The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

An unnamed media organization in South Asia was targeted in November 20233 using a previously undocumented Go-based backdoor called GoGra. "GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services," Symantec, part of Broadcom, said in a report shared with The Hacker News. It's currently not clear how it's delivered to target environments. However, GoGra is specifically configured to read messages from an Outlook username "FNU LNU" whose subject line starts with the word "Input." The message contents are then decrypted using the AES-256 algorithm in Cipher Block Chaining (CBC) mode using a key, following which it executes the commands via cmd.exe. The results of the operation are then encrypted and sent to the same user with the subject "Output." GoGra is said to be the work of a nation-state hacking group known as Harvester owing to its simila...

Cybersecurity company CrowdStrike has published its root cause analysis detailing the Falcon Sensor software update crash that crippled millions of Windows devices globally. The "Channel File 291" incident, as originally highlighted in its Preliminary Post Incident Review (PIR), has been traced back to a content validation issue that arose after it introduced a new Template Type to enable visibility into and detection of novel attack techniques that abuse named pipes and other Windows interprocess communication (IPC) mechanisms. Specifically, it's related to a problematic content update deployed over the cloud, with the company describing it as a "confluence" of several shortcomings that led to a crash – the most prominent of them is a mismatch between the 21 inputs passed to the Content Validator via the IPC Template Type as opposed to the 20 supplied to the Content Interpreter. CrowdStrike said the parameter mismatch was not discovered during "multi...

Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app. "Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical report published Monday. The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victimology footprint from Australia, Italy, Poland, and the U.K. The use of CRM-related themes for the malicious dropper apps containing the malware points to the targets being customers in the hospitality sector and Business-to-Consumer (B2C) employees. The dropper artifacts are also designed to bypass Restricted Settings imposed by Google in Android 13 and later in order to prevent sideloaded apps from requesting for dangerous permissions (e.g., acc...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Apple on Tuesday announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections. Gatekeeper is a crucial line of defense built into macOS designed to ensure that only trusted apps run on the operating system. When an app is downloaded from outside of the App Store and opened for the first time, it verifies that the software is from an identified developer. It also runs checks to ensure that the app is notarized and has not been tampered with to install malware on macOS systems. Furthermore, it requires user approval before allowing any such third-party app to be run. It's this user approval mechanism that Apple has now tightened further with macOS Sequoia, the next iteration of the Mac operating system that's expected to be released next month. "In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn't signed correctly or no...

INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise ( BEC ) scam.  The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to trick targets into sending money or divulging confidential company information. Such attacks can take place in myriad ways, including gaining unauthorized access to a finance employee or a law firm's email account to send fake invoices or impersonating a third-party vendor to email a phony bill. "On 15 July, the firm had received an email from a supplier requesting that a pending payment be sent to a new bank account based in Timor-Leste," INTERPOL said in a press statement. "The email, however, came from a fraudulent account spelled slightly different to the supplier...

The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns. The packages in question, harthat-api and harthat-hash , were published on July 7, 2024, according to Datadog Security Labs. Both the libraries did not attract any downloads and were shortly pulled after a brief period of time. The security arm of the cloud monitoring firm is tracking the threat actor under the name Stressed Pungsan, which exhibits overlaps with a newly discovered North Korean malicious activity cluster dubbed Moonstone Sleet. "While the name resembles the Hardhat npm package (an Ethereum development utility), its content does not indicate any intention to typosquat it," Datadog researchers Sebastian Obregoso and Zack Allen said . "The malicious package reuses code from a well-known GitHub repository called node-...

Everyone loves the double-agent plot twist in a spy movie, but it's a different story when it comes to securing company data. Whether intentional or unintentional, insider threats are a legitimate concern. According to CSA research , 26% of companies who reported a SaaS security incident were struck by an insider.  The challenge for many is detecting those threats before they lead to full breaches. Many security professionals assume there is nothing they can do to protect themselves from a legitimate managed user who logs in with valid credentials using a company MFA method. Insiders can log in during regular business hours, and can easily justify their access within the application.  Cue the plot twist: With the right tools in place, businesses can protect themselves from the enemy from within (and without).  Learn how to secure your entire SaaS stack from both internal and external threats Subduing Identity-Centric Threats with ITDR  In SaaS security, an Ide...

Users in Russia have been the target of a previously undocumented Android post-compromise spyware called LianSpy since at least 2021. Cybersecurity vendor Kaspersky, which discovered the malware in March 2024, noted its use of Yandex Cloud, a Russian cloud service, for command-and-control (C2) communications as a way to avoid having a dedicated infrastructure and evade detection. "This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists," security researcher Dmitry Kalinin said in a new technical report published Monday. It's currently not clear how the spyware is distributed, but the Russian company said it's likely deployed through either an unknown security flaw or direct physical access to the target phone. The malware-laced apps are disguised as Alipay or an Android system service. LianSpy, once activated, determines if it's running as a system app to operate in the background using administrator privi...

Google has addressed a high-severity security flaw impacting the Android kernel that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel. "There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security bulletin for August 2024. As is typically the case, the company did not share any additional specifics on the nature of the cyber attacks exploiting the flaw or attribute the activity to a particular threat actor or group. Google's own Pixel line is also impacted by the bug, according to its Pixel update bulletin . That said, Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw, suggesting that it's likely being exploited by commercial spyware vendors to infiltrate Android devices in narrowly targeted attacks. The Augus...