The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed  VietCredCare  at least since August 2022. The malware is "notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance," Singapore-headquartered Group-IB  said  in a new report shared with The Hacker News. The end goal of the large-scale malware distribution scheme is to facilitate the takeover of corporate Facebook accounts by targeting Vietnamese individuals who manage the Facebook profiles of prominent businesses and organizations. Facebook accounts that have been successfully seized are then used by the threat actors behind the operation to post political content or to propagate phishing and affiliate scams for financial gain. VietCredCare is offered to other aspiring cybercriminals u...

On Thanksgiving Day 2023, while many Americans were celebrating, hospitals across the U.S. were doing quite the opposite. Systems were failing. Ambulances were diverted. Care was impaired. Hospitals in three states were  hit by a ransomware attack , and in that moment, the real-world repercussions came to light—it wasn't just computer networks that were brought to a halt, but actual patient care itself.  Cybercriminals are more brazen than ever, targeting smaller healthcare organizations for big payouts. Sure, it would be nice to believe thieves once lived by a code of conduct, but if one ever existed, it's been torn to shreds and tossed into the wind. Sophisticated hacker groups are now more than happy to launch cyberattacks on medical clinics, nursing homes, and other health service providers. Small- to mid-sized healthcare organizations have, unfortunately, become vulnerable targets from which cybercriminals can easily steal sensitive data, extort heavy ransoms, and, wors...

End-to-end encrypted (E2EE) messaging app Signal said it's piloting a new feature that allows users to create unique usernames (not to be confused with profile names) and keep the phone numbers away from prying eyes. "If you use Signal, your phone number will no longer be visible to everyone you chat with by default," Signal's Randall Sarafa  said . "People who have your number saved in their phone's contacts will still see your phone number since they already know it." Setting a new username requires account holders to provide two or more numbers at the end of it (e.g., axolotl.99) in an effort to keep them "egalitarian and minimize spoofing." Usernames can be changed any number of times, but it's worth noting that they are not logins or handles. Put differently, a username is an anonymous way to initiate conversations on the chat platform without having to share phone numbers. The feature is opt-in, although Signal said it's also taking steps to hide by default users' phone ...

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation. The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages. Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with  COLDRIVER , which has a history of harvesting credentials via bogus sign-in pages. The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages. The November wave...

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw. Tracked as  CVE-2024-22245  (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug. "A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)," the company  said  in an advisory. EAP,  deprecated as of March 2021 , is a software package that's designed to allow direct login to vSphere's management interfaces and tools through a web browser. It's not included by default and is not part of vCenter Server, ESXi, or Cloud Foundation. Also discovered in the same tool is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) that could permit a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EA...

A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir  said  in a technical report. The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines. The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots that are engineered to lower security defenses by disabling the following configuration options - protected-mode   replica-read-only aof-rewrite-incremental-fsync , and rdb-save-incremental-fsync It's suspected that these options are turned off in order to send additional commands to the Re...

The U.K. National Crime Agency (NCA) on Tuesday confirmed that it obtained LockBit's source code as well as a wealth of intelligence pertaining to its activities and their affiliates as part of a dedicated task force called  Operation Cronos . "Some of the data on LockBit's systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised," the agency  said . It also announced the arrest of two LockBit actors in Poland and Ukraine. Over 200 cryptocurrency accounts linked to the group have been frozen. Indictments and sanctions have also been unsealed in the U.S. against two other Russian nationals who are alleged to have carried out LockBit attacks. Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) have been accused of deploying LockBit against numerous victims throughout the U.S., including businesses nationw...

Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called  DLL side-loading  to circumvent detection by security software and run malicious code. The packages, named  NP6HelperHttptest  and  NP6HelperHttper , were each downloaded  537  and  166 times , respectively, before they were taken down. "The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding," ReversingLabs researcher Petar Kirhmajer  said  in a report shared with The Hacker News. The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision's employees to PyPI. In other words, the goal is to tr...

North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world. In a joint advisory published by Germany's Federal Office for the Protection of the Constitution (BfV) and South Korea's National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a "cost-effective" manner. "The regime is using the military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems including ballistic missiles, reconnaissance satellites and submarines," they  noted .  The infamous Lazarus Group has been blamed for one of the two hacking incidents, which involved the use of social engineering to infiltrate the defense sector as part of a long-standing operation called  Dream Job . The campaign has been  ongoing since August 2020  over several waves. In these attacks, the ...