cybersecurity | Breaking Cybersecurity News | The Hacker News

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Oct 17, 2023 Vulnerability / Network Security
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that's under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is tracked as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It's worth pointing out that the shortcoming only affects enterprise networking gear that has the Web UI feature enabled and exposed to the internet or to untrusted networks. "This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access," Cisco said in a Monday advisory. "The attacker can then use that account to gain control of the affected system." The problem impacts both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS server feature enabled. As a mitigation, it's recommended to disable the HTTP server feature on internet-facing systems. The networ
Researchers Uncover Malware Posing as WordPress Caching Plugin

Oct 12, 2023 Website Security / WordPress
Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades as a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional-looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, and has pinging functionality that allows a malicious actor to check if the script is still operational, as well as file modification capabilities," Wordfence said. The plugin also offers the ability to activate and deactivate arbitrary plugins on the site remotely as well as create rogue admin accounts with the username superadmin and a hard-coded password. In what's seen as an attempt to erase traces of compromise, it features a function named "_pln_cmd_hide" that's designed to remove the superadmin account when it's no longer req
New SaaS Security Solution at a No-Brainer Price - Start Free, Decide Later

wing.security | SaaS Security / SSPM
Wing Security recently released "Essential SSPM" to make SaaS security easy and accessible to anyone.
Researchers Uncover Ongoing Attacks Targeting Asian Governments and Telecom Giants

Oct 12, 2023 Cyber Attack / Malware
High-profile government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 that's designed to deploy basic backdoors and loaders for delivering next-stage malware. Cybersecurity company Check Point is tracking the activity under the name Stayin' Alive. Targets include organizations located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan. "The simplistic nature of the tools [...] and their wide variation suggests they are disposable, mostly utilized to download and run additional payloads," it said in a report published Wednesday. "These tools share no clear code overlaps with products created by any known actors and do not have much in common with each other." What's notable about the campaign is that the infrastructure shares overlaps with that used by ToddyCat, a China-linked threat actor known for orchestrating cyber assaults against government and military agencies in Europe and Asia since at least
CISA Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

Oct 11, 2023 Vulnerability / Exploit
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user. A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were credited with discovering and reporting the flaw. The following versions of the software are impacted -
- Acrobat DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat Reader DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436)
- Acrobat Reader 2020 - 20.005.30418 and earl
New Report: Child Sexual Abuse Content and Online Risks to Children on the Rise

Oct 10, 2023 Cybersecurity / Online Security
Certain online risks to children are on the rise, according to a recent report from Thorn, a technology nonprofit whose mission is to build technology to defend children from sexual abuse. Research shared in the Emerging Online Trends in Child Sexual Abuse 2023 report indicates that minors are increasingly taking and sharing sexual images of themselves. This activity may occur consensually or coercively, as youth also report an increase in risky online interactions with adults. "In our digitally connected world, child sexual abuse material is easily and increasingly shared on the platforms we use in our daily lives," said John Starr, VP of Strategic Impact at Thorn. "Harmful interactions between youth and adults are not isolated to the dark corners of the web. As fast as the digital community builds innovative platforms, predators are co-opting these spaces to exploit children and share this egregious content." These trends and others shared in the Emerging O
New OS Tool Tells You Who Has Access to What Data

Oct 06, 2023 Data Security / Compliance
Ensuring sensitive data remains confidential, protected from unauthorized access, and compliant with data privacy regulations is paramount. Data breaches not only result in financial and reputational damage but also lead to legal consequences. Therefore, robust data access security measures are essential to safeguard an organization's assets, maintain customer trust, and meet regulatory requirements. A comprehensive Data Security Platform is essential for full visibility and control of sensitive data. One example is Satori's Universal Data Permissions Scanner (UDPS), an open-source authorization analysis tool. UDPS, available on GitHub, enables universal visibility into data access permissions across various data stores. With this tool, it's easier to identify who has the potential to access sensitive data, which can help organizations take a proactive approach to enhancing their security posture, streamline compliance, and ensure well-governed data access. Understanding the Need for U
CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

Oct 05, 2023 Vulnerability / Cyber Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below -
- CVE-2023-42793 (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability
- CVE-2023-28229 (CVSS score: 7.0) - Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability
CVE-2023-42793 relates to a critical authentication bypass vulnerability that allows for remote code execution on TeamCity Server. Data gathered by GreyNoise has revealed exploitation attempts targeting the flaw from 74 unique IP addresses to date. On the other hand, CVE-2023-28229 is a high-severity flaw in the Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service that allows an attacker to gain specific limited SYSTEM privileges. There are curren
Wing Disrupts the Market by Introducing Affordable SaaS Security

Oct 04, 2023 SaaS Security / Enterprise Security
Today, mid-sized companies and their CISOs are struggling to handle the growing threat of SaaS security with limited manpower and tight budgets. Now, this may be changing. By focusing on the critical SaaS security needs of these companies, a new approach has emerged that can be launched for $1,500 a year. If the name Wing Security (Wing) rings a bell, it is probably because earlier this year, they made waves by offering SaaS shadow IT discovery completely for free. Today, Wing is once again aiming to disrupt the SaaS security market by offering a new tier that the company claims to be 'The essential SaaS security level that every company should achieve.' The new product tier focuses on SaaS shadow IT discovery, automated vendor risk assessments, and the ability to easily perform user access reviews on dozens of critical business applications. Wing also provides the ability to generate compliance-ready access reports that customers can then send to their auditor. The c
Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch

Oct 03, 2023 Artificial Intelligence / Cyber Threat
Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch. "These vulnerabilities [...] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover," security researchers Idan Levcovich, Guy Kaplan, and Gal Elbaz said. The list of flaws, which have been addressed in version 0.8.2, is as follows -
- No CVE - Unauthenticated management interface API misconfiguration that binds it to 0.0.0.0 by default instead of localhost, making it accessible to external requests.
- CVE-2023-43654 (CVS
BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground

Oct 02, 2023 Cyber Threat / Malware
Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that's being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an analysis published last week. Its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim's clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses. A C/C++-based loader offered for $250 for a lifetime license, the malware is said to have been under continuous development since its debut on September 4, 2023, with new features and enhancements that incorporate anti-sandbox and antivirus evasion
China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies

Sep 28, 2023 Cyber Espionage / Threat Intel
Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries. The attacks have been tied to a malicious cyber actor dubbed BlackTech by the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). "BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets," the agencies said in a joint alert. Targeted sectors encompass government, industrial, technology, media, electronics
The Dark Side of Browser Isolation – and the Next Generation Browser Security Technologies

Sep 28, 2023 Browser Security / Cybersecurity
The landscape of browser security has undergone significant changes over the past decade. While Browser Isolation was once considered the gold standard for protecting against browser exploits and malware downloads, it has become increasingly inadequate and insecure in today's SaaS-centric world. The limitations of Browser Isolation, such as degraded browser performance and inability to tackle modern web-borne threats like phishing and malicious extensions, necessitate a shift towards more advanced solutions. These are the findings of a new report, titled "The Dark Side of Browser Isolation and the Next Generation of Browser Security" (Download here).
The Roots of Browser Isolation
In the past, traditional signature-based antiviruses were commonly used to protect against on-device malware infections. However, they failed to block two main types of threats. The first is browser exploits, especially in Microsoft's Internet Explorer. The second is drive-by malware down
From Watering Hole to Spyware: EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese

Sep 25, 2023 Spyware / Cyber Espionage
Tibetan, Uyghur, and Taiwanese individuals and organizations are the targets of a persistent campaign orchestrated by a threat actor codenamed EvilBamboo to gather sensitive information. "The attacker has created fake Tibetan websites, along with social media profiles, likely used to deploy browser-based exploits against targeted users," Volexity security researchers Callum Roxan, Paul Rascagneres, and Thomas Lancaster said in a report published last week. "Partly through impersonating existing popular communities, the attacker has built communities on online platforms, such as Telegram, to aid in distribution of their malware." EvilBamboo, formerly tracked by the cybersecurity firm under the name Evil Eye, has been linked to multiple attack waves since at least 2019, with the threat actor leveraging watering hole attacks to deliver spyware targeting Android and iOS devices. It's also known as Earth Empusa and POISON CARP. The intrusions directed agai
The Rise of the Malicious App

Sep 21, 2023 SaaS Security / App Security
Security teams are familiar with threats emanating from third-party applications that employees add to improve their productivity. These apps are inherently designed to deliver functionality to users by connecting to a "hub" app, such as Salesforce, Google Workspace, or Microsoft 365. Security concerns center on the permission scopes that are granted to the third-party apps, and the potential for a threat actor to take over the core apps and abuse those permissions. There's no real concern that the app, on its own, will start deleting files or sharing data. As such, SaaS Security Posture Management (SSPM) solutions are able to identify integrated third-party applications and present their permission scopes. The security team then makes a risk assessment, balancing the benefits the app offers with its permission scopes before deciding whether to keep or decouple the applications. However, threat actors have changed the playing field with the introduction of malicious apps. These appl
Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys

Sep 20, 2023 Kubernetes / Supply Chain Attack
Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts. "These packages [...] attempt to impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools," the software supply chain security firm said. "But, upon installation, multiple versions of the packages were seen running obfuscated code to collect and siphon sensitive files from the target machine." Along with Kubernetes config and SSH ke