The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining. Cloud security firm Wiz is tracking the activity under the name SeleniumGreed . The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023 . "Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands," Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said . "By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes." Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different bro...

CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity. The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world. "After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer," CrowdStrike's Counter Adversary Operations team said . "The installer contains CrowdStrike branding, German localization, and a password [is] required to continue install...

Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could result in remote code execution. The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), impacts Report Server version 2024 Q2 (10.1.24.514) and earlier. "In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability," the company said in an advisory. Deserialization flaws occur when an application reconstructs untrusted data that an attacker has control over without adequate validation in place, resulting in the execution of unauthorized commands. Progress Software said the flaw has been addressed in version 10.1.24.709. As temporary mitigation, it's recommended to change the user for the Report Server Application Pool to one with limited permission. Administrators can check if their servers are vulnerable ...

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker APT45 , which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Silent Chollima, and Stonefly. "APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said . "APT45 has been the most frequently observed targeting critical infrastructure." It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau ...

Application security testing is a critical component of modern software development, ensuring that applications are robust and resilient against malicious attacks. As cyber threats continue to evolve in complexity and frequency, the need to integrate comprehensive security measures throughout the SDLC has never been more essential. Traditional pentesting provides a crucial snapshot of an application's security posture, but when integrated across the SDLC, it allows for early detection and mitigation of vulnerabilities, reducing the risk of costly post-deployment fixes and enhancing overall security.  While the specifics for security testing vary for applications, web applications, and APIs, a holistic and proactive applications security strategy is essential for all three types. There are six core types of testing that every security professional should know about to secure their applications, regardless of what phase they are in in development or deployment.  In this artic...

Meta Platforms on Wednesday said it took steps to remove around 63,000 Instagram accounts in Nigeria that were found to target people with financial sextortion scams. "These included a smaller coordinated network of around 2,500 accounts that we were able to link to a group of around 20 individuals," the company said . "They targeted primarily adult men in the U.S. and used fake accounts to mask their identities." In cases where some of these accounts attempted to target minors, Meta said it reported them to the National Center for Missing and Exploited Children (NCMEC). Separately, Meta said it also removed 7,200 assets, including 1,300 Facebook accounts, 200 Facebook Pages and 5,700 Facebook Groups, based in Nigeria that were used to organize, recruit and train new scammers. "Their efforts included offering to sell scripts and guides to use when scamming people, and sharing links to collections of photos to use when populating fake accounts," it sai...

The browser is the nerve center of the modern workspace. Ironically, however, the browser is also one of the least protected threat surfaces of the modern enterprise. Traditional security tools provide little protection against browser-based threats, leaving organizations exposed. Modern cybersecurity requires a new approach based on the protection of the browser itself, which offers both security and frictionless deployment.  In an upcoming live webinar ( Register here ), Or Eshed, CEO of browser security company LayerX, and Christopher Smedberg, Director of Cybersecurity at Advance Publishing, will discuss the challenges facing modern enterprise in the new hybrid-work world, the gaps found in existing security solutions, and a new approach to securing the modern enterprise workspace, which is centered on the browser. The Browser is Where Work Takes Place The browser is the key to the organization's critical assets. It connects all organizational devices, identities, and SaaS ...

Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name ConfusedFunction. "An attacker could escalate their privileges to the Default Cloud Build Service Account and access numerous services such as Cloud Build, storage (including the source code of other functions), artifact registry and container registry," the exposure management company said in a statement. "This access allows for lateral movement and privilege escalation in a victim's project, to access unauthorized data and even update or delete it." Cloud Functions refers to a serverless execution environment that allows developers to create single-purpose functions that are triggered in response to specific Cloud events without the need to manage a server or update frame...

Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins (AuthZ) under specific circumstances. Tracked as CVE-2024-41110 , the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity. "An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory. Docker said the issue is a regression in that the issue was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but never got carried over to subsequent versions (19.03 and later). The issue has been resolved in versions 23.0.14 and 27.1.0 as of July 23, 2024, after the problem was identified in April 2024. The following versions of Docker Engine are impacte...