The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A new Android malware strain named  Goldoson  has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. An additional eight million installations have been tracked through ONE store, a leading third-party app storefront in South Korea. The rogue component is part of a third-party software library used by the apps in question and is capable of gathering information about installed apps, Wi-Fi and Bluetooth-connected devices, and GPS locations. "Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user's consent," McAfee security researcher SangRyol Ryu  said  in a report published last week. What's more, it includes the ability to stealthily load web pages, a feature that could be abused to load ads for financial profit. It achieves this by loading HTML code in a hidden  WebView  and driving tr...

Rapid technological evolution requires security that is resilient, up to date and adaptable. In this article, we will cover the transformation in the field of DFIR (digital forensics and incident response) in the last couple years, focusing on the digital forensics' aspect and how XDR fits into the picture. Before we dive into the details, let's first break down the main components of DFIR and define the differences between them. Digital Forensics vs Incident Response Digital forensics:  the practice of using scientific techniques and tools to identify, preserve, and analyze digital evidence from various sources, such as computers, smartphones, and other electronic devices, in a way that is admissible in a court of law. Incident response:  the process of responding to and managing the aftermath of a security breach or cyberattack. This involves identifying the nature and scope of the incident, containing the damage, eradicating the threat, and restoring the affected sys...

The Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems. While the nation-state group has previously employed  ScreenConnect, RemoteUtilities, and Syncro , a  new analysis  from Group-IB has revealed the adversary's use of the SimpleHelp remote support software in June 2022. MuddyWater, active since at least 2017, is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Some of the top targets include Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan. "MuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices," Nikita Rostovtsev, senior threat analyst at Group-IB, said. "SimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the of...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Threat actors behind the LockBit ransomware operation have developed new artifacts that can encrypt files on devices running Apple's macOS operating system. The development, which was  reported  by the MalwareHunterTeam over the weekend, appears to be the first time a big-game ransomware crew has created a macOS-based payload. Additional samples identified by  vx-underground  show that the macOS variant has been available since November 11, 2022, and has managed to evade detection by anti-malware engines until now. LockBit is a  prolific cybercrime crew  with ties to Russia that has been active since late 2019, with the threat actors releasing two major updates to the locker in 2021 and 2022. According to statistics  released by Malwarebytes  last week, LockBit emerged as the second most used ransomware in March 2023 after Cl0p, accounting for 93 successful attacks. An analysis of the new macOS version ("locker_Apple_M1_64") reveals that it...

Israeli spyware vendor QuaDream is allegedly shutting down its operations in the coming days, less than a week after its hacking toolset was exposed by Citizen Lab and Microsoft. The development was reported by the Israeli business newspaper  Calcalist , citing unnamed sources, adding the company "hasn't been fully active for a while" and that it "has been in a difficult situation for several months." The company's board of directors are looking to sell off its intellectual property, the report further added. QuaDream, which specializes in hacking Apple devices that don't require any action on the part of the victim, is also said to have fired all its employees, with the firm undergoing significant downsizing, according to Haaretz and The Jerusalem Post . News of the purported shutdown comes as the firm's spyware framework – dubbed REIGN – was outed as  having been used  against journalists, political opposition figures, and NGO workers across...

A new QBot malware campaign is leveraging hijacked business correspondence to trick unsuspecting victims into installing the malware, new findings from Kaspersky reveal. The latest activity, which commenced on April 4, 2023, has primarily targeted users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco. QBot  (aka Qakbot or Pinkslipbot) is a  banking trojan  that's known to be active since at least 2007. Besides stealing passwords and cookies from web browsers, it doubles up as a backdoor to inject next-stage payloads such as Cobalt Strike or ransomware. Distributed via phishing campaigns, the malware has seen  constant   updates   during its lifetime  that pack in anti-VM, anti-debugging, and anti-sandbox techniques to evade detection. It has also emerged as the  most prevalent malware  for the month of March 2023, per Check Point. "Early on, it was distributed through infected websites and p...

A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed  Domino , is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021. "Former members of the  TrickBot/Conti syndicate  [...] have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike," IBM Security X-Force security researcher Charlotte Hammond  said  in a report published last week. FIN7 , also called Carbanak and ITG14, is a prolific  Russian-speaking cybercriminal syndicate  that's known to employ an array of custom malware to deploy additional payloads ...

Cloud Security Posture Management (CSPM) and  SaaS Security Posture Management (SSPM)  are frequently confused. The similarity of the acronyms notwithstanding, both security solutions focus on securing data in the cloud. In a world where the terms cloud and SaaS are used interchangeably, this confusion is understandable. This confusion, though, is dangerous to organizations that need to secure data that exists within cloud infrastructures like AWS, Google Cloud, and Microsoft Azure, as well as data within SaaS applications like Salesforce, Microsoft 365, Google Workspace, Jira, Zoom, Slack and more. Assuming that either your CSPM or SSPM will secure your company resources that live off-premises is misplaced trust in a security tool that was only designed to secure either your cloud or your SaaS stack.  It's absolutely vital for decision makers to understand the difference between CSPM and SSPM, the value derived from each solution, and that both complement each other....

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control ( GC2 ) amid broader abuse of Google's infrastructure for malicious ends. The tech giant's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the  geological  and  geographical-themed  moniker  HOODOO , which is also known by the names  APT41 , Barium, Bronze Atlas, Wicked Panda, and  Winnti . The starting point of the attack is a phishing email that contains links to a password-protected file hosted on Google Drive, which, in turn, incorporates the Go-based GC2 tool to read commands from Google Sheets and exfiltrate data using the cloud storage service. "After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands," Google's cloud division  said  in its sixth Threat Horizons Report. "In addition to exfiltr...