The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The suspected Pakistan-linked threat actor known as  Transparent Tribe  is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security researcher Alex Delamotte  said  in a Monday analysis. Transparent Tribe , also known as APT36, is known to  target Indian entities  for intelligence-gathering purposes, relying on an arsenal of tools capable of infiltrating Windows, Linux, and Android systems. A crucial component of its toolset is  CapraRAT , which has been propagated in the form of trojanized secure messaging and calling apps branded as MeetsApp and MeetUp. These weaponized apps are distributed using social engineering lures. The latest set of Android package (APK) files discovered by SentinelO...

A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency. The malicious cyber activity has been codenamed  AMBERSQUID  by cloud and container security firm Sysdig. "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," Sysdig security researcher Alessandro Brucato said in a report shared with The Hacker News. "Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service." Sysdig said it discovered the campaign following an  analysis of 1.7 million images  on Docker Hub, attributing it with moderate confidence to Indonesian attackers based on the use of Indonesian language in scripts and use...

When you roll out a security product, you assume it will fulfill its purpose. Unfortunately, however, this often turns out not to be the case. A new report, produced by Osterman Research and commissioned by Silverfort, reveals that MFA (Multi-Factor Authentication) and PAM (Privileged Access Management) solutions are almost never deployed comprehensively enough to provide resilience to identity threats. As well, service accounts – which are typically beyond the scope of protection of these controls – are alarmingly exposed to malicious compromise. These findings and many more can be found in  "The State of the Identity Attack Surface: Insights Into Critical Protection Gaps ,"  the first report that analyzes organizational resilience to identity threats.  What is the "Identity Attack Surface"?  The identity attack surface is any organizational resource that can be accessed via username and password. The main way that attackers target this attack surface is through ...

A new analysis of the Android banking trojan known as Hook has revealed that it's based on its predecessor called ERMAC. "The ERMAC source code was used as a base for Hook," NCC Group security researchers Joshua Kamp and Alberto Segura  said  in a technical analysis published last week. "All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical." Hook was  first documented  by ThreatFabric in January 2023, describing it as a " ERMAC  fork" that's offered for sale for $7,000 per month. Both the strains are the work of a malware author called DukeEugene. That said, Hook expands on ERMAC's functionalities with more capabilities, supporting as many as 38 additional commands when compared to the latter. ERMAC's core features are designed to send SMS messages, display a phishing window on top of a legitimate app, e...

Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack. The San Francisco-based firm blamed a  Google Account cloud synchronization feature  recently introduced in April 2023 for making the breach worse, calling it a "dark pattern." "The fact that Google Authenticator syncs to the cloud is a novel attack vector," Snir Kodesh, Retool's head of engineering,  said . "What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication." Retool said that the incident, which took place on August 27, 2023, did not allow unauthorized access to on-prem or managed accounts. It also coincided with the company migrating their logins to Okta. It all started with an SMS phishing attack aimed at i...

The financially motivated threat actor known as  UNC3944  is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed. "UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group," the threat intelligence firm  said . "UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums." The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees' valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called  LAPSUS$ . While the group originall...

The North Korea-affiliated Lazarus Group has stolen nearly $240 million in cryptocurrency since June 2023, marking a significant escalation of its hacks. According to multiple reports from  Certik ,  Elliptic , and  ZachXBT , the infamous hacking group is said to be suspected behind the theft of $31 million in digital assets from the  CoinEx exchange  on September 12, 2023. The crypto heist aimed at CoinEx  adds  to a  string of recent attacks  targeting Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million). "Some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from Stake.com, albeit on a different blockchain," Elliptic said. "Following this, the funds were bridged to Ethereum, using a bridge previously used by Lazarus, and then sent back to an address known to be controlled by the CoinEx hacker." The blockchain anal...

The Irish Data Protection Commission (DPC) slapped TikTok with a €345 million (about $368 million) fine for violating the European Union's General Data Protection Regulation (GDPR) in relation to its handling of children's data. The investigation, initiated in September 2021,  examined  how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020. Some of the major findings include - The content posted by child users was set to public by default, thereby allowing any individual (with or without TikTok) to view the material and exposing them to additional risks A failure to provide transparency information to child users The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos A weakness in the Family Sharing setting that allowed any non-child user (someone who could not b...

The volume of cybersecurity vulnerabilities is rising, with close to  30% more vulnerabilities found in 2022 vs. 2018 . Costs are also rising, with a data breach in 2023 costing  $4.45M on average vs. $3.62M in 2017 . In Q2 2023,  a total of 1386 victims were claimed  by ransomware attacks compared with just 831 in Q1 2023. The  MOVEit attack has claimed over 600 victims  so far and that number is still rising. To people working in cybersecurity today, the value of automated threat intelligence is probably pretty obvious. The rising numbers specified above, combined with the  lack of cybersecurity professionals availabl e, mean automation is a clear solution. When threat intelligence operations can be automated, threats can be identified and responded to, and with less effort on the part of engineers. However, a mistake that organizations sometimes make is assuming that once they've automated threat intelligence workflows, humans are out of the pic...