The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have uncovered an updated version of a backdoor called  LODEINFO  that's distributed via spear-phishing attacks. The findings come from Japanese company ITOCHU Cyber & Intelligence, which  said  the malware "has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques." LODEINFO (versions 0.6.6 and 0.6.7) was  first documented  by Kaspersky in November 2022, detailing its capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server. A month later, ESET  disclosed attacks  targeting Japanese political establishments that led to the deployment of LODEINFO. The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021. Attack chains commence wit...

The 2023/2024 Axur Threat Landscape Report provides a comprehensive analysis of the latest cyber threats. The information combines data from the platform's surveillance of the Surface, Deep, and Dark Web with insights derived from the in-depth research and investigations conducted by the Threat Intelligence team. Discover the full scope of digital threats in the Axur Report 2023/2024. Overview In 2023, the cybersecurity landscape witnessed a remarkable rise in cyberattacks.  One notable shift was the cyber risk integration with business risk, a concept gaining traction in boardrooms worldwide. As the magnitude of losses due to cyberattacks became evident, organizations started reevaluating their strategies.  Geopolitical factors played a significant role in shaping information security. The conflicts between nations like Russia and Ukraine had ripple effects, influencing the tactics of cybercriminals. It was a year where external factors intertwined with digital threats....

A previously undocumented China-aligned threat actor has been linked to a set of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant named NSPX30. Slovak cybersecurity firm ESET is tracking the advanced persistent threat (APT) group under the name  Blackwood . It's said to be active since at least 2018. The NSPX30 implant has been observed deployed via the update mechanisms of known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with the attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies as well as individuals located in China, Japan, and the U.K. "NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor," security researcher Facundo Muñoz  said . "Both of the latter two have their own sets of plugins." "The implant was designed around the attackers...

A new Go-based malware loader called  CherryLoader  has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation. Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader's icon and name masquerades as the legitimate CherryTree note-taking application to dupe potential victims into installing it. "CherryLoader was used to drop one of two privilege escalation tools,  PrintSpoofer  or  JuicyPotatoNG , which would then run a batch file to establish persistence on the victim device," researchers Hady Azzam, Christopher Prest, and Steven Campbell  said . In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code. It's currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader ("cherrytree.exe") and ...

Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise's (HPE) cloud email environment to exfiltrate mailbox data. "The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions," the company  said  in a regulatory filing with the U.S. Securities and Exchange Commission (SEC). The intrusion has been attributed to the Russian state-sponsored group known as APT29, and which is also tracked under the monikers BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. The disclosure arrives days after Microsoft  implicated the same threat actor  to the breach of its corporate systems in late November 2023 to steal emails and attachments from senior executives and other individuals in the company's cybersecurity and legal ...

Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster. The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector. In a report shared with The Hacker News, security researcher Roi Nisimi said it "stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization)." The system:authenticated group is a special group that includes all authenticated entities, counting human users and service accounts. As a result, this could have serious consequences when administrators inadvertently bestow it with overly permis...

The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver ( BYOVD ) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira , AvosLocker, BlackByte, and RobbinHood . The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis. Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter , which emerged in the aftermath of DarkSide's shutdown. There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked post its demise in November 2021. Attack chains involving Kasseika commence with a phishing email for initial access, subsequently ...

In a world where more & more organizations are adopting open-source components as foundational blocks in their application's infrastructure, it's difficult to consider traditional SCAs as complete protection mechanisms against open-source threats. Using open-source libraries saves tons of coding and debugging time, and by that - shortens the time to deliver our applications. But, as codebases become increasingly composed of open-source software, it's time to respect the entire attack surface - including attacks on the supply chain itself - when choosing an  SCA platform  to depend upon. The Impact of One Dependency When a company adds an open-source library, they are probably adding not just the library they intended to, but also many other libraries as well. This is due to the way open-source libraries are built: just like every other application on the planet, they aim for a speed of delivery and development and, as such, rely on code other people built - i.e., ot...

Governments from Australia, the U.K., and the U.S. have imposed financial sanctions on a Russian national for his alleged role in the 2022 ransomware attack against health insurance provider Medibank. Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, has been tied to the breach of the Medibank network as well as the theft and release of Personally Identifiable Information (PII) belonging to the Australian company. The ransomware attack, which  took place in late October 2022  and attributed to the  now-defunct REvil ransomware crew , led to the unauthorized access of approximately 9.7 million of its current and former customers. The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health and drug use. Some of these records were leaked on the dark web. As part of the trilateral action, the sanctions  make  it a criminal offense t...