The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after  three security vulnerabilities  were brought to light in the same product. Firmware security firm Eclypsium  said  the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. The issues, collectively tracked as  BMC&C , could act as a springboard for cyber attacks, enabling threat actors to obtain remote code execution and unauthorized device access with superuser permissions. The two new flaws in question are as follows - CVE-2022-26872  (CVSS score: 8.3) - ​​Password reset interception via API CVE-2022-40258  (CVSS score: 5.3) - Weak password hashes for Redfish and API Specifically, MegaRAC has been found to use the MD5 hashing algorithm with a global salt for older devices, or  SHA-512 with per user salts  on newer appliances, pot...

Do you know where your secrets are? If not, I can tell you: you are not alone. Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, people, and processes: secrets are not visible in 99% of cases. It might sound ridiculous at first: keeping secrets is an obvious first thought when thinking about security in the development lifecycle. Whether in the cloud or on-premise, you know that your secrets are safely stored behind hard gates that few people can access. It is not just a matter of common sense since it's also an essential compliance requirement for security audits and certifications. Developers working in your organization are well-aware that secrets should be handled with special care. They have put in place specific tools and procedures to correctly create, communicate, and rotate human or machine credentials. Still, do you know where your secrets are?...

The Russia-affiliated Sandworm used yet another wiper malware strain dubbed  NikoWiper  as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine. "The NikoWiper is based on  SDelete , a command line utility from Microsoft that is used for securely deleting files," cybersecurity company ESET  revealed  in its latest APT Activity Report shared with The Hacker News. The Slovak cybersecurity firm said the attacks coincided with  missile strikes  orchestrated by the Russian armed forces aimed at the Ukrainian energy infrastructure, suggesting overlaps in objectives. The disclosure comes merely days after ESET attributed Sandworm to a Golang-based data wiper known as  SwiftSlicer  that was deployed against an unnamed Ukrainian entity on January 25, 2023. The advanced persistent threat (APT) group linked to Russia's foreign military intelligence agency GRU has also been implicated in a partially success...

A shellcode-based  packer  dubbed  TrickGate  has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years. "TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically," Check Point Research's Arie Olshtein  said , calling it a "master of disguises." Offered as a service to other threat actors since at least late 2016, TrickGate helps conceal payloads behind a layer of wrapper code in an attempt to get past security solutions installed on a host. Packers can also function as crypters by encrypting the malware as an obfuscation mechanism. "Packers have different features that allow them to circumvent detection mechanisms by appearing as benign files, being difficult to reverse engineer, or incorporating sandbox evasion tec...

Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as  CVE-2022-27596 , the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1. "If exploited, this vulnerability allows remote attackers to inject malicious code," QNAP  said  in an advisory released Monday. The exact technical specifics surrounding the flaw are unclear, but the NIST National Vulnerability Database (NVD) has categorized it as an SQL injection vulnerability. This means an attacker could send specially crafted SQL queries such that they could be weaponized to bypass security controls and access or alter valuable information. "Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack," according to  MI...

GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps. As a result, the company is  taking the step  of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Versions 1.63.0 and 1.63.1 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a  previous version  (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. GitHub Desktop for Windows is not affected. The Microsoft-owned subsidiary said it detected unauthorized access to a set of repositories, including those from deprecated GitHub-owned organizations, used in the planning and development of GitHub Desktop and Atom on December 7, 2022. The repositories ...

A new Golang-based information stealer malware dubbed  Titan Stealer  is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi  said  in a recent report. Details of the malware were  first documented  by cybersecurity researcher Will Thomas (@BushidoToken) in November 2022 by querying the IoT search engine Shodan. Titan is offered as a builder, enabling customers to customize the malware binary to include specific functionalities and the kind of information to be exfiltrated from a victim's machine. The malware, upon execution, employs a technique known as  process hollowing  to inject the malicious payload into the memory of a legitima...

Researchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months. Close to 50% of the attacks originated from the U.S. (48.3%), followed by Vietnam (17.8%), Russia (14.6%), The Netherlands (7.4%), France (6.4%), Germany (2.3%0, and Luxembourg (1.6%). What's more, 95% of the attacks leveraging the security shortcoming that emanated from Russia singled out organizations in Australia. "Many of the attacks we observed tried to deliver malware to infect vulnerable IoT devices," Unit 42 researchers  said  in a report, adding "threat groups are using this vulnerability to carry out large-scale attacks on smart devices around the world." The vulnerability in q...

The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is  monitoring  the activity cluster under the moniker  UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as  Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, whereas SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically  IcedID ,...