The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A financial entity in Vietnam was the target of a previously undocumented threat actor called  Lotus Bane  as part of a cyber attack that was first detected in March 2023. Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that's believed to have been active since at least 2022. The exact specifics of the infection chain remain unknown as yet, but it involves the use of various malicious artifacts that serve as the stepping stone for the next-stage. "The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement," the company  said . Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with that of  OceanLotus , a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. This stems from the use of malware like PIPEDANCE for named pip...

Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild. The shortcomings are listed below - CVE-2024-23225  - A memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections CVE-2024-23296  - A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections It's currently not clear how the flaws are being weaponized in the wild. Apple said both the vulnerabilities were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6. The updates are available for the following devices - iOS 16.7.6 and iPadOS 16.7.6  - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation i...

North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called  TODDLERSHARK . According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark. "The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application," security researchers Keith Wojcieszek, George Glass, and Dave Truman said . "They then leveraged their now 'hands on keyboard' access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware." The ConnectWise flaws in question are  CVE-2024-1708 and CVE-2024-1709 , which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware. Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald ...

Startups and scales-ups are often cloud-first organizations and rarely have sprawling legacy on-prem environments. Likewise, knowing the agility and flexibility that cloud environments provide, the mid-market is predominantly running in a hybrid state, partly in the cloud but with some on-prem assets. While there has been a bit of a backswing against the pricing and lock-in presented when using cloud infrastructure, cloud is still the preferred provider for the majority of SMBs. As a result, external attack surfaces are increasingly complex and distributed and, therefore, harder to monitor and secure. This expanded attack surface gives hackers plenty of blind spots and gaps to exploit. Security teams are on the back, reacting, often too slowly, to changes in their own attack surface as engineering teams continuously spin up and expose new systems, services, and data to the internet. This is compounded by the fact that the threat landscape is always changing. Thousands of new vulne...

A new DNS threat actor dubbed  Savvy Seahorse  is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds. "Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia," Infoblox  said  in a report published last week. Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks. Users are lured via ads on social media platforms like Facebook, while also tricking them into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots. The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system ( TDS ), thereb...

More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show. These credentials were found within  information stealer logs  associated with LummaC2, Raccoon, and RedLine stealer malware. "The number of infected devices decreased slightly in mid- and late summer but grew significantly between August and September," the Singapore-headquartered cybersecurity company  said  in its Hi-Tech Crime Trends 2023/2024 report published last week. Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023. The breakdown by the top three stealer families is below - LummaC2 - 70,484 hosts Raccoon - 22,468 hosts RedLine - 15,970 hosts "The sharp increase in the number of ChatGPT credentials for sale is due to the overal...

The threat actor known as  TA577  has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager ( NTLM ) hashes. The new attack chain "can be used for sensitive information gathering purposes and to enable follow-on activity," enterprise security firm Proofpoint  said  in a Monday report. At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world. The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks' success. The ZIP attachments – which are the most common delivery mechanism – come with an HTML file that's designed to contact an actor-controlled Server Message Block (SMB) server. "TA577's objective is to capture NTLMv2 Challenge/Response pairs fro...

A new pair of security vulnerabilities have been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems. The flaws, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), have been addressed in version 2023.11.4. They impact all TeamCity On-Premises versions through 2023.11.3. "The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server," JetBrains  said  in an advisory released Monday. TeamCity Cloud instances have already been patched against the two flaws. Cybersecurity firm Rapid7, which discovered and reported the issues on February 20, 2024, said CVE-2024-27198 is a case of authentication bypass that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker. "Compromising a TeamCity server allows an at...

Cybercriminals are using a network of hired money mules in India using an Android-based application to orchestrate a massive money laundering scheme. The malicious application, called  XHelper , is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel  said  in a report. Details about the scam  first emerged  in late October 2023, when Chinese cyber criminals were found to take advantage of the fact that Indian Unified Payments Interface ( UPI ) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan. The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts. "Central to this operation are Chinese payment ga...