The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as  APT29 . The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation. Previously attributed to the  supply chain compromise  of SolarWinds software, the cyber espionage group  attracted attention  in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives. "As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment," according to the  security bulletin . These include - Obtaining access to cloud infrastructure via service a...

Cybersecurity researchers have found that it's possible to compromise the Hugging Face Safetensors conversion service to ultimately hijack the models submitted by users and result in supply chain attacks. "It's possible to send malicious pull requests with attacker-controlled data from the Hugging Face service to any repository on the platform, as well as hijack any models that are submitted through the conversion service," HiddenLayer  said  in a report published last week. This, in turn, can be accomplished using a hijacked model that's meant to be converted by the service, thereby allowing malicious actors to request changes to any repository on the platform by masquerading as the conversion bot. Hugging Face is a popular collaboration platform that helps users host pre-trained machine learning models and datasets, as well as build, deploy, and train them. Safetensors is a  format  devised by the company to store  tensors  keeping security in mind, ...

A critical security flaw has been disclosed in a popular WordPress plugin called  Ultimate Member  that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress security company Wordfence  said  the plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query." As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries into already existing queries and extract sensitive data from the database. It's worth noting that the issue only affects users who have checked the "Enable custom table for usermeta" option in the plugin settings. ...

Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader. The attack has been attributed to a threat actor tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) under the moniker UAC-0184. "The attack, as part of the IDAT Loader, used steganography as a technique," Morphisec researcher Michael Dereviashkin said in a report shared with The Hacker News. "While steganographic, or 'Stego' techniques are well-known, it is important to understand their roles in defense evasion, to better understand how to defend against such tactics." IDAT Loader , which overlaps with another loader family called Hijack Loader, has been used to serve additional payloads like DanaBot, SystemBC, and RedLine Stealer in recent months. It has also been used by a threat actor tracked as TA544 to distribute Remcos RAT and SystemBC...

More than 8,000 domains and 13,000 subdomains belonging to legitimate brands and institutions have been hijacked as part of a sophisticated distribution architecture for spam proliferation and click monetization. Guardio Labs is tracking the coordinated malicious activity, which has been ongoing since at least September 2022, under the name SubdoMailing. The emails range from "counterfeit package delivery alerts to outright phishing for account credentials." The Israeli security company attributed the campaign to a threat actor it calls  ResurrecAds , which is known to resuscitate dead domains of or affiliated with big brands with the end goal of manipulating the digital advertising ecosystem for nefarious gains. "'ResurrecAds' manages an extensive infrastructure encompassing a wide array of hosts, SMTP servers, IP addresses, and even private residential ISP connections, alongside many additional owned domain names," security researchers Nati Tal and Ole...

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils. One of the packages in question,  execution-time-async , masquerades as its legitimate counterpart  execution-time , a library with more than 27,000 weekly downloads. Execution-time is a Node.js utility used to measure execution time in code. It "actually installs several malicious scripts including a cryptocurrency and credential stealer," Phylum  said , describing the campaign as a software supply chain attack targeting developers. The package was  downloaded 302 times  since February 4, 2024, before being taken down. In an interesting twist, the threat actors made efforts to conceal the obfuscated malicious code in a test file, which is designed to fetch nex...

Last year, the Open Worldwide Application Security Project (OWASP) published multiple versions of the " OWASP Top 10 For Large Language Models ," reaching a 1.0 document in August and a 1.1 document in October. These documents not only demonstrate the rapidly evolving nature of Large Language Models, but the evolving ways in which they can be attacked and defended. We're going to talk in this article about four items in that top 10 that are most able to contribute to the accidental disclosure of secrets such as passwords, API keys, and more. We're already aware that LLMs can reveal secrets because it's happened. In early 2023, GitGuardian reported it found over 10 million secrets in public Github commits. Github's Copilot AI coding tool was trained on public commits, and in September of 2023, researchers at the University of Hong Kong published a paper on how they created an algorithm that generated 900 prompts designed to get Copilot to reveal secrets from ...

Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as  Astaroth  (aka Guildma),  Mekotio , and  Ousaban  (aka Javali) to targets across Latin America (LATAM) and Europe. "The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s)," Cisco Talos researchers  disclosed  last week. The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns. Google Cloud Run is a  managed compute platform  that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloa...

The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise  seized control  of its servers. To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing. The administrator behind LockBit, in a  lengthy follow-up message , said some of their websites were confiscated by most likely exploiting a critical PHP flaw tracked as CVE-2023-3824, acknowledging that they didn't update PHP due to "personal negligence and irresponsibility." "I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed," they noted. They also cla...