The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware. The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol. This encompassed a raid of a German national's house as well as searches in the Ukrainian cities of Kiev and Kharkiv. A Ukrainian national was also interrogated. Both individuals are believed to have taken up crucial positions in the DoppelPaymer group. "Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices," the agency further  said . In a related development, German authorities issued arrest warrants against three alleged DoppelPaymer operatives – lgor Olegovich Turashev , Igor Garshin (aka Igor Garschin...

Malicious actors can take advantage of "insufficient" forensic visibility into Google Cloud Platform (GCP) to exfiltrate sensitive data, a new research has found. "Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks," cloud incident response firm Mitiga  said  in a report. The attack banks on the prerequisite that the adversary is able to gain control of an identity and access management (IAM) entity in the targeted organization by methods like social engineering to access the GCP environment. The crux of the problem is that GCP's  storage access logs  do not provide adequate transparency with regards to potential file access and read events, instead grouping them all as a single "Object Get" activity. "The same event is used for a wide variety of types of access, including: Reading a fil...

A group of researchers has revealed what it says is a vulnerability in a specific implementation of  CRYSTALS-Kyber , one of the encryption algorithms chosen by the U.S. government as quantum-resistant last year. The exploit relates to "side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU," Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology  said  in a paper. CRYSTALS-Kyber is one of four post-quantum algorithms  selected  by the U.S. National Institute of Standards and Technology (NIST) after a rigorous multi-year effort to identify a set of next-generation encryption standards that can withstand huge leaps in computing power. A side-channel attack, as the name implies, involves extracting secrets from a cryptosystem through measurement and analysis of physical parameters. Some examples of such parameters include supply current, execution time, and electromagnetic emission. ...

This past January, a SaaS Security Posture Management (SSPM) company named Wing Security (Wing) made waves with the  launch of its free SaaS-Shadow IT discovery solution . Cloud-based companies were invited to gain insight into their employees' SaaS usage through a completely free, self-service product that operates on a "freemium" model. If a user is impressed with the solution and wants to gain more insights or take remediation action, they can purchase the enterprise solution. "In today's economic reality, security budgets have not necessarily been cut down, but buyers are far more careful in their purchasing decisions and rightfully so. We believe that you cannot secure what you do not know, so knowing should be a basic commodity. Once you understand the magnitude of your SaaS attack layer, you can make an educated decision as to how you are going to solve it. Discovery is the natural and basic first step and it should be accessible to anyone." said Ga...

A new ATM malware strain dubbed  FiXS  has been observed targeting Mexican banks since the start of February 2023. "The ATM malware is hidden inside another not-malicious-looking program," Latin American cybersecurity firm Metabase Q  said  in a report shared with The Hacker News. Besides requiring interaction via an external keyboard, the Windows-based ATM malware is also vendor-agnostic and is capable of infecting any teller machine that supports  CEN/XFS  (short for eXtensions for Financial Services). The exact mode of compromise remains unknown but Metabase Q's Dan Regalado told The Hacker News that it's likely that "attackers found a way to interact with the ATM via touchscreen." FiXS is also said to be similar to another strain of  ATM malware  codenamed  Ploutus  that has enabled cybercriminals to extract cash from ATMs by using an external keyboard or by  sending an SMS message . One of the notable characteristics of F...

A pair of serious security defects has been disclosed in the Trusted Platform Module ( TPM ) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation. One of the vulnerabilities,  CVE-2023-1017 , concerns an out-of-bounds write, while the other,  CVE-2023-1018 , is described as an out-of-bounds read. Credited with discovering and reporting the issues in November 2022 is cybersecurity company Quarkslab. "These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation," the Trusted Computing Group (TCG)  said  in an advisory. Large tech vendors, organizations using enterprise computers, servers, IoT devices, and embedded systems that include a TPM can be impacted by the flaws, Quarkslab  noted , adding they "could affect billions of devices." TPM is a hardware-based solution (i.e., a crypto...

The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called  MQsTTang  as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr  said  in a new report. Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of  Russia's full-scale invasion of Ukraine  last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group's previous campaigns that target European political organizations. That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating a broader focus on Europe and Asia. Mustang Panda has a  history ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  released  a new advisory about  Royal ransomware , which emerged in the threat landscape last year. "After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems," CISA  said . The custom  ransomware program , which has targeted U.S. and international organizations since September 2022, is believed to have evolved from earlier iterations that were dubbed Zeon.  What's more, it's said to be  operated  by seasoned threat actors who used to be part of Conti Team One, cybersecurity company Trend Micro disclosed in December 2022. The ransomware group employs call back phishing as a means of delivering their ransomware to victims, a technique  widely adopted  by criminal groups that splintered from the Conti enterprise last year following its...

A sophisticated attack campaign dubbed  SCARLETEEL  is targeting containerized environments to perpetrate theft of proprietary data and software. "The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials," Sysdig  said  in a new report. The advanced cloud attack also entailed the deployment of crypto miner software, which the cybersecurity company said is either an attempt to generate illicit profits or a ploy to distract defenders and throw them off the trail. The initial infection vector banked on exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS). Upon gaining a successful foothold, an XMRig crypto miner was launched and a bash script was used to obtain credentials that could be used to further burrow into the AWS cloud infrastructure and exfiltrate sensitive data. "Either...