The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform. The security incident, which comprises a database of 5,600 names in a 313KB file, was first disclosed by  Der Spiegel  and  Der Standard  yesterday. Launched in 2004, VirusTotal is a popular service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners. It was acquired by Google in 2012 and became a subsidiary of Google Cloud's Chronicle unit in 2018. When reached for comment, Google confirmed the leak and said it took immediate steps to remove the data. "We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform," a Google Cloud spokesperson told The Ha...

Discover stories about threat actors' latest tactics, techniques, and procedures from Cybersixgill's threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT credentials flood dark web markets Over the past year, 100,000 stolen credentials for ChatGPT were advertised on underground sites, being sold for as little as $5 on dark web marketplaces in addition to being offered for free. Stolen ChatGPT credentials include usernames, passwords, and other personal information associated with accounts. This is problematic because ChatGPT accounts may store sensitive information from queries, including confidential data and intellectual property. Specifically, companies increasingly incorporate ChatGPT into daily workflows, which means employees may disclose ...

The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called  Sardonic  to deliver the  BlackCat ransomware . According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022. FIN8 is being tracked by the cybersecurity company under the name Syssphinx. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic , which was disclosed by Bitdefender in August 2021. "The C++-based Sardonic backdoor has the ability to harvest system information and execute c...

Conor Brian Fitzpatrick , the owner of the now-defunct BreachForums website, has pleaded guilty to charges related to his operation of the cybercrime forum as well as having child pornography images. The development,  first reported  by DataBreaches.net last week, comes nearly four months after Fitzpatrick (aka pompompurin) was  formally charged  in the U.S. with conspiracy to commit access device fraud and possession of child pornography. BreachForums, launched in March 2022, operated as an illegal marketplace that allowed its members to trade hacked or stolen databases, enabling other criminal actors to gain unauthorized access to target systems. It was shut down in March 2023 shortly after  Fitzpatrick's arrest  in New York. As many as 888 databases consisting of 14 billion individual records are estimated to have been found in total. The forum had over 333,000 members prior to its takedown. "The purpose of BreachForums, and Fitzpatrick's intent in...

Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as  CVE-2023-28121  (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover. "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall  said  in a Monday post. Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected v...

A little over a week after  JumpCloud reset API keys of customers  impacted by a security incident, the company said the intrusion was the work of a sophisticated nation-state actor. The adversary "gained unauthorized access to our systems to target a small and specific set of our customers," Bob Phan, chief information security officer (CISO) at JumpCloud,  said  in a post-mortem report. "The attack vector used by the threat actor has been mitigated." The U.S. enterprise software firm said it identified anomalous activity on June 27, 2023, on an internal orchestration system, which it traced back to a spear-phishing campaign mounted by the attacker on June 22. While JumpCloud said it took security steps to shield its network by rotating credentials and rebuilding its systems, it wasn't until July 5 when it detected "unusual activity" in the commands framework for a small set of customers, prompting a forced-rotation of all admin API keys. The num...

Threat actors are taking advantage of Android's  WebAPK technology  to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information. "The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF  said  in an analysis released last week. "The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim's device." The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were  first shared  by Polish cybersecurity firm RIFFSEC. WebAPK allows users to install progressive web apps (PWAs) to their home screen on Android devices without having to use the Google Play Store. "When a user installs a PWA from Google Chrome and a WebAPK is used, the minti...

The hype around different security categories can make it difficult to discern features and capabilities from bias when researching new platforms. You want to advance your security measures, but what steps actually make sense for your business? For anyone ready to find an  attack surface management (ASM) vendor , review these six questions before getting started to understand the key features to look for in an ASM platform and the qualities of the vendor who supports it. Refer to these as your quick guide for interviewing vendors to walk away with the most suitable ASM platform for your needs.  Checklist: 6 Questions to Ask Attack Surface Management Vendors  Does your platform have the capability to discover the unknown?  How do you prevent alert fatigue, prioritize alerts and remove false positives?  Can you track attack surface changes over time?  How do you plan to evolve the platform going forward? What services related to ASM do you offer? C...

Cyber attacks using infected USB infection drives as an initial access vector have witnessed a three-fold increase in the first half of 2023,  That's according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world. SOGU is the "most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals," the Google-owned threat intelligence firm  said . The activity has been attributed to a China-based cluster called TEMP.Hex, which is also tracked under the names Camaro Dragon, Earth Preta, and Mustang Panda. Targets include construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the U.S. The infection chain detailed by Mandiant exhibits tactical commonalities with...