The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Threat actors with suspected ties to Iran have been found to leverage instant messaging and VPN apps like Telegram and Psiphon to install a Windows remote access trojan (RAT) capable of stealing sensitive information from targets' devices since at least 2015. Russian cybersecurity firm Kaspersky, which pieced together the activity, attributed the campaign to an advanced persistent threat (APT) group it tracks as Ferocious Kitten, a group that has singled out Persian-speaking individuals allegedly based in the country while successfully operating under the radar. "The targeting of Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads were developed with the purpose of targeting Iranian users in mind," Kaspersky's Global Research and Analysis Team (GReAT)  said . "Moreover, the decoy content displayed by the malicious files often made use of political themes and involved images or videos of resistance bas

A solid password policy is the first line of defense for your corporate network. Protecting your systems from unauthorized users may sound easy on the surface, but it can actually be quite complicated. You have to balance password security with usability, while also following various regulatory requirements. Companies in the EU must have password policies that are compliant with the General Data Protection Regulation (GDPR). Even if your company isn't based in the EU, these requirements apply if you have employees or customers residing in the EU or customers purchasing there. In this post, we will look at GDPR requirements for passwords and provide practical tips on how to design your password policy. Remember, even if GDPR isn't required for you now, the fundamentals of a data protection regulation plan can help strengthen your organization's security.  Password requirements for GDPR compliance You may be surprised to discover that the GDPR laws do not actually mentio

Over the past two years, a shocking  51% of organizations surveyed in a leading industry report have been compromised by a cyberattack.  Yes, over half.  And this, in a world where enterprises deploy  an average of 53 different security solutions  to safeguard their digital domain.  Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and conducted by Global Surveyz Research, offers a quantifiable glimpse into this evolving battlefield, revealing a stark contrast between the growing risks and the tightening budget constraints under which cybersecurity professionals operate. With this report, Pentera has once again taken a magnifying glass to the state of pentesting to release its annual report about today's pentesting practices. Engaging with 450 security executives from North America, LATAM, APAC, and EMEA—all in VP or C-level positions at organizations with over 1,000 employees—the report paints a current picture of modern security validation prac

Cybersecurity researchers have disclosed a new executable image tampering attack dubbed "Process Ghosting" that could be potentially abused by an attacker to circumvent protections and stealthily run malicious code on a Windows system. "With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk," Elastic Security researcher Gabriel Landau  said . "This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)." Process Ghosting expands on previously documented  endpoint bypass  methods such as  Process Doppelgänging  and  Process Herpaderping , thereby enabling the veiled execution of malicious code that may evade anti-malware defenses and detection. Process Doppelgänging, analogous to  Process Hollowing , involves injecting arbitrary code in the address space of

Ukrainian law enforcement officials on Wednesday announced the arrest of the  Clop ransomware  gang, adding it disrupted the infrastructure employed in attacks targeting victims worldwide since at least 2019. As part of an international operation between the National Police of Ukraine and authorities from Interpol, Korea, and the U.S., six defendants have been accused of running a double extortion scheme wherein victims refusing to pay a ransom were threatened with the leak of sensitive financial, customer, or personal data stolen from them prior to encrypting the files. The ransomware attacks amount to $500 million in monetary damages, the National Police  said , noting that "law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies." Police officials are said to have conducted 21 searches in the Ukrainian capital of Kyiv, including the homes of the defendants, resulti

A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that  Lazarus  attackers are following the trends and their  arsenal  is in  constant development . "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity," Russian cybersecurity firm Kaspersky  said  in a deep-dive published Tuesday. Victims of the attack are in the manufacturing, home network service, media, and construction sectors. Designated as part of the Lazarus constellation, Andariel is known for unleashing attacks on South Korean organizations and businesses using specifically tailored methods created for maximum effectivity. In September 2019, the sub-group, along with Lazarus and Bluenoroff, was  sanctioned by the U.S. Treasury Department  for their malicious cyber activity on critical infrastructure. Anda

As ransomware attacks against critical infrastructure skyrocket, new research shows that threat actors behind such disruptions are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major targets. "Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains," researchers from Proofpoint said in a write-up shared with The Hacker News. "Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network." Besides angling for a piece of the illegal profits, the email and cloud security firm said it is currently tracking at least 10 different threat actors who play the role of "initial access facilitators" to supply affiliates and other cybercrime groups with an e

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek's software development kit (SDK) that could be abused by an adversary to gain improper access to audio and video streams. "Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds," CISA  said  in the alert. ThroughTek's point-to-point ( P2P ) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet. Tracked as CVE-2021-32934 (CVSS score: 9.1), the shortcoming affects ThroughTek P2P products, versions 3.1.5 and before as well as SDK versions with nossl tag, and stems from a lack of sufficient protection when transferring data between

Cybersecurity researchers on Tuesday disclosed "distinctive" tactics, techniques, and procedures (TTPs) adopted by operators of Hades ransomware that set it apart from the rest of the pack, attributing it to a financially motivated threat group called  GOLD WINTER . "In many ways, the GOLD WINTER threat group is a typical post-intrusion ransomware threat group that pursues high-value targets to maximize how much money it can extort from its victims," researchers from SecureWorks Counter Threat Unit (CTU) said in an analysis shared with The Hacker News. "However, GOLD WINTER's operations have quirks that distinguish it from other groups." The findings come from a study of incident response efforts the Atlanta-based cybersecurity firm engaged in the first quarter of 2021. Since first emerging in the threat landscape in December 2020, Hades has been classified as INDRIK SPIDER's successor to  WastedLocker  ransomware with "additional code o

Instagram has patched a new flaw that allowed anyone to view archived posts and stories posted by private accounts without having to follow them. "This bug could have allowed a malicious user to view targeted media on Instagram," security researcher Mayur Fartade  said  in a Medium post today. "An attacker could have been able to see details of private/archived posts, stories, reels, IGTV without following the user using Media ID." Fartade disclosed the issue to Facebook's security team on April 16, 2021, following which the shortcoming was patched on June 15. He was also awarded $30,000 as part of the company's bug bounty program. Although the attack requires knowing the media ID associated with an image, video, or album, by brute-forcing the identifiers, Fartade demonstrated that it was possible to craft a POST request to a GraphQL endpoint and retrieve sensitive data. As a consequence of the flaw, details such as like/comment/save count, display_

Apple on Monday shipped out-of-band security patches to address two zero-day vulnerabilities in iOS 12.5.3 that it says are being actively exploited in the wild. The latest update, iOS 12.5.4 , comes with fixes for three security bugs, including a memory corruption issue in ASN.1 decoder (CVE-2021-30737) and two flaws concerning its WebKit browser engine that could be abused to achieve remote code execution — CVE-2021-30761  - A memory corruption issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was addressed with improved state management. CVE-2021-30762  - A use-after-free issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was resolved with improved memory management. Both CVE-2021-30761 and CVE-2021-30762 were reported to Apple anonymously, with the Cupertino-based company stating in its advisory that it's aware of reports that th

Google on Monday announced that it's rolling out client-side encryption to Google Workspace (formerly G Suite), thereby giving its enterprise customers direct control of encryption keys and the identity service they choose to access those keys. "With client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google's native web-based collaboration, access content on mobile devices, and share encrypted files externally," the search giant  said .  "When combined with our other encryption capabilities, customers can add new levels of data protection for their Google Workspace data." The development coincides with the Google Workspace and Google Chat's  broader availability to all users  with a Google account. Workspace is the company's enterprise offering consisting of Gmail, Chat, Calendar, Drive, Docs, Sheets, Slides, Meet, and other tools. Businesses using Google Workspace have the choice o

A new cyber espionage group named Gelsemium has been linked to a  supply chain attack targeting the NoxPlayer  Android emulator that was disclosed earlier this year. The findings come from a systematic analysis of multiple campaigns undertaken by the APT crew, with evidence of the earliest attack dating back all the way to 2014 under the codename  Operation TooHash  based on malware payloads deployed in those intrusions. "Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities," cybersecurity firm ESET  said  in an analysis published last week. "Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand." Targeted countries include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi

In response to malicious actors targeting US federal IT systems and their supply chain, the President released the " Executive Order on Improving the Nation's Cybersecurity  (Executive Order)." Although directed at Federal departments and agencies, the Executive Order will likely have a ripple effect through the Federal technology supply stream. Private companies and enterprises will look to the Executive Order to build their best practices. At a high level, the Executive Order includes information-sharing requirements, a push toward cloud and Zero Trust architectures, and enhancing transparency throughout the software supply chain. Understanding the fundamentals of the White House Executive Order on Improving the Nation's Cybersecurity The bulk of the Executive Order focuses on administrative tasks associated with it, including redefining contract language, setting timelines, and defining agency roles and responsibilities. For enterprises that don't supply technolog

Even as a massive data breach affecting Air India came to light the previous month, India's flag carrier airline appears to have suffered a separate cyber assault that lasted for a period of at least two months and 26 days, new research has revealed, which attributed the incident with moderate confidence to a Chinese nation-state threat actor called APT41. Group-IB dubbed the campaign "ColunmTK" based on the names of command-and-control (C2) server domains that were used for facilitating communications with the compromised systems.  "The potential ramifications of this incident for the entire airline industry and carriers that might yet discover traces of ColunmTK in their networks are significant," the Singapore-headquartered threat hunting company  said . While Group-IB alluded that this may have been a supply chain attack targeting SITA, the Swiss aviation information technology company told The Hacker News that they are two different security incidents.

Google's upcoming plans to replace third-party cookies with a less invasive ad targeted mechanism have a number of issues that could defeat its privacy objectives and allow for significant linkability of user behavior, possibly even identifying individual users. "FLoC is premised on a compelling idea: enable ad targeting without exposing users to risk,"  said  Eric Rescorla, author of TLS standard and chief technology officer of Mozilla. "But the current design has a number of privacy properties that could create significant risks if it were to be widely deployed in its current form." Short for Federated Learning of Cohorts,  FLoC  is part of Google's fledgling  Privacy Sandbox  initiative that aims to develop alternate solutions to satisfy cross-site use cases without resorting to third-party cookies or other opaque tracking mechanisms. Essentially, FLoC allows marketers to guess users' interests without having to uniquely identify them, thereby eli

Multiple critical security flaws have been disclosed in Samsung's pre-installed Android apps, which, if successfully exploited, could have allowed adversaries access to personal data without users' consent and take control of the devices.  "The impact of these bugs could have allowed an attacker to access and edit the victim's contacts, calls, SMS/MMS, install arbitrary apps with device administrator rights, or read and write arbitrary files on behalf of a system user which could change the device's settings," Sergey Toshin, founder of mobile security startup Oversecured,  said  in an analysis published Thursday. Toshin reported the flaws to Samsung in February 2021, following which  patches were issued  by the manufacturer as part of its monthly security updates for April and May. The list of the seven vulnerabilities is as follows - CVE-2021-25356  - Third-party authentication bypass in Managed Provisioning CVE-2021-25388  - Arbitrary app installation