Search results for watering hole | Breaking Cybersecurity News | The Hacker News

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems. Tracked as  CVE-2022-4116  (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges. "The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote-code execution (RCE)," Contrast Security researcher Joseph Beeton, who reported the bug,  said  in a write-up. Quarkus, developed by Red Hat, is an  open source project  that's used for creating Java applications in  containerized  and serverless environments. It's worth pointing out that the  issue  only impacts developers who are running Quarkus and are tricked into visiting a specially crafted website, which is embedded with malicious JavaScript code designed to install or execute arbitrary payload...

Cybersecurity researchers today uncovered a new advanced version of ComRAT backdoor, one of the earliest known backdoors used by the Turla APT group, that leverages Gmail's web interface to covertly receive commands and exfiltrate sensitive data. "ComRAT v4 was first seen in 2017 and known still to be in use as recently as January 2020," cybersecurity firm ESET said in a report shared with The Hacker News. "We identified at least three targets: two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region." Turla , also known as Snake, has been active for over a decade with a long history of the watering hole and spear-phishing campaigns against embassies and military organizations at least since 2004. The group's espionage platform started off as Agent.BTZ , in 2007, before it evolved to ComRAT , in addition to gaining additional capabilities to achieve persistence and to steal data from a local network. It...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2012-4792 (CVSS score: 9.3) - Microsoft Internet Explorer Use-After-Free Vulnerability CVE-2024-39891 (CVSS score: 5.3) - Twilio Authy Information Disclosure Vulnerability CVE-2012-4792 is a decade-old use-after-free vulnerability in Internet Explorer that could allow a remote attacker to execute arbitrary code via a specially crafted site. It's currently not clear if the flaw has been subjected to renewed exploitation attempts, although it was abused as part of watering hole attacks targeting the Council on Foreign Relations (CFR) and Capstone Turbine Corporation websites back in December 2012. On the other hand, CVE-2024-39891 refers to an information disclosure bug in an unauthenticated endpoint that could be exploited to "accept ...

The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News. The campaign, dubbed CapraTube, was first outlined by the cybersecurity company in September 2023, with the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT, a modified version of AndroRAT with capabilities to capture a wide range of sensitive data. Transparent Tribe, suspected to be of Pakistan origin, has leveraged CapraRAT for over two years in attacks targeting the Indian government and military personnel. The group has a history of lea...

US Cloud hosting providers are constantly targeted by cyber crime according the revelations of two malware researchers Mary Landesman, a senior security researcher at Cisco Systems, and Dave Monnier security expert at Team Cymru explained during the 2013 Gartner Security and Risk Management Summit. The hackers are exploiting with a meaningful increase these architecture to organize financially motivated attacks. Landesman and Monnier explained in two distinct sessions that cyber criminals are exploiting US cloud hosting providers to deploy Command and Control servers for their malicious activities despite the great effort in monitoring activities operated by hosting cloud providers. US is one of privileged countries to host malicious architecture due high availability of its infrastructures and cyber criminals know it. " You can move your command and control servers to Kazakhstan, but that's not a very good business decision," "The U.S. has re...

A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper. Cybersecurity firm Volexity  attributed  the watering hole attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021. The "clever disguise of exploit code amongst legitimate code" and the use of custom malware enables the attackers to avoid detection, Volexity researchers said. The attacks involved tampering with the jQuery JavaScript libraries hosted on the website to serve additional obfuscated JavaScript code from a remote URL, using it to leverage exploits for two Internet Explorer flaws that were patched by Microsoft in  August 2020  and  March 20...

Facebook may be banned in China, but the company on Wednesday said it has disrupted a network of bad actors using its platform to target the Uyghur community and lure them into downloading malicious software that would allow surveillance of their devices. "They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries," Facebook's Head of Cyber Espionage Investigations, Mike Dvilyanski, and Head of Security Policy, Nathaniel Gleicher,  said . "This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance." The social media giant said the "well-resourced and persistent operation" aligned with a threat actor known as  Evil Eye  (or Earth Empusa), a China-based collective known for its history of espionage attacks against the Muslim m...

Cybersecurity researchers are warning about a new malware that's striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio's live-streaming app to capture the screen of its victims. The attack involves deceiving gaming website visitors into downloading a malware loader camouflaged as a legitimate installer for popular-but-deprecated apps such as Adobe Flash Player or Microsoft Silverlight, only for the loader to act as a conduit for fetching next-stage payloads. Specifically, the websites' online support chat pages are booby-trapped with malicious JavaScript code, which is used to deliver the malware to the victims. "BIOPASS RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution,...

The North Korea-linked  ScarCruft  group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko  said  in a new report published today. Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control. The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper. The campaign, first uncovered by  Kaspersky  and  Volexity  last year,  entailed  the weaponization of two ...

An elusive threat actor called Earth Lusca has been observed striking organizations across the world as part of what appears to be simultaneously an espionage campaign and an attempt to reap monetary profits. "The list of its victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media, amongst others," Trend Micro researchers  said  in a new report. "However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies. The cybersecurity firm attributed the group as part of the larger China-based  Winnti cluster , which refers to a number of linked groups rather than a single discrete entity that are focused on intelligence gathering and intellectual property theft. Earth Lusca's intrusion routes are facilitated by spear-phishing and watering hole attacks...

Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-9680 (CVSS score: 9.8), has been described as a use-after-free bug in the Animation timeline component. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines," Mozilla said in a Wednesday advisory.  "We have had reports of this vulnerability being exploited in the wild." Security researcher Damien Schaeffer from Slovakian company ESET has been credited with discovering and reporting the vulnerability. The issue has been addressed in the following versions of the web browser -  Firefox 131.0.2 Firefox ESR 128.3.1, and Firefox ESR 115.16.1. There are currently no details on how the vulnerability is being exploited in real-world attacks and the identity of the threat actors behind them. T...

The North Korean nation-state group Kimusky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart since early 2022. Russian cybersecurity firm Kaspersky codenamed the cluster  GoldDragon , with the infection chains leading to the deployment of Windows malware designed to file lists, user keystrokes, and stored web browser login credentials. Included among the potential victims are South Korean university professors, think tank researchers, and government officials.  Kimsuky , also known as Black Banshee, Thallium, and Velvet Chollima, is the name given to a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gain intelligence on various topics of interest to the regime. Known to be operating since 2012, the group has a history of employing social engineering tactics, spear-phishing, and watering hole at...

Kim Dotcom today said on Twitter that Megaupload user data in Europe has been irreversibly lost because it was deleted by a Dutch hosting company called LeaseWeb.  LeaseWeb is based in Germany and has subsidiaries also in the United States, the company.  LeaseWeb has 60,000 servers under its management and more than 15,000 clients worldwide. " The greatest massacre data of history ", The news is shocking if we consider the wealth of information contained in the files.  Leaseweb has informed Kim Dotcom that all 630 servers they rented have been wiped clean. This means that petabytes of data belonging to Megaupload users is now gone without any notice. LeaseWeb responds to Kim Dotcom " When Megaupload was taken offline, 60 servers owned by MegaUpload were directly confiscated by the FIOD and transported to the US. Next to that, MegaUpload still had 630 rented dedicated servers with LeaseWeb. For clarity, these servers were not owned by MegaUpload, t...

Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan region have likely emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed  Kamran . The campaign, ESET has  discovered , leverages Hunza News (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors of the Urdu version to install its Android app directly hosted on the website. The app, however, incorporates malicious espionage capabilities, with the attack compromising at least 20 mobile devices to date. It has been available on the website since sometime between January 7, and March 21, 2023, around when  massive protests  were held in the region over land rights, taxation, and extensive power cuts. The malware, activated upon package installation, requests for intrusive permissions, allowing it to harvest sensitive information from the devices.  This includes contacts, call logs, calendar ...

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. "While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," ThreatFabric said in an analysis published this week. LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device. Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG," but is actually a Mach-O binary responsible for retrieving next-stage payloads...

The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. "Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report published last week. "The threat actor probably used these malware strains to control and steal data from the infected systems." The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities. Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that operates on behalf of North Korea's strategic...

Nine security flaws have been disclosed in electric power management products made by Schweitzer Engineering Laboratories (SEL). "The most severe of those nine vulnerabilities would allow a threat actor to facilitate remote code execution (RCE) on an engineering workstation," Nozomi Networks  said  in a report published last week. The issues, tracked as CVE-2023-34392 and from CVE-2023-31168 through CVE-2023-31175, have CVSS severity scores ranging from 4.8 to 8.8 and impact SEL-5030 acSELeratorQuickSet and SEL-5037 GridConfigurator, which are used to commission, configure, and monitor the devices. Exploitation of CVE-2023-31171 could be achieved by sending a phishing email that tricks a victim engineer into importing a specially crafted configuration file to achieve arbitrary code execution on the engineering workstation running the SEL software. What's more, the shortcoming can be chained with CVE-2023-31175 to obtain administrative privileges on the target workstation...

North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being zeroed in on by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly-targeted surveillance attacks. Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as  ScarCruft , also known as  APT37 , Reaper Group, InkySquid, and Ricochet Chollima. "The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications," the company's Global Research and Analysis Team (GReAT)  said  in a new report published today. "Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts." Likely active since at least 2012, ScarC...

The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine. The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically selected" systems associated with the Ukrainian military between March and April 2024. The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine. "Commandeering other threat actors' access highlights Secret Blizzard's approach to diversifying its attack vectors," the company said in a report shared with The Hacker News. Some of the other known methods employed by the hacking crew include adversary-in-the-middle ( AitM ) campaigns, strategic web compro...