The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition software have come under active exploitation in the wild. To that end, it has added the vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5, 2024. The security flaws are listed below - CVE-2024-9463 (CVSS score: 9.9) - Palo Alto Networks Expedition OS Command Injection Vulnerability CVE-2024-9465 (CVSS score: 9.3) - Palo Alto Networks Expedition SQL Injection Vulnerability Successful exploitation of the vulnerabilities could allow an unauthenticated attacker to run arbitrary OS commands as root in the Expedition migration tool or reveal its database contents. This could then pave the way for disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, or cr...

Multiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for using them in phishing attacks and investment fraud schemes for years. The findings come from Infoblox, which said it identified nearly 800,000 vulnerable registered domains over the past three months, of which approximately 9% (70,000) have been subsequently hijacked. "Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names," the cybersecurity company said in a deep-dive report shared with The Hacker News. "Victim domains include well-known brands, non-profits, and government entities." The little-known attack vector, although originally documented by security researcher Matthew Bryant way back in 2016, didn't attract a lot of attention until the scale of the hijacks was disclosed earlier this August. "I believe there is more awareness [since then]," Dr. Renee Burton, vice pre...

Google has revealed that bad actors are leveraging techniques like landing page cloaking to conduct scams by impersonating legitimate sites. "Cloaking is specifically designed to prevent moderation systems and teams from reviewing policy-violating content which enables them to deploy the scam directly to users," Laurie Richardson, VP and Head of Trust and Safety at Google, said . "The landing pages often mimic well-known sites and create a sense of urgency to manipulate users into purchasing counterfeit products or unrealistic products." Cloaking refers to the practice of serving different content to search engines like Google and users with the ultimate goal of manipulating search rankings and deceiving users. The tech giant said it has also observed a cloaking trend wherein users clicking on ads are redirected via tracking templates to scareware sites that claim their devices are compromised with malware and lead them to other phony customer support sites, w...

Ransomware isn't just a buzzword; it's one of the most dreaded challenges businesses face in this increasingly digitized world. Ransomware attacks are not only increasing in frequency but also in sophistication, with new ransomware groups constantly emerging. Their attack methods are evolving rapidly, becoming more dangerous and damaging than ever. Almost all respondents (99.8%) in a recent survey said they are concerned about the risk of identity information, session cookies and other data being extracted from devices infected with malware, activities highly correlated to a future ransomware attack. [1] The harsh reality is that ransomware threats aren't going away anytime soon. Despite organizations' best efforts to prevent these attacks, breaches still happen. As such, backup and disaster recovery become your critical last line of defense against these growing threats. However, many organizations overlook essential disaster recovery (DR) practices, leaving them vulnerable to cybe...

Advertising on TikTok is the obvious choice for any company trying to reach a young market, and especially so if it happens to be a travel company, with 44% of American Gen Zs saying they use the platform to plan their vacations. But one online travel marketplace targeting young holidaymakers with ads on the popular video-sharing platform broke GDPR rules when a third-party partner misconfigured a TikTok pixel on one of its regional sites. An intriguing new case study reveals how the cyber security company that discovered the problem stopped a data breach from becoming a costly flood.  For the full case study, click here .  Dangers Close to Home Cyberattacks often make the headlines because hacking is a natural attention-grabber. The groups behind the attacks seem like modern-day highwaymen, shadowy figures who can rob countless victims from behind a mask of anonymity. Faceless criminals like these will always grab readers' attention, and while this is understandable, we'...

Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr . The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including RustBucket .  Extended attributes refer to additional metadata associated with files and directories that can be extracted using a dedicated command called xattr . They are often used to store information that goes beyond the standard attributes, such as file size, timestamps, and permissions. The malicious applications discovered by Group-IB are built using Tauri , a cross-platform desktop application framework, and signed with a leaked certificate that has since been revoked by Apple. They include an extended attribute that's configured to fetch and run a shell script. The execution of...

A newly patched security flaw impacting Windows NT LAN Manager (NTLM) was exploited as a zero-day by a suspected Russia-linked actor as part of cyber attacks targeting Ukraine. The vulnerability in question, CVE-2024-43451 (CVSS score: 6.5), refers to an NTLM hash disclosure spoofing vulnerability that could be exploited to steal a user's NTLMv2 hash. It was patched by Microsoft earlier this week. "Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability," Microsoft revealed in its advisory. Israeli cybersecurity company ClearSky, which discovered the zero-day exploitation of the flaw in June 2024, said it's been abused as part of an attack chain that delivers the open-source Spark RAT malware. "The vulnerability activates URL files, leading to malicious activity," the company said, adding the malicious file...

A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities. The activity, linked to a group called WIRTE , has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis. "The [Israel-Hamas] conflict has not disrupted the WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations," the company said . "In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel." WIRTE is the moniker assigned to a Middle Eastern advanced persistent threat (APT) that has been active since at least August 2018, targeting a broad spectrum of entities across the region. It was first documented by Spanish cybersecurity company S2 Grupo. The hacking crew is assessed to be part of a politically motivated group ca...

Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks." ShrinkLocker was first documented in May 2024 by Kaspersky, which found the malware's use of Microsoft's native BitLocker utility for encrypting files as part of extortion attacks targeting Mexico, Indonesia, and Jordan. It appears to have been adapted from benign ten-year-old code. Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, once again highlighting how threat actors are increasingly abusing trusted relationships to ...