The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A legitimate Windows tool used for creating software packages called Advanced Installer is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021. "The attacker uses  Advanced Installer  to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts," Cisco Talos researcher Chetan Raghuprasad  said  in a technical report. The nature of the applications trojanized indicates that the victims likely span architecture, engineering, construction, manufacturing, and entertainment sectors. The software installers predominantly use the French language, a sign that French-speaking users are being singled out. This  campaign  is strategic in that these industries rely on computers with high Graphics Processing Unit (G...

The U.K. and U.S. governments on Thursday sanctioned 11 individuals who are alleged to be part of the notorious Russia-based TrickBot cybercrime gang. "Russia has long been a safe haven for cybercriminals, including the TrickBot group," the U.S. Treasury Department  said , adding it has "ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals." The targets of the sanctions are administrators, managers, developers, and coders who are believed to have provided material assistance in its operations. Their names and roles are as follows - Andrey Zhuykov (aka Adam, Defender, and Dif), senior administrator Maksim Sergeevich Galochkin (aka Bentley, Crypt, Manuel, Max17, and Volhvb), software development and testing Maksim Rudenskiy (aka Binman, Buza, and Silver), team lead for coders Mikhail Tsarev (aka Alexander Grachev, Fr*ances, Ivanov Mixail, Mango, Misha Krutysha, Nikita Andreevich Tsarev, and Super Misha), human reso...

Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The issues are described as below - CVE-2023-41061  - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment. CVE-2023-41064  - A buffer overflow issue in the  Image I/O component  that could result in arbitrary code execution when processing a maliciously crafted image. While CVE-2023-41064 was found by the Citizen Lab at the University of Torontoʼs Munk School, CVE-2023-41061 was discovered internally by Apple, with "assistance" from the Citizen Lab. The updates are available for the following devices and operating systems - iOS 16.6.1 and iPadOS 16.6.1  - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5t...

Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of service (DoS) condition. The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It's described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. Successful exploitation of the vulnerability -- a weakness in the single sign-on (SSO) implementation and discovered during internal testing -- could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system. "This vulnerability is due to the method used to validate SSO tokens," Cisco  said . "An attacker could exploit this vulnerability by authenticating to the application with forged credentials. A successful exploit could allow the attacker to commit toll fraud or ...

Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments.  Recently, a slew of activity by the advanced persistent threat (APT) group Lazarus has focused on finding vulnerable Microsoft IIS servers and infecting them with malware or using them to distribute malicious code. This article describes the details of the malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them.  An Overview on Microsoft IIS Servers IIS was first introduced with Windows NT 3.51 as an optional package back in 1995. Since then, it has seen several iterations, improvements, and features added to align with the evolving Internet, includin...

Threat actors associated with North Korea are  continuing  to  target  the cybersecurity community using a zero-day bug in an unspecified software over the past several weeks to infiltrate their machines. The findings come from Google's Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like  X  (formerly Twitter) and  Mastodon  to forge relationships with potential targets and build trust. "In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest," security researchers Clement Lecigne and Maddie Stone  said . "After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire." The social engineering exercise ultimately paved the way for a malicious file containing at least one zero-day in a popular software package. The vulnerability is currently in the process of b...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. "Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network," according to a  joint alert  published by the agency, alongside Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF). The identities of the threat groups behind the attacks have not been disclosed, although the U.S. Cyber Command (USCYBERCOM)  hinted  at the involvement of Iranian nation-state crews. The findings are based on an incident response engagement conducted by CISA at an unnamed aeronautical sector organi...

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called  Atomic Stealer  (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer  first came  to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users. Malvertising via Google Ads has been observed as the primary distribution vector in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers. The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems. "Both the Windows and Linux buttons point to an MSIX installer hosted on...

By the end of 2024, the number of MSPs and MSSPs offering vCISO services is expected to grow by almost 5 fold, as can be seen in figure 1. This incredible surge reflects the growing business demand for specialized cybersecurity expertise and the lucrative opportunities for MSPs and MSSPs in vCISO services. Figure 1: Timeline for offering vCISO services The State of the Virtual CISO Survey Report  by Global Surveyz, an independent survey company, which was commissioned by Cynomi, provides a deep understanding of the challenges facing MSPs and MSSPs today. The report shares insights from 200 security and IT leaders in MSPs and MSSPs of all sizes, all of which are security-focused. It shines a light on the growing trend of the vCISO offering, including the reasons behind this trend, potential blockers for MSPs/MSSPs and how to overcome them. 480% Expected Increase in vCISO Service Offerings Currently, only 19% of MSPs and MSSPs are offering vCISO services. This relatively low per...