The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent . The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K. The campaign makes use of bogus Android apps that are disguised as seemingly legitimate banking, government facilities, streaming, and utility apps in an attempt to trick users into installing them. As many as 280 fake applications have been detected since the start of the year. It all starts with SMS messages bearing booby-trapped links that urge users to download the apps in question in the form of APK files hosted on deceptive sites. Once installed, they are designed to request intrusive permissions to collect data from the devices. This includes contacts, SMS messages, photos, and other device i...

A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024. Trend Micro is tracking the adversary under the moniker TIDRONE , stating the activity is espionage-driven given the focus on military-related industry chains. The exact initial access vector used to breach targets is presently unknown, with Trend Micro's analysis uncovering the deployment of custom malware such as CXCLNT and CLNTEND using remote desktop tools like UltraVNC. An interesting commonality observed across different victims is the presence of the same enterprise resource planning (ERP) software, raising the possibility of a supply chain attack. The attack chains subsequently go through three different stages that are designed to facilitate privilege escalation by means of a User Account Control ( UAC ) bypass, credential dumping, and defense evasion by disabling ant...

The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center ( Unit 29155 ). "These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020," the agencies said . "Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine." Targets of the attacks have focused on critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of North Atlantic Treaty Organization (NATO) members, the European Union, Central American, and Asian countries. The joint advisory, released last week as part of a coordinated exercise dubbed Operatio...

Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation. These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector. "After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge," researchers Robert Wallace, Blas Kojusner, and Joseph Dobson said . The malware functions as a launchpad to compromise the target's macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons. It's worth pointing out that this is one of many activity clusters – namely Operation Dream Job , Contagious Interview , and others – undertaken by North Korean hacking groups that make use of job-related decoys to infect targets with malware. Recruiting-themed lures have ...

Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information. Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire fraud. Khodyrev and Kublitskii, between 2014 and 2024, acted as the main administrators of WWH Club (wwh-club[.]ws) and various other sister sites – wwh-club[.]net, center-club[.]pw, opencard[.]pw, skynetzone[.]org – that functioned as dark web marketplaces, forums, and training centers to enable cybercrime. The indictment follows an investigation launched by the U.S. Federal Bureau of Investigation (FBI) in July 2020 after determining that WWH Club's primary domain (www-club[.]ws]) resolved to an IP address belonging to DigitalOcean, allowing them to issue a federal search warrant to t...

SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible. The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10. "An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall said in an updated advisory. With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall's SSLVPN feature. The issue has been addressed in the below versions - SOHO (Gen 5 Firewalls) - 5.9.2.14-13o Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances) The network security vendor has since updated the bulletin to reflect the p...

A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024. According to Fortinet FortiGuard Labs, the flaw has been observed being used to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity. These attacks are said to target IT service providers in In...

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages. These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com). Adversaries targeting open-source repositories across platforms have relied on developers making typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and Crate. The latest findings from cloud security firm Orca show that even GitHub Actions , a continuous integration and continuous delivery ( CI/CD ) platform, is not immune from the threat. "If developers make a typo in their GitHub action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi said in a report shared with The Ha...

The 2024 State of the vCISO Report continues Cynomi's tradition of examining the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to the independent survey, the demand for these services is increasing, with both providers and clients reaping the rewards. The upward trend is set to continue, with even faster growth expected in the future. However, service providers looking to enter the vCISO market must address challenges like technological limitations and a lack of security and compliance expertise.  For more details on the state of vCISO, read Cynomi's comprehensive report. The State of the Virtual CISO Survey Report by Global Surveyz, an independent survey company, which was commissioned by Cynomi, provides a deep understanding of the vCISO opportunities and challenges facing MSPs and MSSPs today. The report shares insights from 200 security leaders in MSPs and MSSPs that provide cybersecurity strategic services or cybersecurity...