Search results for backdoor | Breaking Cybersecurity News | The Hacker News

Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device. Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices which is being used by individuals and businesses to host their files, and automatically backup and sync them with various cloud and web-based services. The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time. Since these devices have been designed to be connected over the Internet, the hardcoded backdoor would leave user data open to hackers. GulfTech research and development team has recently published an advisory detailing a hardcoded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to

Cybersecurity researchers have taken the wraps off a previously undocumented and stealthy custom malware called SockDetour that targeted U.S.-based defense contractors with the goal of being used as a secondary implant on compromised Windows hosts. "SockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails," Palo Alto Networks' Unit 42 threat intelligence  said  in a report published Thursday. "It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers." Even more concerningly, SockDetour is believed to have been used in attacks since at least July 2019, based on a compilation timestamp on the sample, implying that the backdoor successfully managed to slip past detection for over two-and-a-half years. The attacks have been attributed to a threat cluster it tracks as  TiltedTemple  (aka DEV-0322 by Microsof

Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

A number of D-Link routers reportedly have an issue that makes them susceptible to unauthorized backdoor access . The researcher Craig, specialized on the embedded device hacking - demonstrated the presence of a backdoor within some DLink routers that allows an attacker to access the administration web interface of network devices without any authentication and view/change its settings. He found the backdoor inside the firmware v1 . 13 for the DIR-100 revA . Craig found and extracted the SquashFS file system loading firmware's web server file system (/bin/webs) into IDA.  Giving a look at the string listing, the Craig's attention was captured by a modified version of thttpd , the thttpd - alphanetworks /2.23, implemented to provide the rights to the administrative interface for the router.  The library is written by Alphanetworks, a spin-off company of D-Link, analyzing it Craig found many custom functions characterized by a name starting with suffix "alpha"

Note — Don't miss an important update at the bottom of this article, which includes an official statement from Xiaomi . Do you own an Android Smartphone from Xiaomi, HTC, Samsung, or OnePlus? If yes, then you must be aware that almost all smartphone manufacturers provide custom ROMs like CyanogenMod, Paranoid Android, MIUI and others with some pre-loaded themes and applications to increase the device's performance. But do you have any idea about the pre-installed apps and services your manufacturer has installed on your device?, What are their purposes? And, Do they pose any threat to your security or privacy? With the same curiosity to find answers to these questions, a Computer Science student and security enthusiast from Netherlands who own a Xiaomi Mi4 smartphone started an investigation to know the purpose of a mysterious pre-installed app, dubbed AnalyticsCore.apk , that runs 24x7 in the background and reappeared even if you delete it. Xiaomi is one of the

The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a very meticulously planned and highly-sophisticated supply chain attack. A new report published by ReversingLabs today and shared in advance with The Hacker News has revealed that the operators behind the  espionage campaign  likely managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process. "The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system," ReversingLabs' Tomislav Pericin said. Cybersecurity firm FireEye earlier this week  detailed  how multiple SolarWin

A previously undocumented and mostly undetected variant of a Linux backdoor called  BPFDoor  has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week. " BPFDoor  retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said . BPFDoor (aka JustForFun), first documented by  PwC  and  Elastic Security Labs  in May 2022, is a passive Linux backdoor associated with a Chinese threat actor called  Red Menshen (aka  DecisiveArchitect  or Red Dev 18), which is known to single out telecom providers across the Middle East and Asia since at least 2021. The malware is specifically geared towards  establishing persistent remote access  to compromised target environments for extended periods of time, with evidence pointing to the hacking crew operating the backdoor undetected for years. BPFDoor gets its name from the u

Multiple backdoors have been discovered during a penetration test in the firmware of a widely used voice over Internet Protocol (VoIP) appliance from Auerswald, a German telecommunications hardware manufacturer, that could be abused to gain full administrative access to the devices. "Two backdoor passwords were found in the firmware of the  COMpact 5500R PBX ," researchers from RedTeam Pentesting said in a  technical   analysis  published Monday. "One backdoor password is for the secret user ' Schandelah ', the other can be used for the highest-privileged user ' admin .' No way was discovered to disable these backdoors." The vulnerability has been assigned the identifier  CVE-2021-40859  and carries a critical severity rating of 9.8. Following responsible disclosure on September 10, Auerswald addressed the problem in a firmware update (version 8.2B) released in November 2021. "Firmware Update 8.2B contains important security updates that you

The Chinese nation-state group known as  Camaro Dragon  has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which  dubbed  the Go-based malware TinyNote, said it functions as a first-stage payload capable of "basic machine enumeration and command execution via PowerShell or Goroutines." What the malware lacks in terms of sophistication, it makes up for it when it comes to establishing redundant methods to retain access to the compromised host by means of multiple persistency tasks and varied methods to communicate with different servers. Camaro Dragon overlaps with a threat actor widely tracked as Mustang Panda, a state-sponsored group from China that is known to be active since at least 2012. The adversarial collective was recently in the spotlight for a custom bespoke firmware implant called  Horse Shell  that co-opts TP-Link routers into a mesh network capable of transmitting co

Last week Craig Heffner, specialized on the embedded device hacking exposed a serious backdoor in number of D-Link routers allows unauthorized backdoor access. Recently he published his another researcher, Titled ' From China, With Love ', exposed that D-Link is not only the vendor who puts backdoors in their products. According to him, China based networking device and equipment manufacturer - Tenda Technology  (www.tenda.cn) also added potential backdoors into their Wireless Routers. He unpacked the software framework update and locate the httpd binary an found that the manufacturer is using GoAhead server, which has been substantially modified. These routers are protected with standard Wi-Fi Protected Setup (WPS) and WPA encryption key, but still by sending a UDP packet with a special string , an attacker could take over the router. Routers contain a flaw in the httpd component, as the MfgThread() function spawns a backdoor service that listens fo

Russian anti-virus company Doctor Web reported about the first cross-platform backdoor to run under Linux and Mac OS X identified as " BackDoor.Wirenet.1 ". This malicious program designed to steals passwords entered by the user in Opera, Firefox, Chrome, and Chromium, and passwords stored by such applications as Thunderbird, SeaMonkey, and Pidgin. BackDoor.Wirenet.1 is the first-ever Trojan that can simultaneously work on these operating systems. BackDoor.Wirenet.1 is still under investigation. At launch BackDoor.Wirenet.1 creates a copy in the user's home directory. To interact with the command server located at 212.7.208.65, the malware uses a special encryption algorithm Advanced Encryption Standard (AES). BackDoor.

Video Demonstration : Vsftpd backdoor discovered by Mathias Kresin 2.3.4 of vsftpd's downloadable source code was compromised and a backdoor added to the code. Evans, the author of vsftpd . This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was present in the vsftpd-2.3.4.tar.gz archive sometime before July 3rd 2011. The bad tarball included a backdoor in the code which would respond to a user logging in with a user name ":)" by listening on port 6200 for a connection and launching a shell when someone connects. Read more here Affected versions : vsftpd-2.3.4 from 2011-06-30 Metasploit demo : use exploit/unix/ftp/vsftpd_234_backdoor set RHOST localhost set PAYLOAD cmd/unix/interact exploit id uname -a Video Demonstration :

An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim's Microsoft Exchange Server with a "simple yet effective" backdoor dubbed  PowerExchange . According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as an initial access pathway, leading to the execution of a .NET executable contained with a ZIP file attachment. The binary, which masquerades as a PDF document, functions as a dropper to execute the final payload, which then launches the backdoor. PowerExchange, written in PowerShell, employs text files attached to emails for command-and-control (C2) communication. It allows the threat actor to run arbitrary payloads and upload and download files from and to the system. The custom implant achieves this by making use of the Exchange Web Services ( EWS ) API to connect to the victim's Exchange Server and uses a mailbox on the server to

An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor , according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or  TA453 ), while also calling out the backdoor's evasive PowerShell execution. "The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason,  said . "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy." The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversa

The use of small Unmanned Aerial Vehicles (UAVs) called Drones is rapidly transforming the way we go to war. Drones were once used for land surveillance, Delivering Pizza's, then equipped with bombs that changed the way nations conduct war and last year, these hovering drones were also used to hack Smartphones. Recently, a security researcher has found a backdoor in the Parrot AR Drones manufactured by a French-based company, that could allow a malicious hacker to remotely hijacked the radio controlled flying quadcopter helicopter. The Parrot AR Drone, revealed at the International CES 2010 in Las Vegas, is a quadricopter helicopter which you can control with your smartphone or tablet. It features two built-in cameras, is easy to fly, and can be controlled without too much danger of it flipping over or smashing into things. FIRST EVER MALWARE FOR DRONES Security researcher, Rahul Sasi claimed to have developed the first ever backdoor malware for AR drone ARM L

Thousands of computers and web servers running Linux and FreeBSD operating systems have been infected over past five years with sophisticated malware that turn the machines into spambots. The new Linux malware, discovered by the security researchers from the antivirus provider Eset, has been dubbed " Mumblehard " because it is Muttering spam from your servers , says Eset 23-page long report (PDF) titled "Unboxing Linux/Mumblehard." Researchers have logged more than 8,500 unique IP addresses during the seven months period of research that were hit by Mumblehard Linux malware and found over 3,000 machines joined them in the past three weeks. Mumblehard features two basic components: Backdoor  Spamming daemon  Both written in the Perl programming language and "feature the same custom packer written in assembly language." The backdoor allows hackers to infiltrate into the system and control the command and control servers, and t

Cybersecurity researchers with Qihoo 360's NetLab today unveiled details of two recently spotted zero-day cyberattack campaigns in the wild targeting enterprise-grade networking devices manufactured by Taiwan-based DrayTek. According to the report , at least two separate groups of hackers exploited two critical remote command injection vulnerabilities ( CVE-2020-8515 ) affecting DrayTek Vigor enterprise switches, load-balancers, routers and VPN gateway devices to eavesdrop on network traffic and install backdoors. The zero-day attacks started somewhere at the end of last November or at the beginning of December and are potentially still ongoing against thousands of publicly exposed DrayTek switche s, Vigor 2960, 3900, 300B devices that haven't yet been patched with the latest firmware updates released last month. The zero-day vulnerabilities in question can be exploited by any unauthorized remote attackers to inject and execute arbitrary commands on the system, as als