malware protection | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings. Smart App Control ( SAC ) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run on the system. In cases where the service is unable to make a prediction about the app, it checks if it's signed or has a valid signature so as to be executed. SmartScreen, which was released alongside Windows 10, is a similar security feature that determines whether a site or a downloaded app is potentially malicious. It also leverages a reputation-based approach for URL and app protection. "Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content," Redmond notes in its documentation. "I

Incident response is a structured approach to managing and addressing security breaches or cyber-attacks. Security teams must overcome challenges such as timely detection, comprehensive data collection, and coordinated actions to enhance readiness. Improving these areas ensures a swift and effective response, minimizing damage and restoring normal operations quickly. Challenges in incident response Incident response presents several challenges that must be addressed to ensure a swift and effective recovery from cyber attacks. The following section lists some of these challenges. Timeliness : One of the primary challenges in incident response is addressing incidents quickly enough to minimize damage. Delays in response can lead to more compromises and increased recovery costs. Information correlation : Security teams often struggle to effectively collect and correlate relevant data. Without a comprehensive view, understanding the full scope and impact of the incident becomes difficu

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

A new cyber attack campaign has been observed using spurious  MSIX  Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed  GHOSTPULSE . "MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs researcher Joe Desimone  said  in a technical report published last week. "However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources." Based on the installers used as lures, it's suspected that potential targets are  enticed  into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising. Launching the MSIX file opens a Windows prompting the users to click the Install button, doing so which res

For the last few years, the cybersecurity threat landscape has gotten progressively more complex and dangerous. The online world is now rife with data thieves, extortionists, and even state actors looking to exploit vulnerabilities in businesses' digital defenses.  And unfortunately — the bad guys have the upper hand at the moment. Part of the reason for that is the fallout from the rapid digitization made necessary by the COVID-19 pandemic. According to research on the subject,  more than half of businesses  have yet to mitigate the risks created by that digitization. And when you add a persistent shortage of cybersecurity workers to that fact, you have the makings of a scary situation. But businesses aren't helpless. There are plenty of things they can do to augment their defenses as they look to mitigate cyber risks. And best of all, some of those options won't cost them a thing. A great example of that is the open-source security platform  Wazuh . It offers busines

A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that  Lazarus  attackers are following the trends and their  arsenal  is in  constant development . "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity," Russian cybersecurity firm Kaspersky  said  in a deep-dive published Tuesday. Victims of the attack are in the manufacturing, home network service, media, and construction sectors. Designated as part of the Lazarus constellation, Andariel is known for unleashing attacks on South Korean organizations and businesses using specifically tailored methods created for maximum effectivity. In September 2019, the sub-group, along with Lazarus and Bluenoroff, was  sanctioned by the U.S. Treasury Department  for their malicious cyber activity on critical infrastructure. Anda

Researchers have disclosed significant security weaknesses in popular antivirus software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses. The twin attacks,  detailed  by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka "Cut-and-Mouse") and disabling their real-time protection by simulating mouse "click" events (aka "Ghost Control"). "Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals,"  said  Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with cri

Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker's newly announced 11th generation Core  vPro  business-class processors. The hardware-based security enhancements are baked into Intel's vPro platform via its  Hardware Shield  and  Threat Detection Technology  (TDT), enabling profiling and detection of ransomware and other threats that have an impact on the CPU performance. "The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks," Cybereason  said . Exclusive to vPro, Intel Hardware Shield provides protections against firmware-level attacks targeting the  BIOS , thereby ensuring that the operating system (OS) runs on legitimate hardware as well as minimizing the risk of malicious code injection by locking down memory in the BIOS when the software is running to help prevent planted malware from compromising the OS

Cybersecurity agencies in the US and UK yesterday issued a joint advisory about a massive ongoing malware threat infecting Taiwanese company QNAP's network-attached storage (NAS) appliances. Called QSnatch (or Derek), the data-stealing malware is said to have compromised 62,000 devices since reports emerged last October, with a high degree of infection in Western Europe and North America. "All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes," the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) said in the alert. "Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates." The mode of compromise, i.e., the infection vector, still remains unclear, but CISA and NCSC said the first campaign likely began in 2014 and continued till mid-2017 before intensifying over th

Cybersecurity researchers on Tuesday detailed as many as four different families of Brazilian banking trojans that have targeted financial institutions in Brazil, Latin America, and Europe. Collectively called the "Tetrade" by Kaspersky researchers, the malware families — comprising Guildma, Javali, Melcoz, and Grandoreiro — have evolved their capabilities to function as a backdoor and adopt a variety of obfuscation techniques to hide its malicious activities from security software. "Guildma, Javali, Melcoz and Grandoreiro are examples of yet another Brazilian banking group/operation that has decided to expand its attacks abroad, targeting banks in other countries," Kaspersky said in an analysis . "They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easy to extend their attacks against customers of these financial institutions." A Multi-Stage Malware Deployment Process

Cybersecurity researchers today uncovered new details of watering hole attacks against the Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes. The advanced persistent threat behind the operation, called StrongPity , has retooled with new tactics to control compromised machines, cybersecurity firm Bitdefender said in a report shared with The Hacker News. "Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking," the researchers said. With the timestamps of the analyzed malware samples used in the campaign coinciding with the Turkish offensive into north-eastern Syria (codenamed Operation Peace Spring )

VirusTotal, the famous multi-antivirus scanning service owned by Google, recently announced new threat detection capabilities it added with the help of an Israeli cybersecurity firm. VirusTotal provides a free online service that analyzes suspicious files and URLs to detect malware and automatically shares them with the security community. With the onslaught of new malware types and samples, researchers rely on the rapid discovery and sharing provided by VirusTotal to keep their companies safe from attacks. VirusTotal relies on a continuous stream of new malware discoveries to protect its members from significant damage. Cynet , the creator of the autonomous breach protection platform, has now integrated its Cynet Detection Engine into VirusTotal. The benefits of this partnership are twofold. First, Cynet provides the VirusTotal partner network cutting-edge threat intelligence from its ML-based detection engine (CyAI) that actively protects the company's clients around th

Cybersecurity researchers today uncovered the modus operandi of an elusive threat group that hacks into the high-profile military and diplomatic entities in Eastern Europe for espionage. The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted firms, resulting in an extensive look into InvisiMole's operations and the group's tactics, tools, and procedures (TTPs). "ESET researchers conducted an investigation of these attacks in cooperation with the affected organizations and were able to uncover the extensive, sophisticated tool-sets used for delivery, lateral movement, and execution of InvisiMole's backdoors," the company said in a report shared with The Hacker News. Cooperation with the Gamaredon Group First discovered in 2018 , InvisiMole has been active at least since 2013 in connection with targeted cyber-espionage operations in Ukraine and Russia. After slipping under the radar, the threat actor returned late

Cybersecurity researchers today took the wraps off a new sophisticated cyber-espionage campaign directed against aerospace and military organizations in Europe and the Middle East with an aim to spy on key employees of the targeted firms and, in some case, even to siphon money. The campaign, dubbed " Operation In(ter)ception " because of a reference to "Inception" in the malware sample, took place between September to December 2019, according to a new report cybersecurity firm ESET shared with The Hacker News. "The primary goal of the operation was espionage," the researchers told The Hacker News. "However, in one of the cases we investigated, the attackers tried to monetize access to a victim's email account through a business email compromise (BEC) attack as the final stage of the operation." The financial motivation behind the attacks, coupled with similarities in targeting and development environment, have led ESET to suspect Laz

Chinese security firm Qihoo 360 Netlab said it partnered with tech giant Baidu to disrupt a malware botnet infecting over hundreds of thousands of systems. The botnet was traced back to a group it calls ShuangQiang (also called Double Gun ), which has been behind several attacks since 2017 aimed at compromising Windows computers with MBR and VBR bootkits , and installing malicious drivers for financial gain and hijack web traffic to e-commerce sites. In addition to using images uploaded to Baidu Tieba to distribute configuration files and malware — a technique called steganography — the group has begun using Alibaba Cloud storage to host configuration files and Baidu's analytics platform Tongji to manage the activity of its infected hosts, the researchers said. The initial compromise relies on luring unsuspecting users to install game launching software from sketchy game portals that contain malicious code under the guise of a patch. Once the user downloads and inst