The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

A critical flaw in Progress Software's in MOVEit Transfer managed file transfer application has come under widespread exploitation in the wild to take over vulnerable systems. The shortcoming, which is assigned the CVE identifier CVE-2023-34362 , relates to a severe SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment. "An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database," the company  said . "Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements." Patches for the bug have been made available by the Massachusetts-based company, which also owns Teler

An analysis of the "evasive and tenacious" malware known as QBot has revealed that 25% of its command-and-control (C2) servers are merely active for a single day. What's more, 50% of the servers don't remain active for more than a week, indicating the use of an adaptable and dynamic  C2 infrastructure , Lumen Black Lotus Labs said in a report shared with The Hacker News. "This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs)," security researchers Chris Formosa and Steve Rudd said. QBot , also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007. The malware arrives on victims' devices via spear-phishing emails, which either directly incorporate lure files o

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

A previously unknown advanced persistent threat (APT) is targeting iOS devices as part of a sophisticated and long-running mobile campaign dubbed  Operation Triangulation  that began in 2019. "The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data," Kaspersky  said . The Russian cybersecurity company said it discovered traces of compromise after creating offline backups of the targeted devices. The attack chain begins with the iOS device receiving a message via iMessage that contains an attachment bearing the exploit. The exploit is said to be  zero-click , meaning the receipt of the message triggers the vulnerability without requiring any user interaction in order to achieve code execution. It's also configured to retrieve additional payloads for privilege escalation and drop a final stage malware from a remote server that Kaspersky described as

Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as  XE Group . According to  Menlo Security , which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group." XE Group (aka XeThanh), previously documented by  Malwarebytes  and  Volexity , has a history of carrying out cyber criminal activities since at least 2013. It's suspected to be a threat actor of Vietnamese origin. Some of the entities targeted by the threat actor span government agencies, construction organizations, and healthcare sectors. It's known to compromise internet-exposed servers with known exploits and monetize the intrusions by installing password theft or  credit card skimming code  for online services. "As far back as 2014, the threat actor was seen crea

Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools. "It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed," ReversingLabs analyst Karlo Zanki  said  in a report shared with The Hacker News. The package in question is  fshec2 , which was removed from the third-party software registry on April 17, 2023, following responsible disclosure on the same day. PYC files are compiled bytecode files that are generated by the Python interpreter when a Python program is executed. "When a module is imported for the first time (or when the source file has changed since the current compiled file was created) a .pyc file containing the compiled code should be created in a __pycache__ subdirectory of the directory containing the .py file,"  explains  the Python documentation. The pa

IT hygiene  is a security best practice that ensures that digital assets in an organization's environment are secure and running properly. Good IT hygiene includes vulnerability management, security configuration assessments, maintaining asset and system inventories, and comprehensive visibility into the activities occurring in an environment. As technology advances and the tools used by cybercriminals and cybersecurity professionals evolve, the strategies used to carry out cyber attacks differ based on their complexity and uniqueness. Threat actors continuously target organizations practicing poor IT hygiene to exploit known security weaknesses and human error. Security administrators can defend against cyberattacks by implementing good  IT hygiene  practices like whitelisting programs, keeping systems up to date, and more. Gaining complete visibility into the IT assets is fundamental to developing an effective security strategy. The emergence of shadow IT, like rogue assets, s

The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed  Sphynx  and announced in February 2023, packs a "number of updated capabilities that strengthen the group's efforts to evade detection," IBM Security X-Force said in a new analysis. The "product" update was  first highlighted  by vx-underground in April 2023. Trend Micro, last month,  detailed  a Linux version of Sphynx that's "focused primarily on its encryption routine." BlackCat , also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, victimizing  more than 350 targets  as of May 2023. The group, like other ransomware-as-a-service (RaaS) offerings, is  known  to operate a double extortion scheme, deploying

Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that's employed by the North Korean state-sponsored actor known as  ScarCruft . "RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially maintain persistent control over compromised systems," ThreatMon  said . ScarCruft , active since at least 2012, is a  cyber espionage group  that operates on behalf of the North Korean government, exclusively focusing on targets in its southern counterpart. The group is believed to be a subordinate element within North Korea's Ministry of State Security (MSS). Attack chains mounted by the group have leaned heavily on social engineering to spear-phish victims and deliver payloads onto target networks. This includes exploiting vulnerabilities in Hancom's Hangul Word

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as  CVE-2023-28771  (CVSS score: 9.8), the issue relates to a  command injection flaw  impacting different firewall models that could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to the device. Zyxel addressed the security defect as part of updates released on April 25, 2023. The list of impacted devices is below - ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36) USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36) VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1) The Shadowserver Foundation, in a  recent tweet , said the flaw is "being actively exploited to build a  Mirai-like botnet " since M