The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

A coordinated law enforcement effort has dismantled an online phone number spoofing service called  iSpoof  and arrested 142 individuals linked to the operation. The websites, ispoof[.]me and ispoof[.]cc, allowed the crooks to "impersonate trusted corporations or contacts to access sensitive information from victims," Europol  said  in a press statement. Worldwide losses exceeded €115 million ($ 119.8 million), with over 200,000 potential victims believed to have been directly targeted through iSpoof in the U.K. alone, the Metropolitan Police  noted .  Among the 142 people arrested is the administrator of the website, who was apprehended in the U.K. on November 6, 2022. The website and its server were subsequently seized and taken offline two days later by Ukrainian and U.S. agencies. Per the National Police Corps, the helpdesk fraud  allowed  registered subscribers on the online portal to mask their phone numbers and make calls impersonating banks, retail companies, an

Interpol on Thursday  announced  the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering. The international police operation, dubbed  HAECHI-III , transpired between June 28 and November 23, 2022, resulting in the arrests of 975 individuals and the closure of more than 1,600 cases. This comprised two fugitives wanted by South Korea for their supposed involvement in a Ponzi scheme to embezzle €28 million from 2,000 victims. Another instance pertained to a call center scam based out of India, wherein a group of criminals impersonated Interpol and Europol officers to trick victims in Austria into transferring funds. The call centers operated from New Delhi and Noida. The illegal activity informed the victims that their "identities were stolen and crime pertaining to narcotics drugs were committed in their names," forcing them to make a money transfer. "In order to clear themselve

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like  BlackCat ,  Hive , and  Luna . The latest version, dubbed RansomExx2 by the threat actor known as Hive0091 (aka DefrayX), is primarily designed to run on the Linux operating system, although it's expected that a Windows version will be released in the future. RansomExx, also known as Defray777 and Ransom X, is a  ransomware   family  that's known to be active since 2018. It has since been linked to a number of attacks on government agencies, manufacturers, and other high-profile entities like Embraer and GIGABYTE. "Malware written in Rust often benefits from lower [antivirus] detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language," IBM Security X-Force researcher Charlotte Hammond  said  in a report published this week.

A set of five medium-severity security flaws in Arm's Mali GPU driver has continued to remain unpatched on Android devices for months, despite fixes released by the chipmaker. Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022. "These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo, and others)," Project Zero researcher Ian Beer  said  in a report. "Devices with a Mali GPU are currently vulnerable." The vulnerabilities, collectively tracked under the identifiers  CVE-2022-33917  (CVSS score: 5.5) and  CVE-2022-36449  (CVSS score: 6.5), concern a case of improper memory processing, thereby allowing a non-privileged user to gain access to freed memory. The second flaw, CVE-2022-36449, can be further weaponized to write outside of buffer bounds and disclose details of memory mappings, according to an  advisory  issued by Arm. The lis

As 2022 comes to an end, now's the time to level up your bug bounty program with Intigriti. Are you experiencing slow bug bounty lead times, gaps in security skills, or low-quality reports from researchers? Intigriti's expert triage team and global community of ethical hackers are enabling businesses to protect themselves against every emerging cybersecurity threat. Join the likes of Intel, Yahoo, and Sixt who levelled up their security with Intigriti to enjoy higher quality bug bounty reports, faster lead times, and an intuitive platform. Our expert triage team, renowned community management, and impact-focused customer support are enabling businesses to protect themselves against emerging cybersecurity threats. Build a better bug bounty program   Intigriti is more than a bug bounty platform. Our managed security service takes the pain out of vulnerability disclosure and uses our active hacking community to suit your exact security needs. Moving bug bounties can feel li

The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information. The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET  said  in a new report shared with The Hacker News. At least eight different variants of the spyware apps have been discovered to date, with them being trojanized versions of legitimate VPN apps like SoftVPN and OpenVPN . None of these apps are available on Google Play Store. The tampered apps and their updates are pushed to users through the fraudulent website. It's also suspected that the targets are carefully selected, since launching the app requires the victim to enter an activation key to enable the features. This implies the use of an undetermined distribution vector, although past evidence s

The Android banking fraud malware known as SharkBot has reared its head once again on the official Google Play Store, posing as file managers to bypass the app marketplace's restrictions. A majority of the users who downloaded the rogue apps are located in the U.K. and Italy, Romanian cybersecurity company Bitdefender  said  in an analysis published this week. SharkBot, first  discovered  towards the end of 2021 by Cleafy, is a  recurring   mobile   threat  distributed both on the Google Play Store and other third-party app stores. One of the trojan's primary goals is to initiate money transfers from compromised devices via a technique called "Automatic Transfer System" ( ATS ), in which a transaction triggered via a banking app is intercepted to swap the payee account with an actor-controlled account in the background. It's also capable of serving a fake login overlay when users attempt to open legitimate banking apps, stealing the credentials in the proce

Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks. "In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and Danielle Frankel  said  in a report shared with The Hacker News. Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as a leverage to extort cryptocurrency payments by threatening to release the stolen information. This is not the first time the ransomware crew has been observed using Qakbot (aka QBot, QuackBot, or Pinkslipbot). Last month, Trend Micro  disclosed  similar attacks that entailed the use of Qakbot to deliver the  Brute Ratel C4  framework, which, in turn,

As many as 34 Russian-speaking gangs distributing information-stealing malware under the stealer-as-a-service model stole no fewer than 50 million passwords in the first seven months of 2022. "The underground market value of stolen logs and compromised card details is estimated around $5.8 million," Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. Aside from looting passwords, the stealers also harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards. A majority of the victims were located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. In total, over 890,000 devices in 111 countries were infected during the time frame. Group-IB said the members of several scam groups who are propagating the information stealers previously participated in the  Classiscam  operation. These groups, which are active on Telegram and have around 200 members on aver

The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem Hassan Nejad  said  in a new analysis. "The operation ultimately hijacks Facebook Business accounts to which the victim has sufficient access. The threat actor uses their gained access to run ads for monetary gain." Attributed to a Vietnamese threat actor, the Ducktail campaign is designed to target businesses in the digital marketing and advertising sectors which are active on the Facebook Ads and Business platform. Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes

Delivering a superior customer experience is essential for any e-commerce business. For those companies, there's a lot at stake this holiday season. According to Digital Commerce 360, nearly $1.00 of every $4.00 spent on retail purchases during the 2022 holiday season will be spent online, resulting in $224 billion in e-commerce sales. To ensure your e-commerce site is ready for the holiday rush, it's vital to ensure it is secure.  While safety and security are top priorities for businesses of all sizes, it is essential for those who operate in the e-commerce space. To deliver the experience customers crave, many websites embed third-party solutions at every stage of the customer journey. In fact, for certain e-commerce businesses, their suite of third-party plugins is how they create and sustain a competitive advantage.  Yet many e-commerce sites are inherently insecure and vulnerable to attack due to their reliance on untrustworthy third-party solutions. Consequently,  cli

Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called Boa . The tech behemoth's cybersecurity division  said  the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices." The findings build on a prior report  published  by Recorded Future in April 2022, which delved into a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India. The cybersecurity firm attributed the attacks to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attacks as unsuccessful "probing attempts," China denied it was behind the campaign. The connections to China stem from the use of a modular backdoor dubbed  ShadowPad , which is known to be shared among several

Meta Platforms on Tuesday said it took down a network of accounts and pages across Facebook and Instagram that were operated by people associated with the U.S. military to spread narratives that depicted the country in a favorable light in the Middle East and Central Asia. The network, which originated from the U.S., primarily singled out Afghanistan, Algeria, Iran, Iraq, Kazakhstan, Kyrgyzstan, Russia, Somalia, Syria, Tajikistan, Uzbekistan, and Yemen. The social media giant stated the individuals behind the activity impersonated the communities they targeted, propagating content in Arabic, Farsi, and Russian that floated themes of increased military cooperation with the U.S., and criticized Iran, China, and Russia. These narratives spanned "Russia's invasion of Ukraine, China's treatment of the Uyghur people, Iran's influence in the Middle East, and the support of the Taliban regime in Afghanistan by Russia and China," Meta  said  in its Quarterly Adversaria

A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities. Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 by a red team with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2." However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch  said  in a write-up. Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts  Cobalt Strike ,  Sliver , and  Brute Ratel , offering a red team toolset for adversary threat simulation. It's licensed for £7,500 (or $10,000) per user for a year. "Nighthawk is the most advanced and evasive command-and-control framework available on the market," MDSec  notes . &qu

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX . Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. ViperSoftX, which first  came to light  in February 2020, was characterized by  Fortinet  as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst  Colin Cowie  earlier this year. "This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher Jan Rubín  said

A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of multiple campaigns designed to steal sensitive information from compromised hosts. "These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," cybersecurity firm SEKOIA  said . First advertised on Russian cybercrime forums in April 2022 by a threat actor calling themselves Cheshire, Aurora was offered as a commodity malware for other threat actors, describing it as a "multi-purpose botnet with stealing, downloading and remote access capabilities." In the intervening months, the malware has been scaled down to a stealer that can harvest files of interest, data from 40 cryptocurrency wallets, and applications like Telegram. Aurora also comes with a loader that can deploy

The best line of defense against holiday hacking schemes is a comprehensive  incident response strategy  that focuses on end-user vulnerabilities.  The holiday season is upon us and with it a slew of cybersecurity scams preying on end-user vulnerabilities. Because employees often use their business emails and cell phones as their primary point of contact, these scams quickly become a threat to employer computer systems. With so many people shopping online, tracking shipments, and entering sensitive data across multiple websites, holiday hackers are primed and ready to attack your networks by taking advantage of your employees' online actions and cell phone usage. According to the FBI, the two most frequent types of  holiday scams  include non-delivery and non-payment crimes – when a consumer either pays for a product or service that is never delivered or products being shipped without the seller receiving payment. Cybercriminals are also keen on gift card fraud and auction fraud, a

The Luna Moth campaign has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors. The attacks are notable for employing a technique called  callback phishing  or telephone-oriented attack delivery ( TOAD ), wherein the victims are social engineered into making a phone call through phishing emails containing invoices and subscription-themed lures. Palo Alto Networks Unit 42 said the attacks are the "product of a single highly organized campaign," adding, "this threat actor has significantly invested in call centers and infrastructure that's unique to each victim." The cybersecurity firm  described  the activity as a "pervasive multi-month campaign that is actively evolving." What's notable about callback phishing is that the email messages are completely devoid of any malicious attachment or booby-trapped link, allowing them to evade detection and slip past email protection solutions. These messages ty

The U.S. Justice Department (DoJ) on Monday  announced  the takedown of seven domain names in connection to a "pig butchering" cryptocurrency scam. The fraudulent scheme, which operated from May to August 2022, netted the actors over $10 million from five victims, the DoJ said. Pig butchering, also called Sha Zhu Pan, is a type of scam in which swindlers lure unsuspecting investors into sending their crypto assets. The criminals encounter potential victims on dating apps, social media sites, and through SMS messages. These individuals initiate fake relationships in an attempt to build trust, only to trick them into making a cryptocurrency investment on a bogus platform. But upon transferring the funds to wallet addresses supposedly provided by these domains, the digital currencies are said to have been immediately moved through an array of private wallets and swapping services to conceal the trail. "Once the money is sent to the fake investment app, the scammer van