The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne  said  in an analysis published today. A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions. The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the  China Chopper  web shell to deploy malware – a widely used attack pathway among Chinese threat actors. Furthermore, not only do the open source tools used in the cyber assaults originate from develope

The U.S. Federal Bureau of Investigation (FBI) on Monday confirmed that North Korean threat actors were responsible for the theft of $100 million in cryptocurrency assets from  Harmony Horizon Bridge  in June 2022. The law enforcement agency attributed the hack to the  Lazarus Group  and APT38 (aka BlueNoroff, Copernicium, and Stardust Chollima), the latter of which is a North Korean state-sponsored threat group that specializes in financial cyber operations. The FBI further stated the Harmony intrusion leveraged an attack campaign dubbed  TraderTraitor  that was disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in April 2022. The modus operandi entailed utilizing social engineering tricks to deceive employees of cryptocurrency companies into downloading rogue applications as part of a seemingly benign recruitment effort. "On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

Vulnerability analysis results in  Orange Cyberdefenses' Security Navigator  show that some vulnerabilities first discovered in 1999 are still found in networks today. This is concerning. Age of VOC findings Our Vulnerability Scans are performed on a recurring basis, which provides us the opportunity to examine the difference between when a scan was performed on an Asset, and when a given finding on that Asset was reported. We can call that the finding 'Age'. If the findings first reported are not addressed, they will occur in more scans over time with increasing Age, and so we can track how the Age of reported findings changes over time. As the chart below clearly illustrates, the majority of real findings in our dataset, across all Severity levels, are between 75 and 225 days old. There is a second 'peak' at around 300 days, which we suspect has more to do with the age of the data in the dataset and can therefore be ignored. Finally, there is a fascinating 

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially  reemerged  in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as  TA542  (aka Gold Crestwood or Mummy Spider), the virus has  evolved  from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities. Two latest additions to Emotet's module arsenal comprise an  SMB spreader  that's designed to facilitate lateral movement using a list of h

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as  CVE-2022-42856 , is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November 30, 2022, as part of iOS 16.1.2 update, the patch was subsequently expanded to a broader set of Apple devices with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the iPhone maker  said  in an advisory published Monday. To that end, the latest update, iOS 12.5.7, is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). Clément Lecigne of Google's Threat Anal

Meta Platforms on Monday announced that it has started to expand global testing of end-to-end encryption ( E2EE ) in Messenger chats by default. "Over the next few months, more people will continue to see some of their chats gradually being upgraded with an extra layer of protection provided by end-to-end encryption," Meta's Melissa Miranda  said . The social media behemoth said it intends to notify users in select individual chat threads as the security feature is enabled, while emphasizing that the process of choosing and upgrading the conversations to support E2EE is random. "It's designed to be random so that there isn't a negative impact on our infrastructure and people's chat experience," Miranda further explained. Along with flipping the switch on E2EE, Meta has also added more features into its encrypted chat experience, including support for themes, custom emojis and reactions, group profile photos, link previews, and active status. T

Two security flaws have been disclosed in Samsung's Galaxy Store app for Android that could be exploited by a local attacker to stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web. The issues, tracked as  CVE-2023-21433 and CVE-2023-21434 , were  discovered  by NCC Group and notified to the South Korean chaebol in November and December 2022. Samsung  classified  the bugs as moderate risk and released fixes in version 4.5.49.8 shipped earlier this month. Samsung Galaxy Store, previously known as Samsung Apps and Galaxy Apps, is a dedicated app store used for Android devices manufactured by Samsung. It was launched in September 2009. The first of the two vulnerabilities is CVE-2023-21433, which could enable an already installed rogue Android app on a Samsung device to install any application available on the Galaxy Store. Samsung described it as a case of improper access control that it said has been patched with proper permiss

The move to SaaS and other cloud tools has put an emphasis on Identity & Access Management (IAM). After all, user identity is one of the only barriers standing between sensitive corporate data and any unauthorized access.  The tools used to define IAM make up its identity fabric. The stronger the fabric, the more resistant identities are to pressure from threat actors. However, those pressures are only increasing. Decentralized IT, evolving threats, and zero-trust tools are pushing many IAM tools to their limits.  To maintain their effectiveness, IAM are shifting to operating as an agile, interconnected identity fabric rather than just siloed IAM tools. The demands of today's IT operating environment are forcing IAM to support decentralized IT environments while still providing centralized management and governance for its users. Interestingly, many of the identity fabric principles they define are currently found in leading SSPM tools. It's important to note that identity fabr

The legitimate command-and-control (C2) framework known as Sliver is  gaining   more traction  from threat actors as it emerges as an open source alternative to  Cobalt Strike  and Metasploit. The findings come from Cybereason, which  detailed  its inner workings in an exhaustive analysis last week. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that's designed to be used by security professionals in their red team operations. Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system upon gaining an initial foothold. In other words, the software is used as a second-stage to conduct next steps of the attack chain after already compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitatio