The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

A hospital with 2,000 employees in the E.U. deployed Cynet protections across its environment. The hospital was in the process of upgrading several expensive imaging systems that were still supported by Windows XP and Windows 7 machines. Cynet protections were in place on most of the Windows XP and Windows 7 machines during the upgrade process, ensuring that legacy operating systems would not cause vulnerabilities or delay the activation of an  incident response plan . The hospital's I.T. security team appreciated this coverage after their previous provider abandoned support for Windows XP and Windows 7. "One of the many reasons we chose Cynet was their support of legacy Windows machines. It's expensive, difficult and time consuming to upgrade our imaging system software, but we needed protections as we slowly migrated to more current Windows environments. Cynet was one of the few providers that continue to protect these older Windows environments." The Attack Alo...

An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim's Microsoft Exchange Server with a "simple yet effective" backdoor dubbed  PowerExchange . According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as an initial access pathway, leading to the execution of a .NET executable contained with a ZIP file attachment. The binary, which masquerades as a PDF document, functions as a dropper to execute the final payload, which then launches the backdoor. PowerExchange, written in PowerShell, employs text files attached to emails for command-and-control (C2) communication. It allows the threat actor to run arbitrary payloads and upload and download files from and to the system. The custom implant achieves this by making use of the Exchange Web Services ( EWS ) API to connect to the victim's Exchange Server and uses a mailbox on the server to...

Identity-based attacks are on the rise. Attackers are targeting identities with compromised credentials, hijacked authentication methods, and misused privileges. While many threat detection solutions focus on cloud, endpoint, and network threats, they overlook the unique risks posed by SaaS identity ecosystems. This blind spot is wreaking havoc on heavily SaaS-reliant organizations big and small. The question is, what can security teams do about it? Have no fear, because Identity Threat Detection and Response (ITDR) is here to save the day. It's essential to have the visibility and response mechanisms to stop attacks before they become breaches. Here's the super lineup that every team needs to stop SaaS identity threats. #1 Full coverage: cover every angle  Like Cap's shield, this defense should cover every angle. Traditional threat detection tools such as XDRs and EDRs fail to cover SaaS applications and leave organizations vulnerable. SaaS identity threat detection and re...

A Brazilian threat actor is targeting more than 30 Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021. "The attackers can steal credentials and exfiltrate users' data and personal information, which can be leveraged for malicious activities beyond financial gain," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel  said  in a new report shared with The Hacker News. The cybersecurity firm, which began tracking "Operation Magalenha" earlier this year, said the intrusions culminate in the deployment of two variants of a backdoor called  PeepingTitle  so as to "maximize attack potency." The links to Brazil stem from the use of the Brazilian-Portuguese language within the detected artifacts as well as source code overlaps with another banking trojan known as  Maxtrilha , which was first disclosed in September 2021. PeepingTitle, like Maxtrilha, is written in the Delphi...

In today's digital landscape, browser security has become an increasingly pressing issue, making it essential for organizations to be aware of the latest threats to browser security. That's why the Browser Security platform LayerX is hosting  a webinar  featuring guest speaker Paddy Harrington, a senior analyst at Forrester and the lead author of Forrester's browser security report "Securing The Browser In The World Of Anywhere Work ". During this webinar, Harrington will join LayerX CEO, to discuss the emergence of the browser security category, the browser security risk and threat landscape, and why addressing browser security can wait no longer. The webinar will also cover browser security solutions, explaining their pros, cons, and differences, and how organizations can work more securely in the browser. Additionally, the session will focus on using browser security solutions as a cost-saver for security teams. Participants will also get an exclusive opport...

The threat actors behind the nascent  Buhti  ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec  said  in a report shared with The Hacker News. The cybersecurity firm is tracking the cybercrime group under the name  Blacktail . Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023,  describing  it as a Golang ransomware targeting the Linux platform. Later that same month, Bitdefender revealed the use of a Windows variant that was deployed against Zoho ManageEngine products that were vulnerable to critical remote code execution flaws ( CVE-2022-47966 ). The operators have since been observed swiftly exploiting other severe bugs impacting I...

A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected,  Microsoft  and  the "Five Eyes" nations  said on Wednesday. The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name  Volt Typhoon . The state-sponsored actor is  geared  towards espionage and information gathering, with the cluster active since June 2021 and obscuring its intrusion footprint by taking advantage of tools already installed or built into infected machines. Some of the prominent sectors targeted include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education. The company further assessed with moderate confidence that the campaign is "pursuing development of capabilities that could disrupt critical c...

The Iranian threat actor known as  Agrius  is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm (formerly Americium), has a  track record  of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections. Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates  MuddyWater . It's known to be active since at least December 2020. In December 2022, the hacking crew was  attributed  to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong. These attacks involved the use of a .NET-based wiper-turned-ransomware called  Apostle  and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++. "The use of a new ransomware, written in C++, is noteworthy, as it demonstrates th...

Google on Wednesday announced the  0.1 Beta version  of  GUAC  (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains. To that end, the search giant is  making available  the open source framework as an API for developers to integrate their own tools and policy engines. GUAC  aims to aggregate software security metadata from different sources into a graph database that maps out relationships between software, helping organizations determine how one piece of software affects another. "Graph for Understanding Artifact Composition ( GUAC ) gives you organized and actionable insights into your software supply chain security position," Google  says  in its documentation. "GUAC ingests software security metadata, like SBOMs, and maps out the relationship between software so that you can fully understand your software security position." In other words, it's designed to bring togethe...

At least eight websites associated with shipping, logistics, and financial services companies in Israel were targeted as part of a watering hole attack. Tel Aviv-based cybersecurity company ClearSky attributed the attacks with low confidence to an Iranian threat actor tracked as  Tortoiseshell , which is also called Crimson Sandstorm (previously Curium), Imperial Kitten, and TA456. "The infected sites collect preliminary user information through a script," ClearSky  said  in a technical report published Tuesday. Most of the impacted websites have been stripped of the rogue code. Tortoiseshell  is known to be active since at least July 2018, with  early attacks  targeting IT providers in Saudi Arabia. It has also been observed  setting up fake hiring websites  for U.S. military veterans in a bid to trick them into downloading remote access trojans. That said, this is not the first time Iranian activity clusters have set their sights on the Is...