The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A newly discovered evasive malware leverages the Secure Shell ( SSH ) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks. Dubbed  KmsdBot  by the Akamai Security Intelligence Response Team (SIRT), the Golang-based malware has been found targeting a variety of companies ranging from gaming to luxury car brands to security firms. "The botnet infects systems via an SSH connection that uses weak login credentials," Akamai researcher Larry W. Cashdollar  said . "The malware does not stay persistent on the infected system as a way of evading detection." The malware gets its name from an executable named "kmsd.exe" that's downloaded from a remote server following a successful compromise. It's also designed to support multiple architectures, such as Winx86, Arm64, mips64, and x86_64. KmsdBot comes with capabilities to perform scanning operatio...

A recently discovered cyber espionage group dubbed  Worok  has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft. "What is noteworthy is data collection from victims' machines using Dropbox repository, as well as attackers using Dropbox API for communication with the final stage," the company  said . The development comes a little over two months after ESET disclosed details of attacks carried out by  Worok  against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as  TA428 . The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown Pow...

Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts. This encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artifact dubbed  MOONSHINE  by researchers from the University of Toronto's Citizen Lab in September 2019. "Mobile surveillance tools like BadBazaar and MOONSHINE can be used to track many of the 'pre-criminal' activities, actions considered indicative of religious extremism or separatism by the authorities in Xinjiang," Lookout  said  in a detailed write-up of the operations. The BadBazaar campaign, according to the security firm, is said to date as far back as late 2018 and comprise 111 unique apps that masquerade as benign video players, messengers, religious apps, and even TikTok. While these samples were distributed through Uyghur-language ...

Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi  said  in an analysis published Thursday. "It is also capable of intercepting users' SMS messages and notifications, enabling it to steal one-time passwords and multi-factor authentication requests." The cybersecurity firm said it also found an expense tracker app that exhibited similar behavior, but noted that it couldn't extract the URL used to fetch the malware artifact. The two malicious apps are as follows - Todo: Day manager (com.todo.daymanager) 経費キーパー (com.setprice.expenses) Both the apps function as a dropper, meaning the apps themselves are harmless and are a conduit to retrieve t...

When you are trying to get another layer of cyber protection that would not require a lot of resources, you are most likely choosing between a VPN service & a DNS Security solution. Let's discuss both.  VPN Explained VPN stands for Virtual Private Networks and basically hides your IP and provides an encrypted server by redirecting your traffic via a server run by a VPN host. It establishes a protected connection in public networks. It does protect your actions from being seen by your ISP and potential hackers, however, it does not provide full protection and can still let intrusions happen.  Worth noting, VPN does gain access to restricted resources in your region, but bear in mind, it might be collecting your personal data. This problem relates mostly to free and cheap VPN services. In addition to that, VPNs, depending on their type, can proxy requests or not. Most of the free ones do not even encrypt your data. According to Cybernews, last year 20 million emails and...

Multiple high-severity flaws have been uncovered in the open source OpenLiteSpeed Web Server as well as its enterprise variant that could be weaponized to achieve remote code execution. "By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution," Palo Alto Networks Unit 42  said  in a Thursday report. OpenLiteSpeed , the open source edition of LiteSpeed Web Server, is the sixth most popular web server, accounting for 1.9 million unique servers across the world. The first of the three flaws is a directory traversal flaw ( CVE-2022-0072 , CVSS score: 5.8), which could be exploited to access forbidden files in the web root directory. The remaining two vulnerabilities ( CVE-2022-0073  and  CVE-2022-0074 , CVSS scores: 8.8) relate to a case of privilege escalation and command injection, respectively, that could be chained to achieve privileged code execution. "A threat actor who man...

The U.S. Department of Justice (DoJ) has announced charges against a dual Russian and Canadian national for his alleged participation in  LockBit ransomware attacks  across the world. The 33-year-old Ontario resident,  Mikhail Vasiliev , has been taken into custody and is awaiting extradition to the U.S., where is likely to be sentenced for a maximum of five years in prison. Vasiliev has been charged with conspiracy to intentionally damage protected computers and to transmit ransom demands, according to a  criminal complaint  filed in the District of New Jersey. A search of the defendant's home in August and October 2022 by Canadian law enforcement unearthed a file stored on a device containing what's suspected to be a list of "prospective or historical" victims as well as screenshots of communications exchanged with "LockBitSupp" on the Tox messaging platform. Also found were a text file with instructions to deploy LockBit ransomware, the malware'...

It's no secret that antivirus software is as essential to your computer as a power cord. However, the threats don't stop at your devices. For example, criminals trying to steal your data can attack your Wi-Fi router, and phishing attempts can target your email.  ESET's latest consumer product release takes a comprehensive approach to security to guard against a full range of threats. All are built with ESET's signature light footprint for gaming, browsing, shopping and socializing with no interruptions or slowdowns. Introducing enhanced security for Windows, Mac and Android For more than 30 years, ESET® has created industry-leading IT security software and services, protecting businesses worldwide from ever-evolving digital threats.  ESET's solutions for consumers use the same advanced technologies. By protecting your digital life, ESET delivers real-world protection against criminals trying to steal your identity, hack your bank account or lock down your com...

Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored  Sandworm group . The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called  Prestige  and is said to have taken place within an hour of each other across all victims. The Microsoft Threat Intelligence Center (MSTIC) is now tracking the threat actor under its element-themed moniker Iridium (née DEV-0960), a Russia-based group that's publicly tracked by the name Sandworm (aka Iron Viking, TeleBots, and Voodoo Bear). "This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity," MSTIC  said  in an update. The company also further assessed the group to have orchestrated comp...