The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

In a sudden turn of events, Baphomet, the current administrator of BreachForums, said in an update on March 21, 2023, that the hacking forum has been officially taken down but emphasized that "it's not the end." "You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all," Baphomet noted in a message posted on the BreachForums Telegram channel. The  shutdown  is suspected to have been prompted by suspicions that law enforcement may have obtained access to the site's configurations, source code, and information about the forum's users. The development follows the  arrest of its administrator  Conor Brian Fitzpatrick (aka "pompompurin"), who has been charged with a single count of conspiracy to commit access device fraud. Over the past few months, BreachForums filled the void left by RaidForums last year, becoming a lucrative destination to purchase and sell stolen databases from variou

Amid the  ongoing war  between Russia and Ukraine, government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea have been attacked as part of an active campaign that drops a previously unseen, modular framework dubbed  CommonMagic . "Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods," Kaspersky  said  in a new report. The Russian cybersecurity company, which detected the attacks in October 2022, is tracking the activity cluster under the name "Bad Magic." Attack chains entail the use of booby-trapped URLS pointing to a ZIP archive hosted on a malicious web server. The file, when opened, contains a decoy document and a malicious LNK file that culminates in the deployment of a backdoor named PowerMagic. Written in PowerShell, PowerMagic establishes contact with a remote server and executes arbitrary commands, the results of which are exfiltra

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot. "ShellBot, also known as  PerlBot , is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC)  said  in a report. ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open. A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it leverages the Internet Relay Chat ( IRC ) protocol to communicate with a remote server. This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information. ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoS

H0lyGh0st, Magecart, and a slew of state-sponsored hacker groups are diversifying their tactics and shifting their focus to… You. That is, if you're in charge of cybersecurity for a small-to-midsize enterprise (SME). Why? Bad actors know that SMEs typically have a smaller security budget, less infosec manpower, and possibly weak or missing security controls to protect their data and infrastructure. So, how can you prepare for the imminent onslaught from new and emerging threat groups?  You need a plan. Start with the NIST Cyber Security Framework The good news is you don't have to create your security strategy from scratch. The National Institute of Standards and Technology Cyber Security Framework (NIST CSF) is one of the most respected and widely used standards in the world. While originally designed for critical infrastructure industries, the NIST CSF is flexible enough for organizations of all sizes, sectors, and maturities to use in large part because the framewor

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The  findings  come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types. Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days. Among state-sponsored groups, those attributed to China have emerged as the most

Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges," the company  said  in an advisory published over the weekend. "The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean," it further added. The company said that the server to which the malicious Java application was uploaded was by default configured to start applications present in the deployment folder ("/batm/app/admin/standalone/deployments/"). In doing so, the attack allowed the threat actor to access the database; read and decry

A new piece of malware dubbed  dotRunpeX  is being used to distribute numerous known malware families such as  Agent Tesla ,  Ave Maria ,  BitRAT ,  FormBook ,  LokiBot ,  NetWire ,  Raccoon Stealer ,  RedLine Stealer ,  Remcos ,  Rhadamanthys , and  Vidar . "DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check Point  said  in a report published last week. Said to be in active development, dotRunpeX arrives as a second-stage malware in the infection chain, often deployed via a downloader (aka loader) that's transmitted through phishing emails as malicious attachments. Alternatively, it's known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers. The latest DotRunpeX artifacts, first spotted in October 2022, add an extra o

A banking trojan dubbed  Mispadu  has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, the Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu  (aka URSA) was  first documented  by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes. "One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected," researchers Fernando García and Dan Regalado said. It's a

2022 was the year when inflation hit world economies, except in one corner of the global marketplace – stolen data. Ransomware payments fell by over 40% in 2022 compared to 2021. More organisations chose not to pay ransom demands, according to findings by blockchain firm Chainalysis. Nonetheless, stolen data has value beyond a price tag, and in risky ways you may not expect. Evaluating stolen records is what  Lab 1, a new cyber monitoring platform , believes will make a big difference for long-term cybersecurity resilience. Think of data value this way:  Stolen credentials can become future phishing attacks Logins for adult websites are potential extortion attempts Travel and location data are a risk to VIPs and senior leadership, And so on… Hackers could retaliate for non-payment by simply posting their loot to forums where the data will be available for further enrichment and exploitation.  Shining a light on dark places Even though your company may not have suffered a di