The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A new wave of international law enforcement actions has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group. This includes the arrest of a suspected LockBit developer in France while on holiday outside of Russia, two individuals in the U.K. who allegedly supported an affiliate, and an administrator of a bulletproof hosting service in Spain used by the ransomware group, Europol said in a statement. In conjunction, authorities outed a Russian national named Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as one of the high-ranking members of the Evil Corp cybercrime group, while simultaneously painting him as a LockBit affiliate. Sanctions have also been announced against seven individuals and two entities linked to the e-crime gang. "The United States, in close coordination with our allies and part...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Ivanti Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-29824 , carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. "An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code," the software service provider said in an advisory released on May 21, 2024. Horizon3.ai, which released a proof-of-concept (PoC) exploit for the flaw in June, said the issue is rooted in a function called RecordGoodApp() within a DLL named PatchBiz.dll. Specifically, it concerns how the function handles an SQL query statement, thereby allowing an attacker to gain remote code execution via xp_cmdshe...

A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, per findings from Group-IB. The campaign is part of a consumer investment fraud scheme that's also widely known as pig butchering , in which prospective victims are lured into making investments in cryptocurrency or other financial instruments after gaining their trust under the guise of a romantic relationship or an investment advisor. Such manipulative and social engineering operations often end with the victims losing their funds, and in some cases, the extraction of even more money from them by requesting various fees and other payments. The Singapore-headquartered company said the campaign has a global reach, with victims reported across Asia-Pacific, European, Middle East, and Africa. The bogus apps, built using the UniApp Framework, have been classified under the moniker UniShadowTrade . The activity cluster i...

A previously undocumented threat actor called CeranaKeeper has been linked to a string of data exfiltration attacks targeting Southeast Asia. Slovak cybersecurity firm ESET, which observed campaigns targeting governmental institutions in Thailand starting in 2023, attributed the activity cluster as aligned to China, leveraging tools previously identified as used by the Mustang Panda actor. "The group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration," security researcher Romain Dumont said in an analysis published today. "CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools." Some of the other countries targeted by the adversary include Myanmar, the Philippines, Japan, and Taiwan, all of which have been targeted by Chinese state-sponsored threat actors in recent years. ESET described CeranaKeeper a...

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applications. "A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection," Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis. More_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts. It's attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08 ), Cobalt, and Evilnum. Earlier this June, eSentire disclosed details of a similar attack that leverages ...

A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. "These vulnerabilities could enable attackers to take control of a router by injecting malicious code, allowing them to persist on the device and use it as a gateway into enterprise networks," Forescout Vedere Labs said in a technical report shared with The Hacker News. Of the 14 security flaws – collectively called DRAY:BREAK – two are rated critical, nine are rated high, and three are rated medium in severity. The most critical of the shortcomings is a flaw that has been awarded the maximum CVSS score of 10.0. CVE-2024-41592 concerns a buffer overflow bug in the "GetCGI()" function in the Web user interface that could lead to a denial-of-service (DoS) or remote code execution (RCE) when processing the query string parameters. Another critical vulnerability (CVE-2024-41...

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting. Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming, credited to a researcher named " spacewasp ," was patched by Adobe in June 2024. Dutch security firm Sansec, which has described CosmicSting as the "worst bug to hit Magento and Adobe Commerce stores in two years," said the e-commerce sites are being compromised at the rate of three to five per hour. The flaw has since come under widespread exploitation , prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024. Some of these attacks involve weaponizing the flaw to ste...

Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators. Effective analysis must be fast, in-depth, and precise. These five tools will help you achieve it with ease. 1. Interactivity Having the ability to interact with the malware and the system in real-time is a great advantage when it comes to dynamic analysis. This way, you can not only observe its execution but also see how it responds to your inputs and triggers specific behaviors.  Plus, it saves time by allowing you to download samples hosted on file-sharing websites or open those packed inside an archive, which is a common way to deliver payloads to victims. The initial phishing email containing the malicious pdf and password for the archive Check out this sandbox session in the ANY.RUN sandbox that shows how interactivity is used for analyzing th...

Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack. "While the attackers didn't succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated," Symantec, part of Broadcom, said in a report shared with The Hacker News. Andariel is a threat actor that's assessed to be a sub-cluster within the infamous Lazarus Group. It's also tracked as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly. It's been active since at least 2009. An element within North Korea's Reconnaissance General Bureau (RGB), the hacking crew has a track record of deploying ransomware strains such as SHATTEREDGLASS and Maui , while also developing an arsenal of custom backdoors like Dtrack (aka Valefor and Preft), ...