The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

A new cyber mercenary hacker-for-hire group dubbed " Void Balaur " has been linked to a string of cyberespionage and data theft activities targeting thousands of entities as well as human rights activists, politicians, and government officials around the world at least since 2015 for financial gain while lurking in the shadows. Named after a  many-headed dragon  from Romanian folklore, the adversary has been unmasked advertising its services in Russian-speaking underground forums dating all the way back to 2017 and selling troves of sensitive information such as cell tower phone logs, passenger flight records, credit reports, banking data, SMS messages, and passport details. The threat actor calls itself "Rockethack." "This hacker-for-hire group does not operate out of a physical building, nor does it have a shiny prospectus that describes its services," Trend Micro researcher Feike Hacquebord  said  in a newly published profile of the collective. &qu

The operators of TrickBot trojan are collaborating with the Shathak threat group to distribute their wares, ultimately leading to the deployment of Conti ransomware on infected machines. "The implementation of  TrickBot  has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities," Cybereason security analysts Aleksandar Milenkoski and Eli Salem  said  in a report analysing recent malware distribution campaigns undertaken by the group. "TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors." The latest report builds on a report from IBM X-Force last month, which  revealed  TrickBot's partnerships with other cybercrime gangs, including Shathak, to deliver proprietary malware. Also tracked under the moniker TA551, Shathak is a sophisticated cybercrime actor targeting end-users on a global scale, acting as a malware distributor

Though we are recovering from the worst pandemic, cyber threats have shown no sign of downshifting, and cybercriminals are still not short of malicious and advanced ways to achieve their goals.  The  Global Threat Landscape Report  indicates a drastic rise in sophisticated cyberattacks targeting digital infrastructures, organizations, and individuals in 2021. Threats can take different forms with the intent to commit fraud and damage businesses and people. Ransomware,  DDoS attacks , phishing, malware, and man-in-the-middle attacks represent the greatest threat to businesses today. When new threats emerge, attackers take advantage of them – however, most businesses are only aware of the current threats. Organizations struggle to address these threats due to their resource sophistication and their lack of understanding of evolving threat landscapes. For these reasons, organizations need visibility on the advanced threats especially targeting their infrastructure. This article will o

There's a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you've got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard, you're only as secure as your weakest link. There's still one group that can inadvertently open the gates to unwanted threat actors—your own people. Security must be second nature for your first line of defense For your organization to thrive, you need capable employees. After all, they're your source for great ideas, innovation, and ingenuity. However, they're also human. And humans are fallible. Hackers understand no one is perfect, and that's precisely what they seek to exploit. This is why your people must become your first line of defense against cyber threats. But to do so, they need to learn how to defend thems

A state-sponsored threat actor allegedly affiliated with Iran has been linked to a series of targeted attacks aimed at internet service providers (ISPs) and telecommunication operators in Israel, Morocco, Tunisia, and Saudi Arabia, as well as a ministry of foreign affairs (MFA) in Africa, new findings reveal. The intrusions, staged by a group tracked as Lyceum, are believed to have occurred between July and October 2021, researchers from Accenture Cyber Threat Intelligence (ACTI) group and Prevailion's Adversarial Counterintelligence Team (PACT) said in a technical report. The names of the victims were not disclosed. The latest revelations throw light on the web-based infrastructure used by Lyceum, over 20 of them, enabling the identification of "additional victims and provide further visibility into Lyceum's targeting methodology," the researchers  noted , adding "at least two of the identified compromises are assessed to be ongoing despite prior public discl

A new zero-day vulnerability has been disclosed in Palo Alto Networks GlobalProtect VPN that could be abused by an unauthenticated network-based attacker to execute arbitrary code on affected devices with root user privileges. Tracked as CVE-2021-3064 (CVSS score: 9.8), the security weakness impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Massachusetts-based cybersecurity firm Randori has been credited with discovering and reporting the issue. "The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow," Randori researchers  said . "Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products." However, in a troubling turn of events, the company said it used this exploit as part of its red team engagements for nearly 10 months before disclosing it to Palo Alto Networks in late Septem

An ongoing mobile spyware campaign has been uncovered snooping on South Korean residents using a family of 23 malicious Android apps to siphon sensitive information and gain remote control of the devices. "With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices," Zimperium researcher Aazim Yaswant said. "The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss." The Dallas-based mobile security company dubbed the campaign " PhoneSpy ." Zimperium did not attribute the spyware to a known threat actor. "The evidence surrounding PhoneSpy shows a familiar framework that has been passed around for years, updated by individuals and shared within private communities and back channels until assembled into what we see in this variation today," Richard Melick, the co

As many as 13 security vulnerabilities have been discovered in the Nucleus TCP/IP stack, a software library now maintained by Siemens and used in three billion operational technology and IoT devices that could allow for remote code execution, denial-of-service (DoS), and information leak. Collectively called " NUCLEUS:13 ," successful attacks abusing the flaws can "result in devices going offline and having their logic hijacked," and "spread[ing] malware to wherever they communicate on the network," researchers from Forescout and Medigate said in a technical report published Tuesday, with one proof-of-concept (PoC) successfully  demonstrating  a scenario that could potentially disrupt medical care and critical processes. Siemens has since released  security updates  to remediate the weaknesses in Nucleus ReadyStart versions 3 (v2017.02.4 or later) and 4 (v4.1.1 or later). Primarily deployed in automotive, industrial, and medical applications, Nucleus

Cybersecurity researchers on Tuesday disclosed 14 critical vulnerabilities in the BusyBox Linux utility that could be exploited to result in a denial-of-service (DoS) condition and, in select cases, even lead to information leaks and remote code execution. The security weaknesses, tracked from CVE-2021-42373 through CVE-2021-42386, affect multiple versions of the tool ranging from 1.16-1.33.1, DevOps company JFrog and industrial cybersecurity company Claroty  said  in a joint report. Dubbed "the Swiss Army Knife of Embedded Linux,"  BusyBox  is a widely used software suite combining a variety of common Unix utilities or applets (e.g.,  cp ,  ls ,  grep ) into a single executable file that can run on Linux systems such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs). A quick list of the flaws and the applets they impact is below — man  - CVE-2021-42373 lzma/unlzma  - CVE-2021-42374 ash  - CVE-2021-42375 hus

Microsoft has released security updates as part of its monthly  Patch Tuesday  release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system. Of the 55 glitches, six are rated Critical and 49 are rated as Important in severity, with four others listed as publicly known at the time of release.  The most critical of the flaws are  CVE-2021-42321  (CVSS score: 8.8) and  CVE-2021-42292  (CVSS score: 7.8), each concerning a  post-authentication remote code execution flaw  in Microsoft Exchange Server and a security bypass vulnerability impacting Microsoft Excel versions 2013-2021 respectively. The Exchange Server issue is also one of the bugs that was demonstrated at the  Tianfu Cup  held in China last month. However, the Redmond-based tech giant did not provide any details on how the two aforem

No business is out of danger of cyberattacks today. However, specific industries are particularly at risk and a favorite of attackers. For years, the healthcare industry has taken the brunt of ransomware attacks, data breaches, and other cyberattacks. Why is the healthcare industry particularly at risk for a cyberattack? What are the unique challenges to cybersecurity in healthcare, and how can healthcare organizations address these? Healthcare at risk Attackers are targeting various industries across the board. However, attackers seem to have a particular affinity for healthcare organizations. For eleven consecutive years, in the  IBM Cost of a Data Breach Report 2021 , healthcare had the highest industry cost of a breach. Additionally, Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. However, the tremendous cost sustained by healthcare organizations for data breach events is not only due to the

Robinhood on Monday disclosed a security breach affecting approximately 7 million customers, roughly a  third of its user base , that resulted in unauthorized access of personal information by an unidentified threat actor. The commission-free stock trading and investing platform said the incident happened "late in the evening of November 3," adding it's in the process of notifying affected users. "Based on our investigation, the attack has been contained and we believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident," the Silicon Valley financial company  noted . The malicious third-party is believed to have socially engineered a customer service representative to gain access to internal support systems, using it to obtain the email addresses of five million users, full names for a different group of about two million people, and

The U.S. government on Monday charged a Ukrainian suspect, arrested in Poland last month, with deploying REvil ransomware to target multiple businesses and government entities in the country, including perpetrating the attack against software company Kaseya, marking the latest action to crack down on the cybercrime group and curb further attacks. According to unsealed court documents, 22-year-old Yaroslav Vasinskyi is  alleged  to have been part of the ransomware operation at least since March 2019 and deployed about 2,500 attacks against businesses worldwide. Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was apprehended at the Polish border on October 8 after an international arrest warrant was issued at the behest of U.S. authorities. In another major development, the Justice Department disclosed the seizure of $6.1 million in alleged ransomware payments received by Russian national Yevgeniy Polyanin, who is currently at large and has

Romanian law enforcement authorities have  announced  the arrest of two individuals for their roles as affiliates of the REvil ransomware family, dealing a severe blow to one of the most prolific cybercrime gangs in history. The suspects are believed to have  orchestrated  more than 5,000 ransomware attacks and extorted close to $600,000 from victims, according to Europol. The arrests, which happened on November 4, are part of a coordinated operation called GoldDust , which has resulted in the arrest of three other REvil affiliates and two suspects connected to GandCrab in Kuwait and South Korea since February 2021. This also includes a 22-year-old Ukrainian national, Yaroslav Vasinskyi, who was arrested in early October and has been accused of perpetrating the  devastating attack  on Florida-based software firm Kaseya in July 2021, affecting up to 1,500 downstream businesses. In all, the seven suspects linked to the two ransomware families are said to have targeted about 7,000 vic

At least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a  recently patched critical vulnerability  in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution. The spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor. "The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation," researchers from Palo Alto Networks' Unit 42 threat intelligence team  said  in a report. "Several other tools have novel characteristics or ha

A previously undocumented initial access broker has been unmasked as providing entry points to three different threat actors for mounting intrusions that range from financially motivated ransomware attacks to phishing campaigns. BlackBerry's research and intelligence team dubbed the entity " Zebra2104 ," with the group responsible for offering a means of a digital approach to ransomware syndicates such as MountLocker and Phobos, as well as the advanced persistent threat (APT) tracked under the moniker  StrongPity  (aka Promethium). The threat landscape as we know it has been increasingly dominated by a category of players known as the initial access brokers ( IABs ), who are known to provide other cyber-criminal groups, including ransomware affiliates, with a  foothold to an infinite pool of potential organizations  belonging to diverse geographies and sectors via persistent backdoors into the victim networks, effectively building a pricing model for remote access. &