The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices. The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt Kunze,  disclosed  in a technical write-up published this week. In making such malicious requests, not only could the Wi-Fi password get exposed, but also provide the adversary direct access to other devices connected to the same network. Following responsible disclosure on January 8, 2021, the issues were remediated by Google in April 2021. The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google us

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  two years-old security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The flaws, tracked as  CVE-2018-5430  (CVSS score: 7.7) and  CVE-2018-18809  (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively. TIBCO  JasperReports  is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards. The first of the two issues, CVE-2018-5430, relates to an  information disclosure bug  in the server component that could enable an authenticated user to gain read-only access to arbitrary files, including key configurations. "The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server," TIBCO noted at the time. "Tho

Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit edge-case vulnerabilities. Instead, they often use commonly available tools and exploit multiple vulnerability points. By simulating a real-world network attack, security teams can test their detection systems, ensure they have multiple choke points in place, and demonstrate the value of networking security to leadership. In this article, we demonstrate a real-life attack that could easily occur in many systems. The attack simulation was developed based on the MITRE ATT&CK framework, Atomic Red Team,  Cato Networks ' experience in the field, and public threat intel. In the end, we explain why a holistic secur

Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are  CVE-2022-27510  and  CVE-2022-27518  (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8 and December 13, 2022, respectively. While CVE-2022-27510 relates to an  authentication bypass  that could be exploited to gain unauthorized access to Gateway user capabilities, CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems. Citrix and the U.S. National Security Agency (NSA), earlier this month,  warned  that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group. Now, according to a  new analysis  from NCC Group's Fox-IT research team, thousands of internet-facing Citrix servers are still unpatched, making them an

Users searching for popular software are being targeted by a new malvertising campaign that abuses Google Ads to serve trojanized variants that deploy malware, such as Raccoon Stealer and Vidar. The activity makes use of seemingly credible websites with typosquatted domain names that are surfaced on top of Google search results in the form of malicious ads by hijacking searches for specific keywords. The ultimate objective of such attacks is to  trick   unsuspecting   users  into downloading malevolent programs or potentially unwanted applications. In one campaign disclosed by Guardio Labs, threat actors have been observed creating a network of benign sites that are promoted on the search engine, which when clicked, redirect the visitors to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive. "The moment those 'disguised' sites are being visited by targeted visitors (those who actually click on the promoted search result) the server imme

Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyber attack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies. "With maliciously implanted code, the altered APK led to the leak of user's private keys and enabled the hacker to move funds," BitKeep CEO Kevin Como  said , describing it as a "large-scale hacking incident." According to blockchain security company  PeckShield  and multi-chain blockchain explorer  OKLink , an estimated  $9.9 million  worth of assets have been plundered so far. "Funds stolen are on BNB Chain, Ethereum, TRON and Polygon," BitKeep further  noted  in a series of tweets. "More than 200 addresses on the other three chains were used in the heist, and all funds were transferred to two main addresses in the end." The incident is said to have taken place on December 26, 2022, with the threat actor exploiting

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months. Now according to Cisco Talos , advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector. Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code. These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background. To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector. While this

BlueNoroff , a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web ( MotW ) protections. This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today. "BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said , adding the new attack procedure was flagged in its telemetry in September 2022. Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region. It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018. The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those used by Cambridge Analytica to access users' personal information without their consent for political advertising. The proposed settlement, first  reported  by Reuters last week, is the latest penalty paid by the company in the wake of a  number  of  privacy   mishaps   through the years . It still requires the approval of a federal judge in the San Francisco division of the U.S. District Court. It's worth noting that Facebook previously sought to  dismiss the lawsuit  in September 2019,  claiming  users have no legitimate privacy interest in any information they make available to their friends on social media. The  data harvesting scandal , which  came  to  light  in March 2018, involved a

Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called  GuLoader  to evade security software. "New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri  said  in a technical write-up published last week. GuLoader, also called  CloudEyE , is a Visual Basic Script (VBS) downloader that's used to distribute remote access trojans such as Remcos on infected machines. It was first detected in the wild in 2019. In November 2021, a JavaScript malware strain dubbed RATDispenser  emerged  as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper. Recent GuLoader samples unearthed by CrowdStrike have been found to exhibit a three-stage process wherein the VBScript is designed to deliver a next-stage that performs anti-a