The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A large percentage of Google's own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware. The issue manifests in the form of a pre-installed Android app called "Showcase.apk" that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security firm iVerify. "The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level," it said in an analysis published jointly with Palantir Technologies and Trail of Bits. "The application retrieves the configuration file from a single U.S.-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable." The app in question is called Verizon Retail Demo Mode ("com.customermob...

SolarWinds has released patches to address a critical security vulnerability in its Web Help Desk software that could be exploited to execute arbitrary code on susceptible instances. The flaw, tracked as CVE-2024-28986 (CVSS score: 9.8), has been described as a deserialization bug. "SolarWinds Web Help Desk was found to be susceptible to a Java deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine," the company said in an advisory. "While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing." The flaw impacts all versions of SolarWinds Web Help Desk including and prior to 12.8.3. It has been addressed in hotfix version 12.8.3 HF 1 . The disclosure comes as Palo Alto Networks patched a high-severity vulnerability affecting Cortex XSOAR that could result in command injection and code execution. ...

Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with that of the Russian government. While one of the campaigns – dubbed River of Phish – has been attributed to COLDRIVER , an adversarial collective with ties to Russia's Federal Security Service (FSB), the second set of attacks have been deemed the work of a previously undocumented threat cluster codenamed COLDWASTREL. Targets of the campaigns also included prominent Russian opposition figures-in-exile, officials and academics in the US think tank and policy space, and a former U.S. ambassador to Ukraine, according to a joint investigation from Access Now and the Citizen Lab. "Both kinds of attacks were highly tailored to better deceive members of the target organizations," Access Now said . "The m...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

The Emergence of Identity Threat Detection and Response Identity Threat Detection and Response (ITDR) has emerged as a critical component to effectively detect and respond to identity-based attacks. Threat actors have shown their ability to compromise the identity infrastructure and move laterally into IaaS, Saas, PaaS and CI/CD environments. Identity Threat Detection and Response solutions help organizations better detect suspicious or malicious activity in their environment. ITDR solutions give security teams the ability to help teams answer the question "What's happening right now in my environment - what are my identities doing in my environments." Human and Non-Human Identities As outlined in the ITDR Solution Guide, comprehensive ITDR solutions cover both human and non-human identities. Human identities entail the workforce (employees), guests (contractors), and vendors. Non-human identities include tokens, keys, service accounts, and bots. Multi- environment ITDR solutions c...

A cybercrime group with links to the RansomHub ransomware has been observed using a new tool designed to terminate endpoint detection and response (EDR) software on compromised hosts, joining the likes of other similar programs like AuKill (aka AvNeutralizer) and Terminator . The EDR-killing utility has been dubbed EDRKillShifter by cybersecurity company Sophos, which discovered the tool in connection with a failed ransomware attack in May 2024. "The EDRKillShifter tool is a 'loader' executable – a delivery mechanism for a legitimate driver that is vulnerable to abuse (also known as a 'bring your own vulnerable driver,' or BYOVD , tool)," security researcher Andreas Klopsch said . "Depending on the threat actor's requirements, it can deliver a variety of different driver payloads." RansomHub , a suspected rebrand of the Knight ransomware, surfaced in February 2024, leveraging known security flaws to obtain initial access and drop legitimate rem...

A newly discovered attack vector in GitHub Actions artifacts dubbed ArtiPACKED could be exploited to take over repositories and gain access to organizations' cloud environments. "A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume," Palo Alto Networks Unit 42 researcher Yaron Avital said in a report published this week. "This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access." The cybersecurity company said it primarily observed the leakage of GitHub tokens (e.g., GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN), which could not only give malicious actors unauthorized access to the repositories, but also grant them the ability to poison the source code and get it pushed to production via CI/CD workflows. Artifacts in...

A previously unknown threat actor has been attributed to a spate of attacks targeting Azerbaijan and Israel with an aim to steal sensitive data. The attack campaign, detected by NSFOCUS on July 1, 2024, leveraged spear-phishing emails to single out Azerbaijani and Israeli diplomats. The activity is being tracked under the moniker Actor240524 . "Actor240524 possesses the ability to steal secrets and modify file data, using a variety of countermeasures to avoid overexposure of attack tactics and techniques," the cybersecurity company said in an analysis published last week. The attack chains commence with the use of phishing emails bearing Microsoft Word documents that, upon opening, urge the recipients to " Enable Content " and run a malicious macro responsible for executing an intermediate loader payload codenamed ABCloader ("MicrosoftWordUpdater.log"). In the next step, ABCloader acts as a conduit to decrypt and load a DLL malware called ABCsync (...

Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that's targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power. This indicates that the "IoT botnet is targeting more robust servers running on cloud native environments," Aqua Security researcher Assaf Morag said in a Wednesday analysis. Gafgyt (aka BASHLITE, Lizkebab, and Torlus), known to be active in the wild since 2014, has a history of exploiting weak or default credentials to gain control of devices such as routers, cameras, and digital video recorders (DVRs). It's also capable of leveraging known security flaws in Dasan, Huawei, Realtek, SonicWall, and Zyxel devices. The infected devices are corralled into a botnet capable of launching distributed denial-of-service (DDoS) attacks against targets of interest. There is evidence to suggest that Gafgyt and Necro are operated by a threat group calle...

An ongoing social engineering campaign with alleged links to the Black Basta ransomware group has been linked to "multiple intrusion attempts" with the goal of conducting credential theft and deploying a malware dropper called SystemBC. "The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution," Rapid7 said , adding "external calls were typically made to the impacted users via Microsoft Teams." The attack chain then convinces the user to download and install a legitimate remote access software named AnyDesk, which acts as a channel for deploying follow-on payloads and exfiltrate sensitive data. This includes the use of an executable called "AntiSpam.exe" that purports to download email spam filters and urges users to enter their Windows credentials to complete the update. The step is followed by the execution of several binaries, DLL files, ...