#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

data theft | Breaking Cybersecurity News | The Hacker News

Category — data theft
Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks

Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks

Jul 17, 2024 Cybercrime / Ransomware
The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of targeting VMWare ESXi servers and deploying BlackCat ransomware. It shares overlaps with activity clusters tracked by the broader cybersecurity community under the monikers Gold Harvest, 0ktapus, Octo Tempest, and UNC3944. Last month, it was reported that a key member of the group was arrested in Spain. RansomHub, which arrived on the scene earlier this February, has been assessed to be a rebrand of another ransomware strain called Knight, according to an analysis from Broadcom-owned Symantec last month. "RansomHub is a ransomware-as-a-service (RaaS) payload used by more and mor
Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

Jul 16, 2024 Data Security / Vulnerability
An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida . Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack chain using specially crafted internet shortcut (URL) files. "Variations of the Atlantida campaign have been highly active throughout 2024 and have evolved to use CVE-2024-38112 as part of Void Banshee infection chains," security researchers Peter Girnus and Aliakbar Zahravi said . "The ability of APT groups like Void Banshee to exploit disabled services such as [Internet Explorer] poses a significant threat to organizations worldwide." The findings dovetail with prior disclosures from Check Point, which told The Hacker News of a campaign leveraging the same shortc
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign

New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign

Jul 11, 2024 Malware / Threat Intelligence
Spanish language victims are the target of an email phishing campaign that delivers a new remote access trojan (RAT) called Poco RAT since at least February 2024. The attacks primarily single out mining, manufacturing, hospitality, and utilities sectors, according to cybersecurity company Cofense. "The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials," it said . Infection chains begin with phishing messages bearing finance-themed lures that trick recipients into clicking on an embedded URL pointing to a 7-Zip archive file hosted on Google Drive. Other methods observed include the use of HTML or PDF files directly attached to the emails or downloaded via another embedded Google Drive link. The abuse of legitimate services by threat actors is not a new phenomenon as it allows them to bypass
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Dark Web Malware Logs Expose 3,300 Users Linked to Child Abuse Sites

Dark Web Malware Logs Expose 3,300 Users Linked to Child Abuse Sites

Jul 08, 2024 Dark Web / Cyber Crime
An analysis of information-stealing malware logs published on the dark web has led to the discovery of thousands of consumers of child sexual abuse material (CSAM), indicating how such information could be used to combat serious crimes. "Approximately 3,300 unique users were found with accounts on known CSAM sources," Recorded Future said in a proof-of-concept (PoC) report published last week. "A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior." Over the past few years, off-the-shelf info-stealer variants have become a pervasive and ubiquitous threat targeting various operating systems with an aim to siphon sensitive information such as credentials, cryptocurrency wallets, payment card data, and screenshots. This is evidenced in the rise of new stealer malware strains such as Kematian Stealer , Neptune Stealer , 0bj3ctivity , Poseidon (formerly RodStealer), Satanstealer , and StrelaStealer . Distribut
South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

Jul 03, 2024 Malware / Threat Intelligence
An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel , a sub-cluster within the infamous Lazarus Group. The similarities stem from the North Korean adversary's prior use of the ERP solution to distribute malware like HotCroissant – which is identical to Rifdoor – in 2017 by inserting a malicious routine into a software update program. In the recent incident analyzed by ASEC, the same executable is said to have been tampered with to execute a DLL file from a specific path using the regsvr32.exe process as opposed to launching a downloader. The DLL file, Xctdoor, is capable of stealing system information, including keystrokes, screenshots, and clipboard conte
Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights

Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights

Jul 02, 2024 Data Theft / Wi-Fi Security
An Australian man has been charged with running a fake Wi-Fi access point during a domestic flight with an aim to steal user credentials and data. The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press release last week. The agency said the suspect was charged in May 2024 after it launched an investigation a month earlier following a report from an airline about a suspicious Wi-Fi network identified by its employees during a domestic flight. A subsequent search of his baggage on April 19 led to the seizure of a portable wireless access device, a laptop, and a mobile phone. He was arrested on May 8 after a search warrant was executed at his home. The individual is said to have staged what's called an evil twin Wi-Fi attack across various locations, including domestic flig
Indian Software Firm's Products Hacked to Spread Data-Stealing Malware

Indian Software Firm's Products Hacked to Spread Data-Stealing Malware

Jul 01, 2024 Supply Chain Attack / Threat Intelligence
Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware. The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24 within 12 hours of responsible disclosure. "The installers had been trojanized to execute information-stealing malware that has the capability to download and execute additional payloads," the company said , adding the malicious versions had a larger file size than their legitimate counterparts. Specifically, the malware is equipped to steal browser credentials and cryptocurrency wallet information, log clipboard contents and keystrokes, and download and execute additional payloads on infected Windows hosts. It also sets up persistence using a scheduled task to execute the main paylo
Russian National Indicted for Cyber Attacks on Ukraine Before 2022 Invasion

Russian National Indicted for Cyber Attacks on Ukraine Before 2022 Invasion

Jun 27, 2024 Cyber Crime / Cyber Warfare
A 22-year-old Russian national has been indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine and its allies in the days leading to Russia's full-blown military invasion of Ukraine in early 2022. Amin Timovich Stigal, the defendant in question, is assessed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). He remains at large. If convicted, he faces a maximum penalty of five years in prison. Concurrent with the action, the U.S. Department of State's Rewards for Justice program is offering a reward of up to $10 million for information pertaining to his whereabouts or the malicious cyber attacks he is associated with. "The defendant conspired with Russian military intelligence on the eve of Russia's unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States,&quo
New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites

New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites

Jun 26, 2024 Web Skimming / Website Security
Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information .  According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP file associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details. "For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said , noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager. Specifically, it utilizes the same substitution mechanism employed in Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload.
New Cyberthreat 'Boolka' Deploying BMANAGER Trojan via SQLi Attacks

New Cyberthreat 'Boolka' Deploying BMANAGER Trojan via SQLi Attacks

Jun 25, 2024 Data Theft / Web Security
A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER . "The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022," Group-IB researchers Rustam Mirkasymov and Martijn van den Berk said in a report published last week. "Over the last three years, the threat actors have been infecting vulnerable websites with malicious JavaScript scripts capable of intercepting any data entered on an infected website." Boolka gets its name from the JavaScript code inserted into the website that beacons out to a command-and-control server named "boolka[.]tk" every time an unsuspecting visitor lands on the infected site. The JavaScript is also designed to collect and exfiltrate user inputs and interactions in a Base64-encoded format, indicating the use of the malware
Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Jun 24, 2024 Mobile Security / Threat Intelligence
Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps. "It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week. It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware. The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads. The campaign, which took place in April 2024, is said to have utilized military-them
Singapore Police Extradites Malaysians Linked to Android Malware Fraud

Singapore Police Extradites Malaysians Linked to Android Malware Fraud

Jun 18, 2024 Mobile Security / Financial Fraud
The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing their personal data and banking credentials. The stolen information was subsequently used to initiate fraudulent transactions on the victims' banking accounts, resulting in financial losses. Following a seven-months-long investigation that was launched in November 2023 in partnership with the Hong Kong Police Force (HKPF) and the Royal Malaysia Police (RMP), the SPF said it found evidence linking the two men to a syndicate responsible for carrying out malware-enabled scams. "The two men [...] allegedly operated servers for the purposes of infecting victims' Android mobile phones w
U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain

U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain

Jun 16, 2024 Cybercrime / SIM Swapping
Law enforcement authorities have allegedly arrested a key member of the notorious cybercrime group called Scattered Spider. The individual, a 22-year-old man from the United Kingdom, was arrested this week in the Spanish city of Palma de Mallorca as he attempted to board a flight to Italy. The move is part of a joint effort between the U.S. Federal Bureau of Investigation (FBI) and the Spanish National Police that began last May. News of the arrest was first reported by Murcia Today on June 14, 2024, with vx-underground subsequently revealing that the apprehended party is "associated with several other high profile ransomware attacks performed by Scattered Spider." The malware research group further said the individual was a SIM swapper who operated under the alias "Tyler." SIM swapping attacks work by calling the telecom provider to transfer a target's phone number to a SIM under their control with the goal of intercepting their messages, including one-
Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign

Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign

Jun 11, 2024 Data Theft / Cloud Security
As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the cloud data warehousing platform in its incident response efforts, is tracking the as-yet-unclassified activity cluster under the name UNC5537 , describing it as a financially motivated threat actor. "UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims," the threat intelligence firm said on Monday. "UNC5537 has targeted hundreds of organizations worldwide, and frequently extorts victims for financial gain. UNC5537 operates under various aliases on Telegram channels and cybercrime forums." There is evidence to suggest tha
Hackers Target Python Developers with Fake "Crytic-Compilers" Package on PyPI

Hackers Target Python Developers with Fake "Crytic-Compilers" Package on PyPI

Jun 06, 2024 Software Security / Data Theft
Cybersecurity researchers have discovered a malicious Python package uploaded to the Python Package Index (PyPI) repository that's designed to deliver an information stealer called Lumma (aka LummaC2). The package in question is crytic-compilers, a typosquatted version of a legitimate library named crytic-compile . The rogue package was downloaded 441 times before it was taken down by PyPI maintainers. "The counterfeit library is interesting in that, in addition [to] being named after the legitimate Python utility, 'crytic-compile,' it aligns its version numbers with the real library," Sonatype security researcher Ax Sharma said . "Whereas the real library's latest version stops at 0.3.7, the counterfeit 'crytic-compilers' version picks up right here, and ends at 0.3.11 — giving off the impression that this is a newer version of the component." In a further attempt to keep up the ruse, some versions of crytic-compilers (e.g., 0.3.9) we
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New 'Brokewell' Android Malware Spread Through Fake Browser Updates

Apr 26, 2024 Mobile Security / Cybercrime
Fake browser updates are being used to push a previously undocumented Android malware called  Brokewell . "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric  said  in an analysis published Thursday. The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches. The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows - jcwAz.EpLIq.vcAZiUGZpK (Google Chrome) zRFxj.ieubP.lWZzwlluca (ID Austria) com.brkwl.upstracking (Klarna) Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting  accessibility service permissions . The banking trojan, once installed and launched for the first time, pro
CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

Apr 24, 2024 Malware / Data Security
A new ongoing malware campaign has been observed distributing three different stealers, such as  CryptBot ,  LummaC2 , and  Rhadamanthys  hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as  CoralRaider , a suspected Vietnamese-origin group that came to light earlier this month. This assessment is based on "several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider's Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine," the company said. Targets of the campaign span various business verticals across geographies, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria, and Turkey.
Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware

Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware

Mar 30, 2024 Malware / Cryptocurrency
Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users. The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims' Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs  said  in a report published Friday. One such attack chain targets users searching for Arc Browser on search engines like Google to serve bogus ads that redirect users to look-alike sites ("airci[.]net") that serve the malware. "Interestingly, the malicious website cannot be accessed directly, as it returns an error," security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. "It can only be accessed through a generated sponsored link, presumably to evade detection." The disk image file downloaded from the counterfeit website ("ArcSetup.dmg") delivers  Atomic Stealer , which i
Expert Insights / Articles Videos
Cybersecurity Resources