#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Cyber Attack | Breaking Cybersecurity News | The Hacker News

Category — Cyber Attack
Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware

Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware

Aug 19, 2024 Malvertising / Cybercrime
Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader called FakeBat. "These attacks are opportunistic in nature, targeting users seeking popular business software," the Mandiant Managed Defense team said in a technical report. "The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload." FakeBat , also called EugenLoader and PaykLoader, is linked to a threat actor named Eugenfest. The Google-owned threat intelligence team is tracking the malware under the name NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536. Attack chains propagating the loader malware make use of drive-by download techniques to push users searching for popular software toward bogus lookalike sites that host booby-trapped MSI installers. Some of the malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma
China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa

China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa

Aug 14, 2024 Threat Intelligence / Cyber Attack
The China-backed threat actor known as Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries as part of the activity include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education are some of the sectors singled out as part of the intrusion set. "The group has updated its tools, tactics, and procedures (TTPs) in more recent campaigns, making use of public-facing applications such as IIS servers as entry points for attacks, after which they deploy sophisticated malware toolsets on the victim's environment," Trend Micro researchers Ted Lee and Theo Chen said in an analysis published last week. The findings build upon recent reports from Zscaler and Google-owned Mandiant , which also detailed the threat actor's u
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany

FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany

Aug 13, 2024 Ransomware / Network Security
The U.S. Federal Bureau of Investigation (FBI) on Monday announced the disruption of online infrastructure associated with a nascent ransomware group called Radar/Dispossessor. The effort saw the dismantling of three U.S. servers, three United Kingdom servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain. Dispossessor is said to be led by individual(s) who go by the online moniker "Brain." "Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors," the FBI said in a statement. As many as 43 companies have been identified as victims of Dispossessor attacks, including those located in Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Pol
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Rogue PyPI Library Solana Users, Steals Blockchain Wallet Keys

Rogue PyPI Library Solana Users, Steals Blockchain Wallet Keys

Aug 11, 2024 Supply Chain / Software Security
Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that masquerades as a library from the Solana blockchain platform but is actually designed to steal victims' secrets. "The legitimate Solana Python API project is known as 'solana-py' on GitHub, but simply ' solana ' on the Python software registry, PyPI," Sonatype researcher Ax Sharma said in a report published last week. "This slight naming discrepancy has been leveraged by a threat actor who published a 'solana-py' project on PyPI." The malicious "solana-py" package attracted a total of 1,122 downloads since it was published on August 4, 2024. It's no longer available for download from PyPI. The most striking aspect of the library is that it carried the version numbers 0.34.3, 0.34.4, and 0.34.5. The latest version of the legitimate "solana" package is 0.34.3. This clearly indicates an attempt o
New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

Aug 08, 2024 Network Security / Cloud Security
Cybersecurity researchers have discovered a novel phishing campaign that leverages Google Drawings and shortened links generated via WhatsApp to evade detection and trick users into clicking on bogus links designed to steal sensitive information. "The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim's information," Menlo Security researcher Ashwin Vamshi said . "This attack is a great example of a Living Off Trusted Sites ( LoTS ) threat." The starting point of the attack is a phishing email that directs the recipients to a graphic that appears to be an Amazon account verification link. This graphic, for its part, is hosted on Google Drawings, in an apparent effort to evade detection. Abusing legitimate services has obvious benefits for attackers in that they're not only a low-cost solution, but more importantly,
Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

Jul 31, 2024 Cyber Attack / Threat Intelligence
Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years. Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear , attributing it as related to a known intrusion set dubbed APT10, which is also known as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda. "The actors behind NOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate data from compromised enterprise networks," it said . The findings come weeks after JPCERT/CC warned of cyber attacks mounted by the threat actor targeting Japanese entities using the two malware strains. Earlier this January, ITOCHU Cyber & I
Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware

Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware

Jul 30, 2024 Malware / Cyber Threat
Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024 that led to the deployment of several malware families like Agent Tesla , Formbook , and Remcos RAT . Some of the other regions targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET. "Attackers used previously compromised email accounts and company servers, not only to spread malicious emails but also to host malware and collect stolen data," ESET researcher Jakub Kaloč said in a report published today. These campaigns, spread across nine waves, are notable for the use of a malware loader called DBatLoader (aka ModiLoader and NatsoLoader) to deliver the final payloads. This, the Slovakian cybersecurity company said, marks a departure from previous attacks observed in the second half of 2023 that leveraged a cryptors-as-a-service (CaaS) dubbed AceCryptor to propagate Remcos RAT (aka Resc
New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

Jul 30, 2024 Cyber Espionage / Malware
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder , which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains. "SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants," the Canadian cybersecurity company said in an analysis published last week. The latest
CrowdStrike Warns of New Phishing Scam Targeting German Customers

CrowdStrike Warns of New Phishing Scam Targeting German Customers

Jul 26, 2024 Enterprise Security / Network Security
CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity. The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world. "After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer," CrowdStrike's Counter Adversary Operations team said . "The installer contains CrowdStrike branding, German localization, and a password [is] required to continue install
Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

Jul 24, 2024 Malvertising / Threat Intelligence
A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma , and Meduza . Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1). The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024. "Initially, attackers lure victims into clicking a crafted link to a URL file designed to download an LNK file," security researcher Cara Lin said . "The LNK file then downloads an executable file containing an [HTML Application] script." The HTA file serves as a conduit to decode and decrypt PowerShell code responsible for fetching a decoy PDF file and a shellcode injector that, in tur
New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Jul 23, 2024 ICS Malware / Critical Infrastructure
Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January. Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop , describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024. "FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News. It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously
Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files

Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files

Jul 23, 2024 Threat Detection / Website Security
Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024. "Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said . This is just one of many defense evasion methods employed by the threat actor, which also includes the use of swap files ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstra
Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Jul 20, 2024 Malware / IT Outage
Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. The attack chains involve distributing a ZIP archive file named " crowdstrike-hotfix.zip ," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload. Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urges targets to run an executable file ("setup.exe") to recover from the issue. "Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said , attributing the campaign to a suspected e-
WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach

WazirX Cryptocurrency Exchange Loses $230 Million in Major Security Breach

Jul 19, 2024 Cryptocurrency / Cybercrime
Indian cryptocurrency exchange WazirX has confirmed that it was the target of a security breach that led to the theft of $230 million in cryptocurrency assets. "A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million," the company said in a statement. "This wallet was operated utilizing the services of Liminal's digital asset custody and wallet infrastructure from February 2023." The Mumbai-based company said the attack stemmed from a mismatch between the information that was displayed on Liminal's interface and what was actually signed. It said the payload was replaced to transfer wallet control to an attacker. Crypto custody firm Liminal is one of the six signatories on the wallet and is responsible for transaction verifications. "Our preliminary investigations show that one of the self custody multi-sig smart contract wallets created outside of the Liminal ecosystem has been compromised
DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

Jul 12, 2024 Malware / Cyber Attack
Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections. Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North America, Europe, and parts of Asia. "This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware," security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said . DarkGate, which first emerged in 2018, has evolved into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop addit
PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Jul 11, 2024 Cyber Attack / Vulnerability
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024. "CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP," Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. "The vulnerability itself lies in how Unicode characters are converted into ASCII." The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge. This included exploits designed to deliver a remote
Smash-and-Grab Extortion

Smash-and-Grab Extortion

Jul 10, 2024 IoT Security / Firmware Security
The Problem The "2024 Attack Intelligence Report" from the staff at Rapid7 [1] is a well-researched, well-written report that is worthy of careful study. Some key takeaways are:  53% of the over 30 new vulnerabilities that were widely exploited in 2023 and at the start of 2024 were zero-days . More mass compromise events arose from zero-day vulnerabilities than from n-day vulnerabilities. Nearly a quarter of widespread attacks were zero-day attacks where a single adversary compromised dozens to hundreds of organizations simultaneously. Attackers are moving from initial access to exploitation in minutes or hours rather than days or weeks. So the conventional patch and put strategy is as effective as a firetruck showing up after a building has burned to the ground! Of course, patch and put could prevent future attacks, but taking into account that patch development takes from days to weeks [2] and that the average time to apply critical patches is 16 days [3], devices are vulner
Expert Insights / Articles Videos
Cybersecurity Resources