The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

An unknown threat actor has been observed targeting the U.S. aerospace industry with a new PowerShell-based malware called PowerDrop . "PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption," according to Adlumin, which  found the malware  implanted in an unnamed domestic aerospace defense contractor in May 2023. "The name is derived from the tool, Windows PowerShell, used to concoct the script, and 'Drop' from the DROP (DRP) string used in the code for padding." PowerDrop is also a post-exploitation tool, meaning it's designed to gather information from victim networks after obtaining initial access through other means. The malware employs Internet Control Message Protocol (ICMP) echo request messages as beacons to initiate communications with a command-and-control (C2) server. The server, for its part, responds back with an encrypted command that's decoded and run on the compromised host. A similar

A recent malware campaign has been found to leverage  Satacom downloader  as a conduit to deploy stealthy malware capable of siphoning cryptocurrency using a rogue extension for Chromium-based browsers. "The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites," Kaspersky researchers Haim Zigel and Oleg Kupreev  said . Targets of the campaign include Coinbase, Bybit, KuCoin, Huobi, and Binance users primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. Satacom downloader, also called  Legion Loader , first emerged in 2019 as a dropper for next-stage payloads, including information stealers and cryptocurrency miners. Infection chains involving the malware begin when users searching for cracked software are redirected to bogus websites that host ZIP archive files containing the malware. "Various types

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular applications to serve unwanted ads to users as part of a campaign ongoing since October 2022. "The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware." The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy. It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, se

Attacks on critical infrastructure and other OT systems are on the rise as digital transformation and OT/IT convergence continue to accelerate. Water treatment facilities, energy providers, factories, and chemical plants — the infrastructure that undergirds our daily lives could all be at risk. Disrupting or manipulating OT systems stands to pose real physical harm to citizens, environments, and economies. Yet the landscape of OT security tools is far less developed than its information technology (IT) counterpart. According to a recent  report from Takepoint Research and Cyolo , there is a notable lack of confidence in the tools commonly used to secure remote access to industrial environments.  Figure 1: New research reveals a large gap across industries between the level of concern about security risks and the level of confidence in existing solutions for industrial secure remote access (I-SRA). The traditional security strategy of industrial environments was isolation – isolatio

Google on Monday released security updates to patch a high-severity flaw in its Chrome web browser that it said is being actively exploited in the wild. Tracked as  CVE-2023-3079 , the vulnerability has been described as a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on June 1, 2023. "Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,"  according  to the NIST's National Vulnerability Database (NVD). The tech giant, as is typically the case, did not disclose details of the nature of the attacks, but  noted  it's "aware that an exploit for CVE-2023-3079 exists in the wild." With the latest development, Google has addressed a total of three actively exploited zero-days in Chrome since the start of the year - CVE-2023-2033  (CVSS score: 8.8) - Type Co

Threat actors associated with the  Cyclops ransomware  have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. "The threat actor behind this [ransomware-as-a-service] promotes its offering on forums," Uptycs  said  in a new report. "There it requests a share of profits from those engaging in malicious activities using its malware." Cyclops ransomware is notable for targeting all major desktop operating systems, including Windows, macOS, and Linux. It's also designed to terminate any potential processes that could interfere with encryption. The macOS and Linux versions of Cyclops ransomware are written in Golang. The ransomware further employs a complex encryption scheme that's a mix of asymmetric and symmetric encryption. The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number o

A Chinese-speaking phishing gang dubbed  PostalFurious  has been linked to a new SMS campaign that's targeting users in the U.A.E. by masquerading as postal services and toll operators, per Group-IB. The fraudulent scheme entails sending users bogus text messages asking them to pay a vehicle trip fee to avoid additional fines. The messages also contain a shortened URL to conceal the actual phishing link. Clicking on the link directs the unsuspecting recipients to a fake landing page that's designed to capture payment credentials and personal data. The campaign is estimated to be active as of April 15, 2023. "The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information," Group-IB  said . "The phishing pages appropriate the official name and logo of the impersonated postal service provider." The exact scale of the attacks is currently unknown. What's known is that the tex

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  placed  two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerabilities, tracked as  CVE-2023-33009 and CVE-2023-33010 , are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution. Patches to plug the security holes were released by Zyxel on May 24, 2023. The following list of devices are affected - ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2) USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2) USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2) VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2) While the exa

Microsoft has officially linked the  ongoing active exploitation  of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as  Lace Tempest . "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team  said  in a series of tweets today. "CVE-2023-34362 allows attackers to authenticate as any user." Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site.  The threat actor also has a track record of exploiting different zero-day flaws to siphon data and extort victims, with the group recently observed weaponizing a  severe bug in PaperCut servers . CVE-2023-34362 relates to an SQL injection vulnerability in MOVEit Transfer that enables unauthenticated, remote attackers to gain access to the application database