hacking | Breaking Cybersecurity News | The Hacker News

Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to effectively bypass common defense strategies.  Cyble, a renowned cyber threat intelligence company recognized for its research and findings, recently released its  Q3 Ransomware Report . This article delves into the significant developments from the third quarter of 2023, as detailed in the Q3 Ransomware Report, and offers predictions for upcoming quarters. The primary objective is to provide a comprehensive recap of the major targets, both sector-wise and by nation and region. Additionally, the article will highlight new techniques used, emphasizing major incidents and developments that potential targets should be aware of. We will also discuss anticipated trends in the future evolution of ransomware. The increased weaponization of Vulnerabilities to

The leak of the  LockBit 3.0 ransomware  builder last year has led to threat actors abusing the tool to spawn new variants. Russian cybersecurity company Kaspersky said it detected a ransomware intrusion that deployed a version of LockBit but with a markedly different ransom demand procedure. "The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY," security researchers Eduardo Ovalle and Francesco Figurelli  said . The revamped ransom note directly specified the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the LockBit group, which doesn't mention the amount and uses its own communication and negotiation platform. NATIONAL HAZARD AGENCY is far from the only cybercrime gang to use the leaked LockBit 3.0 builder. Some of the other threat actors known to leverage it include  Bl00dy and Buhti . Kaspersk

A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as  CVE-2023-38831 , allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files. It was addressed in  version 6.23  released on August 2, 2023, alongside CVE-2023-40477. In attacks discovered by the Singapore-based firm in July 2023, specially crafted ZIP or RAR archive files distributed via trading-related forums such as Forex Station have been used to deliver a variety of malware families such as DarkMe,  GuLoader , and  Remcos RAT . "After infecting devices, the cybercriminals withdraw money from broker accounts," Group-IB malware analyst Andrey Polovinkin  said , adding as many as 130 traders' devices have been compromised as part of the campaign. T

A "staggering" 120,000 computers infected by stealer malware have credentials associated with cybercrime forums, many of them belonging to malicious actors. The  findings  come from Hudson Rock, which analyzed data collected from computers compromised between 2018 to 2023. "Hackers around the world infect computers opportunistically by promoting results for fake software or through YouTube tutorials directing victims to download infected software," Hudson Rock CTO Alon Gal told The Hacker News. "It is not a case of the threat actor infecting his own computer, it is that out of the 14,500,000 computers we have in our cybercrime database, some of them happen to be hackers that  accidentally got infected ." Data retrieved from machines compromised by stealer malware is often expansive and wide-ranging, enabling the real-world identities of hackers to be discovered based on indicators such as credentials, addresses, phone numbers, computer names, and IP a

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS). "The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible," Draogos  said . The list of flaws is as follows - CVE-2023-3595  (CVSS score: 9.8) - An out-of-bounds write flaw impacting 1756 EN2* and 1756 EN3* products that could result in arbitrary code execution with persistence on the target system through maliciously crafted common industrial protocol ( CIP ) messages. CVE-2023-3596  (CVSS score: 7.5

Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks. One of the vulnerabilities tracked as CVE-2023-26083 is a memory leak flaw affecting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. This particular vulnerability was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022. This vulnerability was regarded as serious enough to prompt the Cybersecurity and Infrastructure Security Agency (CISA) to issue a patching order for federal agencies in April 2023. Another significant vulnerability, identified as CVE-2021-29256, is a high-severity issue that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. This flaw permits an unprivileged user to gain unauthorized access to sensitive data and escalate privileges to the root lev

JumpCloud, a provider of cloud-based identity and access management solutions, has swiftly reacted to an ongoing cybersecurity incident that impacted some of its clients. As part of its damage control efforts, JumpCloud has reset the application programming interface (API) keys of all customers affected by this event, aiming to protect their valuable data. The company has informed the concerned clients about the critical nature of this move, reinforcing its commitment to safeguarding their operations and organizations. This API key reset will, however, disrupt certain functionalities like AD import, HRIS integrations, JumpCloud PowerShell modules, JumpCloud Slack apps, Directory Insights Serverless apps, ADMU, third-party zero-touch MDM packages, Command Triggers, Okta SCIM integration, Azure AD SCIM integration, Workato, Aquera, Tray, and more. Despite the potential disruptions, JumpCloud maintains that the key reset is for the greater good of its clients. For those needing assis

As many as five security flaws have been disclosed in Netgear RAX30 routers that could be chained to bypass authentication and achieve remote code execution. "Successful exploits could allow attackers to monitor users' internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic," Claroty security researcher Uri Katz  said  in a report. Additionally, a network-adjacent threat actor could also weaponize the flaws to access and control networked smart devices like security cameras, thermostats, smart locks; tamper with router settings, and even use a compromised network to launch attacks against other devices or networks. The list of flaws, which were  demonstrated  at the Pwn2Own hacking competition held at Toronto in December 2022, is as follows - CVE-2023-27357 (CVSS score: 6.5) - Missing Authentication Information Disclosure Vulnerability CVE-2023-27368 (CVSS score: 8.8) - Stack-based Buffer

A nascent botnet called  Andoryu  has been found to  exploit  a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices. The  flaw , tracked as  CVE-2023-25717  (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment. Andoryu was  first documented  by Chinese cybersecurity firm QiAnXin earlier this February, detailing its ability to communicate with command-and-control (C2) servers using the  SOCKS5 protocol . While the malware is known to weaponize remote code execution flaws in GitLab ( CVE-2021-22205 ) and Lilin DVR for propagation, the addition of CVE-2023-25717 shows that Andoryu is actively expanding its exploit arsenal to ensnare more devices into the botnet. "It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies," Fort

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency  attributed  the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates. Running the script loads and executes a next-stage PowerShell script that's designed to collect basic system information through commands like  tasklist  and  systeminfo , and exfiltrate the details via an HTTP request to a  Mocky API . To trick the targets into running the command, the emails impersonate system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees'

A significant number of victims in the consumer and enterprise sectors located across Australia, Japan, the U.S., and India have been affected by an evasive information-stealing malware called  ViperSoftX . ViperSoftX was first documented by Fortinet in 2020, with cybersecurity company Avast detailing a campaign in November 2022 that  leveraged  the malware to distribute a malicious Google Chrome extension capable of siphoning cryptocurrencies from wallet applications. Now a  new analysis  from Trend Micro has revealed the malware's adoption of "more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking." The arrival vector of ViperSoftX is typically a software crack or a key generator (keygen), while also employing actual non-malicious software like multimedia editors and system cleaner apps as "carriers." One of the key steps performed by the malware before downloading a first-stage Po

The browser serves as the primary interface between the on-premises environment, the cloud, and the web in the modern enterprise. Therefore, the browser is also exposed to multiple types of cyber threats and operational risks.  In light of this significant challenge, how are CISOs responding? LayerX, Browser Security platform provider, has polled more than 150 CISOs across multiple verticals and geolocations. They asked them about their security practices for SaaS access, BYOD, phishing, browser data loss and browser security. The results of this extensive poll can be found in the report "2023 Browser Security Survey". In this article, we bring a taste of the report. You can read all the results and analysis here . Main Highlights Organizations in the cloud are exposed to web-borne attacks. 87% of all-SaaS adopters and 79% of CISOs in a hybrid environment experienced a web-borne security threat in the past 12 months. Account takeover is a top concern. 48% list credential phis

Google on Tuesday rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its Chrome web browser. The flaw, tracked as  CVE-2023-2136 , is  described  as a case of  integer overflow  in  Skia , an open source 2D graphics library. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on April 12, 2023. "Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,"  according  to the NIST's National Vulnerability Database (NVD). The tech giant, which also fixed seven other security issues with the latest update, said it's aware of active exploitation of the flaw, but did not disclose additional details to prevent further abuse. The development marks the second Chrome zero-day vulnerability to be exploited by malicious actors th

Cybersecurity researchers have detailed the inner workings of a highly evasive loader named " in2al5d p3in4er " (read: invalid printer) that's used to deliver the Aurora information stealer malware. "The in2al5d p3in4er loader is compiled with  Embarcadero RAD Studio  and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec  said  in a report shared with The Hacker News. Aurora  is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it's distributed through  YouTube videos  and SEO-poised fake cracked software download websites. Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the garb of a seemingly-legitimate utility. The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card install

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. "Threat actors (TAs) using built-in  data exfiltration   methods  like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms," Palo Alto Networks Unit 42 researcher Ryan Chapman  said . "These methods can also hide within the general operating environment, providing subversion to the threat actor." Vice Society , tracked by Microsoft under the name DEV-0832, is an extortion-focused hacking group that emerged on the scene in May 2021. It's known to rely on ransomware binaries sold on the criminal underground to meet its goals. In December 2022, SentinelOne detailed the group's use of a ransomware variant, dubbed  PolyVi

U.S. President Joe Biden on Monday  signed an executive order  that restricts the use of commercial spyware by federal government agencies. The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person." It also seeks to ensure that the government's use of such tools is done in a manner that's "consistent with respect for the rule of law, human rights, and democratic norms and values." To that end, the order lays out the various criteria under which commercial spyware could be disqualified for use by U.S. government agencies. They include - The purchase of commercial spyware by a foreign government or person to target the U.S. government, A commercial spyware vendor that uses or discloses sensitive data obtained from the cyber surveillance tool without authorization and operates under the control of a foreign g

Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges," the company  said  in an advisory published over the weekend. "The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean," it further added. The company said that the server to which the malicious Java application was uploaded was by default configured to start applications present in the deployment folder ("/batm/app/admin/standalone/deployments/"). In doing so, the attack allowed the threat actor to access the database; read and decry