhere and on any device. SuccessFactors makes it easy for employees to access what they need. But the wide range of sensitive employee data within SuccessFactors creates additional security and compliance challenges. Whether it's personal and financial information used for payroll or health information for benefits, you need the right cybersecurity to ensure that sensitive data,...

A critical security vulnerability has been disclosed in  HAProxy , a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks. Tracked as  CVE-2021-40346 , the Integer Overflow vulnerability has a severity rating of 8.6 on the CVSS scoring system and has been rectified in HAProxy versions 2.0.25, 2.2.17, 2.3.14 and 2.4.4. HTTP Request Smuggling, as the name implies, is a web application attack that tampers the manner a website processes sequences of HTTP requests received from more than one user. Also called HTTP desynchronization, the technique takes advantage of parsing inconsistencies in how front-end servers and back-end servers process requests from the senders. Front-end servers are typically load balancers or reverse proxies that are used by websites to mana...