The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws

Jan 02, 2023 Web Security / Linux
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result, when users click on any area of an attacked page, they are redirected to other sites." The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network. It's also capable of injecting JavaScript code retrieved from a remote server in order to redirect the site visitors to an arbitrary website of the attacker's choice. Doctor Web said it identified a second version of the backdoor...
Google to Pay $29.5 Million to Settle Lawsuits Over User Location Tracking

Jan 02, 2023 Privacy / Location Tracking
Google has agreed to pay a total of $29.5 million to settle two different lawsuits brought by Indiana and Washington, D.C., over its "deceptive" location tracking practices. The search and advertising giant is required to pay $9.5 million to D.C. and $20 million to Indiana after the states sued the company for charges that the company tracked users' locations without their express consent. The settlement adds to the $391.5 million Google agreed to pay to 40 states over similar allegations two months ago. The company is still facing two more location-tracking lawsuits in Texas and Washington. The lawsuits came in response to revelations in 2018 that the internet company continued to track users' whereabouts on Android and iOS through a setting called Web & App Activity despite turning Location History options off. Google was also accused of employing dark patterns, which refer to design choice...
Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers

Dec 30, 2022 Bug Bounty / Privacy
A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices. The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt Kunze, disclosed in a technical write-up published this week. Such malicious requests could not only expose the Wi-Fi password but also give the adversary direct access to other devices connected to the same network. Following responsible disclosure on January 8, 2021, the issues were remediated by Google in April 2021. The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google us...
CISA Warns of Active Exploitation of JasperReports Vulnerabilities

Dec 30, 2022 Patch Management
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws, both several years old, impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively. TIBCO JasperReports is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards. The first of the two issues, CVE-2018-5430, relates to an information disclosure bug in the server component that could enable an authenticated user to gain read-only access to arbitrary files, including key configurations. "The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server,"...
Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities

Dec 29, 2022 Server Security / Citrix
Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8 and December 13, 2022, respectively. While CVE-2022-27510 relates to an authentication bypass that could be exploited to gain unauthorized access to Gateway user capabilities, CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems. Citrix and the U.S. National Security Agency (NSA), earlier this month, warned that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group. Now, according to a new analysis from NCC Group's Fox-IT research team, thousands of internet-facing Citri...
New Malvertising Campaign via Google Ads Targets Users Searching for Popular Software

Dec 29, 2022 Online Security / Malvertising
Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar. The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords. The ultimate objective of such attacks is to trick unsuspecting users into downloading malevolent programs or potentially unwanted applications. In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which, when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive. "The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the serve...
BitKeep Confirms Cyber Attack, Loses Over $9 Million in Digital Currencies

Dec 28, 2022 Blockchain / Android Malware
Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyber attack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies. "With maliciously implanted code, the altered APK led to the leak of user's private keys and enabled the hacker to move funds," BitKeep CEO Kevin Como said, describing it as a "large-scale hacking incident." According to blockchain security company PeckShield and multi-chain blockchain explorer OKLink, an estimated $9.9 million worth of assets have been plundered so far. "Funds stolen are on BNB Chain, Ethereum, TRON and Polygon," BitKeep further noted in a series of tweets. "More than 200 addresses on the other three chains were used in the heist, and all funds were transferred to two main addresses in the end." The incident is said to have taken place on December 26, 2022, with the threat actor exploiting ...
APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector

Dec 28, 2022 Malware / Windows Security
Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months. Now, according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector. Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained a widely used entry point for criminal groups looking to execute malicious code. These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background. To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector. While this ...
BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

Dec 27, 2022 Cyber Attack / Windows Security
BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections. This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today. "BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022. Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region. It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by ...