The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT . Remcos RAT "provides purchases with a wide range of advanced features to remotely control computers belonging to the buyer," Fortinet FortiGuard Labs researcher Xiaopeng Zhang said in an analysis published last week. "However, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts." The starting point of the attack is a phishing email that uses purchase order-themed lures to convince recipients to open a Microsoft Excel attachment. The malicious Excel document is designed to exploit a known remote code execution flaw in Office ( CVE-2017-0199 , CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.e...

Palo Alto Networks on Friday issued an informational advisory urging customers to ensure that access to the PAN-OS management interface is secured because of a potential remote code execution vulnerability. "Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface," the company said . "At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation." In the interim, the network security vendor has recommended that users correctly configure the management interface in line with the best practices, and make sure that access to it is possible only via trusted internal IPs to limit the attack surface. It goes without saying that the management interface should not be exposed to the Internet. Some of the other guidelines to reduce exposure are listed below - Isolate the management interface on a dedicated management VLAN Use jump servers...

The 36-year-old founder of the Bitcoin Fog cryptocurrency mixer has been sentenced to 12 years and six months in prison for facilitating money laundering activities between 2011 and 2021. Roman Sterlingov, a dual Russian-Swedish national, pleaded guilty to charges of money laundering and operating an unlicensed money-transmitting business earlier this March. The U.S. Department of Justice (DoJ) described Bitcoin Fog as the darknet's longest-running cryptocurrency mixer , allowing cybercriminals to conceal the source of their cryptocurrency proceeds. "Over the course of its decade-long operation, Bitcoin Fog gained notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement and processed transactions involving over 1.2 million bitcoin, valued at approximately $400 million at the time the transactions occurred," the DoJ said . "The bulk of this cryptocurrency came from darknet marketplaces and was tied ...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

Let's face it—traditional security training can feel as thrilling as reading the fine print on a software update. It's routine, predictable, and, let's be honest, often forgotten the moment it's over. Now, imagine cybersecurity training that's as unforgettable as your favorite show. Remember how "Hamilton" made history come alive, or how "The Office" taught us CPR (Staying Alive beat, anyone?)? That's the transformative power of storytelling—and it's exactly what Huntress Managed Security Awareness Training (SAT) is bringing to cybersecurity. Why Storytelling is the Secret Weapon in Security Training: Human brains are wired for stories; it's how we process complex information and retain it. Stories give lessons meaning and make concepts stick, so why not apply this to something as vital as cybersecurity awareness? In our upcoming webinar, " Storytime with Huntress Managed Security Awareness Training ," we're diving into why storytelling isn't just ...

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report. AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio. Active since at least 2022, it has previously leveraged flaws in the Apache web server ( CVE-2021-41773 ), Laravel Framework ( CVE-2018-15133 ), and PHPUnit ( CVE-2017-9841 ) to gain initial access, escalate privileges, and establish persistent control over compromised systems. Earlier this January, U.S. cybersecurity and intelligence a...

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony. The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point said in a technical write-up published this week. "ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command-and-control communications," the Israeli company said . ElizaRAT is a Windows remote access tool (RAT) that Transparent Tribe was first observed using in July 2023 as part of cyber attacks targeting Indian government sectors. Active since at least 2013, the adversary is also tracked under the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM. Its malware ar...

We've all heard a million times: growing demand for robust cybersecurity in the face of rising cyber threats is undeniable. Globally small and medium-sized businesses (SMBs) are increasingly targeted by cyberattacks but often lack the resources for full-time Chief Information Security Officers (CISOs). This gap is driving the rise of the virtual CISO (vCISO) model, offering a cost-effective solution, and giving SMBs access to strategic security leadership.  For MSPs and MSSPs this shift represents both a challenge and an opportunity. Over 94% of service providers recognize the increasing need for vCISO services, yet, over 25% of providers report lacking the cybersecurity and compliance expertise needed to offer vCISO services.  This gap is exactly why the vCISO Academy was created —to empower service providers with the knowledge and skills they need to thrive in this evolving landscape.  The vCISO Academy is a free, professional learning platform designed to equip ...

A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber . "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available commodity malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures," Socket security researcher Kirill Boychenko said in a report shared with The Hacker News. The list of malicious packages is as follows - node-dlls (77 downloads) ro.dll (74 downloads) autoadv (66 downloads) rolimons-api (107 downloads) It's worth pointing out that "node-dlls" is an attempt on part of the threat actor to masquerade as the legitimate node-dll packa...

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. The "intriguing" campaign, codenamed CRON#TRAP , starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email. "What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server," Securonix researchers Den Iuzvyk and Tim Peck said in an analysis. "This setup allows the attacker to maintain a stealthy presence on the victim's machine, staging further malicious activity within a concealed environment, making detection challenging for traditional antivirus solutions." The phishing messages purport to be an "OneAmerica survey" th...