The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The identity of the second threat actor behind the Golden Chickens malware has been uncovered courtesy of a "fatal" operational security blunder, cybersecurity firm eSentire said. The individual in question, who lives in Bucharest, Romania, has been given the codename Jack. He is one of the two criminals operating an account on the Russian-language Exploit.in forum under the name "badbullzvenom," the other being " Chuck from Montreal ." eSentire characterized Jack as the true mastermind behind Golden Chickens. Evidence unearthed by the Canadian company shows that he is also listed as the owner of a vegetable and fruit import and export business. "Like 'Chuck from Montreal,' 'Jack' uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself," eSentire researchers Joe Stewart and Keegan Keplinger said . "'Jack' has taken great pa...

The notorious cybercrime group known as FIN7 has been observed deploying  Cl0p  (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy  Sangria Tempest . "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team  said . "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware." FIN7  (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.  Active since at least 2012, the group has a  track record  of  targeting  a broad spectrum of organizations spanning so...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a medium-severity flaw affecting Samsung devices. The issue, tracked as  CVE-2023-21492  (CVSS score: 4.4), impacts select Samsung devices running Android versions 11, 12, and 13. The South Korean electronics giant described the issue as an information disclosure flaw that could be exploited by a privileged attacker to bypass address space layout randomization ( ASLR ) protections. ASLR is a  security technique  that's designed to thwart memory corruption and code execution flaws by obscuring the location of an executable in a device's memory. Samsung, in an  advisory  released this month, said it was "notified that an exploit for this issue had existed in the wild," adding it was privately disclosed to the company on January 17, 2023. Other details about how the flaw is being exploited are currently not known, but vulnerabilities in Samsung phones h...

Google has announced plans to officially flip the switch on its twice-delayed  Privacy Sandbox  initiatives as it slowly works its way to deprecate support for third-party cookies in Chrome browser. To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024. "This will support developers in conducting real world experiments that assess the readiness and effectiveness of their products without third-party cookies," Anthony Chavez, vice president of Privacy Sandbox at Google,  said . Prior to rolling this out, Google said it would introduce the ability for third-party developers to simulate the process for a configurable subset of their users (up to 10%) in Q4 2023. Google further emphasized that the plans have been designed and developed with regulatory oversight and input from the U.K.'s Competition and Markets Authority ( CMA ), which is overseeing the implementation to...

Active Directory (AD) is among the oldest pieces of software still used in the production environment and can be found in most organizations today. This is despite the fact that its historical security gaps have never been amended. For example, because of its inability to apply any security measures beyond checking for a password and username match, AD (as well the resources it manages) is dangerously exposed to the use of compromised credentials. Furthermore, this exposure is not confined to the on-prem environment. The common practice of syncing passwords between AD and the cloud identity provider means any AD breach is a potential risk to the SaaS environment as well. In this article, we'll explore AD's inherent security weaknesses and examine their scope and potential impact. We'll then learn how Silverfort's Unified Identity Protection platform can address these weaknesses at their root and provide organizations using AD with the resiliency they need to thwart identity threa...

Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called  TurkoRat . The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down. ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets.  While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy. nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as  agent-base , which has been downloaded over 25 million times to date. The list of the rogue packages and their a...

Malicious Google Search ads for generative AI services like OpenAI ChatGPT and Midjourney are being used to direct users to sketchy websites as part of a BATLOADER campaign designed to deliver  RedLine Stealer  malware. "Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord)," eSentire said in an analysis. "This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps." BATLOADER is a loader malware that's propagated via drive-by downloads where users searching for certain keywords on search engines are displayed bogus ads that, when clicked, redirect them to rogue landing pages hosting malware. The installer file, per eSentire, is rigged with an executable file (ChatGPT.exe or midjourney.exe) and a PowerShell script (Chat.ps1 or Chat-Ready.ps1) that downloads and loads RedLine Stealer ...

Apple on Thursday  rolled out security updates  to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address dozens of flaws, including three new zero-days that it said are being actively exploited in the wild. The three security shortcomings are listed below - CVE-2023-32409  - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with improved bounds checks. CVE-2023-28204  - An out-of-bounds read issue in WebKit that could be abused to disclose sensitive information when processing web content. It was addressed with improved input validation. CVE-2023-32373  - A use-after free bug in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. It was addressed with improved memory management. The iPhone maker credited Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab...

A cybercrime enterprise known as  Lemon Group  is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks. "The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," cybersecurity firm Trend Micro  said . The activity encompasses no fewer than 8.9 million compromised Android devices, particularly budget phones, with the highest concentration of the infections discovered in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina. The findings were  presented  by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week. Describing it as a  continuously evolving problem , the cybersecurity firm said...