The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The Telegram-based online marketplace known as HuiOne Guarantee and its vendors have cumulatively received at least $24 billion in cryptocurrency, dwarfing the now-defunct Hydra to become the largest online illicit marketplace to have ever operated. The figures, released by blockchain analytics firm Elliptic, show that monthly inflows have increased by 51% since July 2024. Huione Guarantee, part of the HuiOne Group of companies, came under spotlight mid-last year when it was exposed as a hub for online fraudsters, advertising money laundering services, stolen data, and even electrified shackles meant for use against people who are trafficked into scam compounds under the pretext of high paying jobs to conduct romance baiting scams . The development led to cryptocurrency company Tether freezing $29.62 million of its stablecoin connected to the marketplace. Established in 2021 ostensibly to facilitate the sale of cars and real estate, it's said to have strong links with Camb...

Threat hunters are calling attention to a new campaign that has targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public internet. "The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes," cybersecurity firm Arctic Wolf said in an analysis published last week. The malicious activity is believed to have commenced in mid-November 2024, with unknown threat actors gaining unauthorized access to management interfaces on affected firewalls to alter configurations and extract credentials using DCSync . The exact initial access vector is currently not known, although it has been assessed with "high confidence" that it's likely driven by the exploitation of a zero-day vulnerability given the "compressed timeline across affected organizations as well as firmware versions af...

Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin's efforts to gather economic and political intelligence in Central Asia. The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063 , which likely shares overlap with APT28, a nation-state group affiliated with Russia's General Staff Main Intelligence Directorate (GRU). It's also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. UAC-0063 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in early 2023, detailing its attacks on government entities using malware families tracked as HATVIBE, CHERRYSPY, and STILLARCH (aka DownEx). It's worth pointing out that the use of these malware strains has been exclusive to this group. Subsequent campaigns have been observed setting their sights o...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a second security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability in question is CVE-2024-12686 (CVSS score: 6.6), a medium-severity bug that could allow an attacker with existing administrative privileges to inject commands and run as a site user. "BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file," CISA said. "Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user." The addition of CVE-2024-12686 to the KEV catalog comes nearly a month after it a...

A recently disclosed critical security flaw impacting the Aviatrix Controller cloud networking platform has come under active exploitation in the wild to deploy backdoors and cryptocurrency miners. Cloud security firm Wiz said it's currently responding to "multiple incidents" involving the weaponization of CVE-2024-50603 (CVSS score: 10.0), a maximum severity bug that could result in unauthenticated remote code execution. Put differently, a successful exploitation of the flaw could permit an attacker to inject malicious operating system commands owing to the fact that certain API endpoints do not adequately sanitize user-supplied input. The vulnerability has been addressed in versions 7.1.4191 and 7.2.4996. Jakub Korepta, a security researcher at Polish cybersecurity company Securing, has been credited with discovering and reporting the shortcoming. A proof-of-concept (PoC) exploit has since been made publicly available . Data gathered by the cybersecurity company...

The cyber world's been buzzing this week, and it's all about staying ahead of the bad guys. From sneaky software bugs to advanced hacking tricks, the risks are real, but so are the ways to protect yourself. In this recap, we'll break down what's happening, why it matters, and what you can do to stay secure. Let's turn awareness into action and keep one step ahead of the threats. ⚡ Threat of the Week Critical Ivanti Flaw Comes Under Exploitation — A newly discovered critical security vulnerability in Ivanti Connect Secure appliances has been exploited as a zero-day since mid-December 2024. The flaw (CVE-2025-0282, CVSS score: 9.0) is a stack-based buffer overflow bug that could lead to unauthenticated remote code execution. According to Google-owned Mandiant, the flaw has been exploited to deploy the SPAWN ecosystem of malware – the SPAWNANT installer, SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor – as well as two other previou...

In 2024, ransomware attacks targeting VMware ESXi servers reached alarming levels, with the average ransom demand skyrocketing to $5 million. With approximately 8,000 ESXi hosts exposed directly to the internet (according to Shodan), the operational and business impact of these attacks is profound. Most of the Ransomware strands that are attacking ESXi servers nowadays, are variants of the infamous Babuk ransomware, adapted to avoid detection of security tools. Moreover, accessibility is becoming more widespread, as attackers monetize their entry points by selling Initial Access to other threat actors, including ransomware groups. As organizations are dealing with compounded threats on an ever-expanding front: new vulnerabilities, new entry points, monetized cyber-crime networks, and more, there is ever-growing urgency for enhanced security measures and vigilance. The architecture of ESXi Understanding how an attacker can gain control of the ESXi host begins with understanding the ...

Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS). "This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment details," Sucuri researcher Puja Srivastava said in a new analysis. "The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form." The GoDaddy-owned website security company said it discovered the malware embedded into the WordPress wp_options table with the option "widget_block," thus allowing it to avoid detection by scanning tools and persist on compromised sites without attracting attention. In doing so, the idea is to insert the malicious JavaScript into an HTML block widget thr...

No less than 4,000 unique web backdoors previously deployed by various threat actors have been hijacked by taking control of abandoned and expired infrastructure for as little as $20 per domain. Cybersecurity company watchTowr Labs said it pulled off the operation by registering over 40 domain names that the backdoors had been designed to use for command-and-control (C2). In partnership with the Shadowserver Foundation, the domains implicated in the research have been sinkholed. "We have been hijacking backdoors (that were reliant on now abandoned infrastructure and/or expired domains) that themselves existed inside backdoors, and have since been watching the results flood in," watchTowr Labs CEO Benjamin Harris and researcher Aliz Hammond said in a technical write-up last week. "This hijacking allowed us to track compromised hosts as they 'reported in,' and theoretically gave us the power to commandeer and control these compromised hosts." Among the ...

Microsoft has revealed that it's pursuing legal action against a "foreign-based threat–actor group" for operating a hacking-as-a-service infrastructure to intentionally get around the safety controls of its generative artificial intelligence (AI) services and produce offensive and harmful content. The tech giant's Digital Crimes Unit (DCU) said it has observed the threat actors "develop sophisticated software that exploited exposed customer credentials scraped from public websites," and "sought to identify and unlawfully access accounts with certain generative AI services and purposely alter the capabilities of those services." The adversaries then used these services, such as Azure OpenAI Service, and monetized the access by selling them to other malicious actors, providing them with detailed instructions as to how to use these custom tools to generate harmful content. Microsoft said it discovered the activity in July 2024. The Windows maker...

The U.S. Department of Justice (DoJ) on Friday indicted three Russian nationals for their alleged involvement in operating the cryptocurrency mixing services Blender.io and Sinbad.io. Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested on December 1, 2024, in coordination with the Netherlands' Financial Intelligence and Investigative Service, Finland's National Bureau of Investigation, and the U.S. Federal Bureau of Investigation (FBI). It was not revealed from where they were apprehended. The third individual, Anton Vyachlavovich Tarasov, is still at large. The defendants have been accused of operating cryptocurrency mixers (aka tumblers) that served as safe havens for "laundering criminally derived funds," including the proceeds of ransomware and wire fraud, thereby allowing state-sponsored hacking groups and cybercriminals to profit off their malicious operations. Specifically, they allowed their paying users to send cryptocurrency to ...