The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

An unnamed high-profile government organization in Southeast Asia emerged as the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation codenamed Crimson Palace . "The overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests," Sophos researchers Paul Jaramillo, Morgan Demboski, Sean Gallagher, and Mark Parsons said in a report shared with The Hacker News. "This includes accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications." The name of the government organization was not disclosed, but the company said the country is known to have repeated conflict with China over territory in the South China Sea , raising the possibility that it may be the Philippines, which has been targeted by Chi

Early in 2024, Wing Security released its State of SaaS Security report , offering surprising insights into emerging threats and best practices in the SaaS domain. Now, halfway through the year, several SaaS threat predictions from the report have already proven accurate. Fortunately, SaaS Security Posture Management (SSPM) solutions have prioritized mitigation capabilities to address many of these issues, ensuring security teams have the necessary tools to face these challenges head-on. In this article, we will revisit our predictions from earlier in the year, showcase real-world examples of these threats in action, and offer practical tips and best practices to help you prevent such incidents in the future. It's also worth noting the overall trend of an increasing frequency of breaches in today's dynamic SaaS landscape, leading organizations to demand timely threat alerts as a vital capability. Industry regulations with upcoming compliance deadlines are demanding similar time-sens

An analysis of a nascent ransomware strain called RansomHub has revealed it to be an updated and rebranded version of Knight ransomware, itself an evolution of another ransomware known as Cyclops. Knight (aka Cyclops 2.0) ransomware first arrived in May 2023, employing double extortion tactics to steal and encrypt victims' data for financial gain. It's operational across multiple platforms, including Windows, Linux, macOS, ESXi, and Android. Advertised and sold on the RAMP cybercrime forum, attacks involving the ransomware have been found to leverage phishing and spear-phishing campaigns as a distribution vector in the form of malicious attachments. The ransomware-as-a-service (RaaS) operation has since shut down as of late February 2024, when its source code was put up for sale , raising the possibility that it may have changed hands to a different actor, who subsequently decided to update and relaunch it under the RansomHub brand. RansomHub, which posted its first v

You're probably familiar with the term "critical assets". These are the technology assets within your company's IT infrastructure that are essential to the functioning of your organization. If anything happens to these assets, such as application servers, databases, or privileged identities, the ramifications to your security posture can be severe.  But is every technology asset considered a critical asset? Moreover, is every technology asset considered a  business -critical asset? How much do we really know about the risks to our  business -critical assets?  Business-critical assets are the underlying technology assets of your business in general – and we all know that technology is just one of the 3 essential pillars needed for a successful business operation. In order to have complete cybersecurity governance, organizations should consider: 1) Technology, 2) Business processes, and 3) Key People. When these 3 pillars come together, organizations can begin to understand the

Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status. Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations. Impacted models include NAS326 running versions V5.21(AAZF.16)C0 and earlier, and NAS542 running versions V5.21(ABAG.13)C0 and earlier. The shortcomings have been resolved in versions V5.21(AAZF.17)C0 and V5.21(ABAG.14)C0, respectively. A brief description of the flaws is as follows - CVE-2024-29972 - A command injection vulnerability in the CGI program "remote_help-cgi" that could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request CVE-2024-29973 - A command injection vulnerability in the 'setCookie' parameter that could allow a

Popular video-sharing platform TikTok has acknowledged a security issue that has been exploited by threat actors to take control of high-profile accounts on the platform. The development was first reported by Semafor and Forbes , which detailed a zero-click account takeover campaign that allows malware propagated via direct messages to compromise brand and celebrity accounts without having to click or interact with it. It's currently unclear how many users have been affected, although a TikTok spokesperson said that the company has taken preventive measures to stop the attack and stop it from happening again in the future. The company further said that it's working directly with impacted account holders to restore access and that the attack only managed to compromise a "very small" number of users. It did not provide any specifics about the nature of the attack or the mitigation techniques it had employed. This is not the first time security issues have been un

Russian organizations are at the receiving end of cyber attacks that have been found to deliver a Windows version of a malware called Decoy Dog . Cybersecurity company Positive Technologies is tracking the activity cluster under the name Operation Lahat, attributing it to an advanced persistent threat (APT) group called HellHounds . "The Hellhounds group compromises organizations they select and gain a foothold on their networks, remaining undetected for years," security researchers Aleksandr Grigorian and Stanislav Pyzhov said . "In doing so, the group leverages primary compromise vectors, from vulnerable web services to trusted relationships." HellHounds was first documented by the firm in late November 2023 following the compromise of an unnamed power company with the Decoy Dog trojan. It's confirmed to have infiltrated 48 victims in Russia to date, including IT companies, governments, space industry firms, and telecom providers. There is evidence indi

Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could be potentially exploited by a remote attacker to bypass authentication and create rogue administrator users. The issue, tracked as CVE-2024-4358 , carries a CVSS score of 9.8 out of a maximum of 10.0. "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability," the company said in an advisory. The shortcoming has been addressed in Report Server 2024 Q2 (10.1.24.514). Sina Kheirkhah of Summoning Team, who is credited with discovering and reporting the flaw, described it as a "very simple" bug that could be exploited by a "remote unauthenticated attacker to create an administrator user and login." Besides updating to the latest version, Progress Software is urging cust

The landscape of browser security has undergone significant changes over the past decade. While Browser Isolation was once considered the gold standard for protecting against browser exploits and malware downloads, it has become increasingly inadequate and insecure in today's SaaS-centric world. The limitations of Browser Isolation, such as degraded browser performance and inability to tackle modern web-borne threats like phishing and malicious extensions, necessitate a shift towards more advanced solutions. These are the findings of a new report, titled " The Next Generation of RBI (Remote Browser Isolation) " ( Download here ). The Roots of Browser Isolation In the past, traditional signature-based antiviruses were commonly used to protect against on-device malware infections. However, they failed to block two main types of threats. The first, browser exploit, especially in Microsoft's Internet Explorer. The second, drive-by malware downloads, i.e using social e

A new sophisticated cyber attack has been observed targeting endpoints geolocated to Ukraine with an aim to deploy Cobalt Strike and seize control of the compromised hosts. The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection, "The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload and establish communication with a command-and-control (C2) server," security researcher Cara Lin said in a Monday report. "This attack employs various evasion techniques to ensure successful payload delivery." Cobalt Strike , developed and maintained by Fortra, is a legitimate adversary simulation toolkit used for red teaming operations. However, over the years, cracked versions of the software have been extensively exploited by threat actors for malicious purposes. The starting point of the attack is the Excel document that, when launched, dis

Cloud computing and analytics company Snowflake said a "limited number" of its customers have been singled out as part of a targeted campaign. "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform," the company said in a joint statement along with CrowdStrike and Google-owned Mandiant. "We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel." It further said the activity is directed against users with single-factor authentication, with the unidentified threat actors leveraging credentials previously purchased or obtained through information-stealing malware. "Threat actors are actively compromising organizations' Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single factor authenticat

Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted away from AutoIt scripts to an AutoHotkey mechanism to deliver the last stages, underscoring continued efforts on the part of the threat actors to continuously stay ahead of the detection curve. The updates have been observed in version 6 of DarkGate released in March 2024 by its developer RastaFarEye, who has been selling the program on a subscription basis to as many as 30 customers. The malware has been active since at least 2018. A fully-featured remote access trojan (RAT), DarkGate is equipped with command-and-control (C2) and rootkit capabilities, and incorporates various modules for credential theft, keylogging, screen capturing, and remote desktop. "DarkGate campaigns tend to adapt really fast, modifying different components to try to stay off security solutions," Trellix security researcher Ernesto Fernández Provecho said in a Monday analysis. "This is the first time

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized access to susceptible servers and take complete control. "Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document," CISA said. While the agency did not disclose the nature of attacks exploiting the vulnerability, the China-based cryptojacking group known as the 8220 Gang (aka Water Sigbin) has a history of leveraging it since early last year to co-opt unpatched devices into a crypto-mining bot

Cybersecurity researchers have uncovered a new suspicious package uploaded to the npm package registry that's designed to drop a remote access trojan (RAT) on compromised systems. The package in question is glup-debugger-log , which targets users of the gulp toolkit by masquerading as a "logger for gulp and gulp plugins." It has been downloaded 175 times to date. Software supply chain security firm Phylum, which discovered the package, said the software comes fitted with two obfuscated files that work in tandem to deploy the malicious payload. "One worked as a kind of initial dropper setting the stage for the malware campaign by compromising the target machine if it met certain requirements, then downloading additional malware components, and the other script providing the attacker with a persistent remote access mechanism to control the compromised machine," it said . Phylum's closer examination of the library's package.json file – which acts as

Law enforcement authorities behind Operation Endgame are seeking information related to an individual who goes by the name Odd and is allegedly the mastermind behind the Emotet malware.  Odd is also said to go by the nicknames Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron over the past few years, according to a video released by the agencies. "Who is he working with? What is his current product?," the video continues, suggesting that he is likely not acting alone and may be collaborating with others on malware other than Emotet. The threat actor(s) behind Emotet has been tracked by the cybersecurity community under the monikers Gold Crestwood, Mealybug, Mummy Spider, and TA542. Originally conceived as a banking trojan, it evolved into a broader-purpose tool capable of delivering other payloads, along the lines of malware such as TrickBot, IcedID, QakBot, and others. It re-emerged in late 2021, albeit as part of low-volume campaigns, following a law enforceme

Threat actors are evolving, yet Cyber Threat Intelligence (CTI) remains confined to each isolated point solution. Organizations require a holistic analysis across external data, inbound and outbound threats and network activity. This will enable evaluating the true state of cybersecurity in the enterprise. Cato's Cyber Threat Research Lab (Cato CTRL, see more details below) has recently released its first SASE threat report , offering a comprehensive view of and insights into enterprise and network threats. This is based on Cato's capabilities to analyze networks extensively and granularly (see report sources below).  About the Report The SASE Threat Report covers threats across a strategic, tactical and operational standpoint, utilizing the MITRE ATT&CK framework. It includes malicious and suspicious activities, as well as the applications, protocols and tools running on the networks. The report is based on: Granular data on every traffic flow from every endpoint communica

Now-patched authorization bypass issues impacting Cox modems could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands. "This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's PII, and gained essentially the same permissions of an ISP support team," security researcher Sam Curry said in a new report published today. Following responsible disclosure on March 4, 2024, the authorization bypass issues were addressed by the U.S. broadband provider within 24 hours. There is no evidence that these shortcomings were exploited in the wild. "I was really surprised by the seemingly unlimited access that ISPs had behind the scenes to customer devices," Curry told The Hacker News via email. "It makes sense in retrospect that an ISP should be able

The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. "Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report published last week. "The threat actor probably used these malware strains to control and steal data from the infected systems." The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities. Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that operates on behalf of North Korea's strategic