The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails. "The spear-phishing campaign's impact has targeted various industries, with manufacturing companies, retail firms, and government agencies being the most affected," Trend Micro said in a new analysis. "The malicious emails often impersonate official tax documents, using the urgency of personal income tax filings to trick users into downloading the malware." The cybersecurity company is tracking the threat activity cluster under the name Water Makara. It's worth pointing out that Google's Threat Analysis Group (TAG) has assigned the moniker PINEAPPLE to a similar intrusion set that delivers the same malware to Brazilian users. Both these campaigns share a point of commonality in that they commence with phishing messages that impersonate official entities su...

GitHub has released security updates for Enterprise Server (GHES) to address multiple issues, including a critical bug that could allow unauthorized access to an instance. The vulnerability, tracked as CVE-2024-9487, carries a CVS score of 9.5 out of a maximum of 10.0 "An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server," GitHub said in an alert. The Microsoft-owned company characterized the flaw as a regression that was introduced as part of follow-up remediation from CVE-2024-4985 (CVSS score: 10.0), a maximum severity vulnerability that was patched back in May 2024. Also fixed by GitHub are two other shortcomings - CVE-2024-9539 (CVSS score: 5.7) - An information disclosure vulnerability that could enable an attacker to ret...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain unauthorized access and make modifications. "SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data," CISA said in an advisory. Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later. The vulnerability "allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset req...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device's unlock pattern or PIN. "This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week. First spotted in the wild in 2019, TrickMo is so named for its associations with the TrickBot cybercrime group and is capable of granting remote control over infected devices, as well as stealing SMS-based one-time passwords (OTPs) and displaying overlay screens to capture credentials by abusing Android's accessibility services. Last month, Italian cybersecurity company Cleafy disclosed updated versions of the mobile malware with improved mechanisms to evade analysis and grant itself additional permissions to perform various malicious actions on the device, including carrying out unauthorized transactions. Some of the new varia...

Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT. The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload. "DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets," security researcher Muhammed Irfan V A said in an analysis. "DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures." PureCrypter, first publicly disclosed in 2022, is an off-the-shelf malware loader that's available for sale on a subscription basis, offering customers the ability to distribute information stealers, RATs, and ransomware. The exact initial access vector used to deliver PureCrypter and, by extensio...

North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign. The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said . FASTCash was first documented by the U.S. government in October 2018 as used by adversaries linked to North Korea in connection with an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016. "FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions," the agencies noted at the time. "In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enab...

In recent years, the number and sophistication of zero-day vulnerabilities have surged, posing a critical threat to organizations of all sizes. A zero-day vulnerability is a security flaw in software that is unknown to the vendor and remains unpatched at the time of discovery. Attackers exploit these flaws before any defensive measures can be implemented, making zero-days a potent weapon for cybercriminals. A recent example is, for instance, CVE-2024-0519 in Google Chrome: this high-severity vulnerability was actively exploited in the wild and involved an out-of-bounds memory access issue in the V8 JavaScript engine. It allowed remote attackers to access sensitive information or trigger a crash by exploiting heap corruption.  Also, the zero-day vulnerability at Rackspace caused massive trouble. This incident was a zero-day remote code execution vulnerability in ScienceLogic's monitoring application that led to the compromise of Rackspace's internal systems. The breach expose...

China's National Computer Virus Emergency Response Center (CVERC) has doubled down on claims that the threat actor known as Volt Typhoon is a fabrication of the U.S. and its allies. The agency, in collaboration with the National Engineering Laboratory for Computer Virus Prevention Technology, went on to accuse the U.S. federal government, intelligence agencies, and Five Eyes countries of conducting cyber espionage activities against China, France, Germany, Japan, and internet users globally. It also said there's "ironclad evidence" indicating that the U.S. carries out false flag operations in an attempt to conceal its own malicious cyber attacks, adding it's inventing the "so-called danger of Chinese cyber attacks" and that it has established a "large-scale global internet surveillance network." "And the fact that the U.S. adopted supply chain attacks, implanted backdoors in internet products and 'pre-positioned' has completely...

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma. Hijack Loader , also known as DOILoader, IDAT Loader, and SHADOWLADDER, first came to light in September 2023. Attack chains involving the malware loader typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies. Recent variations of these campaigns have been found to direct users to fake CAPTCHA pages that urge site visitors to prove they are human by copying and running an encoded PowerShell command that drops the malicious payload in the form of a ZIP archive. HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024 - A PowerShell script ...