data security | Breaking Cybersecurity News | The Hacker News

A South Korea-aligned cyber espionage has been linked to the zero-day exploitation of a now-patched critical remote code execution flaw in Kingsoft WPS Office to deploy a bespoke backdoor dubbed SpyGlace. The activity has been attributed to a threat actor dubbed APT-C-60 , according to cybersecurity firms ESET and DBAPPSecurity. The attacks have been found to infect Chinese and East Asian users with malware. The security flaw in question is CVE-2024-7262 (CVSS score: 9.3), which stems from a lack of proper validation of user-provided file paths. This loophole essentially allows an adversary to upload an arbitrary Windows library and achieve remote code execution. The bug "allows code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe," ESET said , adding it found another way to achieve the same effect. The second vulnerability is tracked as CVE-2024-7263 (CVSS score: 9.3). The attack conceived by APT-C-60 weaponizes the

The Dutch Data Protection Authority (DPA) has fined Uber a record €290 million ($324 million) for allegedly failing to comply with European Union (E.U.) data protection standards when sending sensitive driver data to the U.S. "The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (U.S.) and failed to appropriately safeguard the data with regard to these transfers," the agency said . The data protection watchdog said the move constitutes a "serious" violation of the General Data Protection Regulation (GDPR). In response, the ride-hailing, courier, and food delivery service has ended the practice. Uber is believed to have collected drivers' sensitive information and retained it on U.S.-based servers for over two years. This included account details and taxi licenses, location data, photos, payment details, and identity documents. In some cases, it also contained criminal and medical data of drivers. The DPA accu

Want to know what's the latest and greatest in SecOps for 2024? Gartner's recently released Hype Cycle for Security Operations report takes important steps to organize and mature the domain of Continuous Threat Exposure Management, aka CTEM. Three categories within this domain are included in this year's report: Threat Exposure Management, Exposure Assessment Platforms (EAP), and Adversarial Exposure Validation (AEV). These category definitions are aimed at providing some structure to the evolving landscape of exposure management technologies. Pentera, listed as a sample vendor in the newly defined AEV category, is playing a pivotal role in increasing the adoption of CTEM, with a focus on security validation. Following is our take on the CTEM related product categories and what they mean for enterprise security leaders. The Industry is Maturing CTEM, coined by Gartner in 2022, presents a structural approach for continuously assessing, prioritizing, validating, and remediating expo

It's no great revelation to say that SaaS applications have changed the way we operate, both in our personal and professional lives. We routinely rely on cloud-based and remote applications to conduct our basic functions, with the result that the only true perimeter of our networks has become the identities with which we log into these services. Unfortunately – as is so often the case – our appetite for better workflows, collaboration, and communications outpaced our willingness to make sure these tools and processes were secure as we hooked them into our environments, handing off our control of the security of our data. Each of these applications asks for various amounts of permissions into our data, which often rely on other vendors' services, creating not a network, but a tangle of interdependent intricacies that has become so complex most security and IT teams don't even know how many SaaS applications are connected in, let alone what they are or their access permissi

Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader called FakeBat. "These attacks are opportunistic in nature, targeting users seeking popular business software," the Mandiant Managed Defense team said in a technical report. "The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload." FakeBat , also called EugenLoader and PaykLoader, is linked to a threat actor named Eugenfest. The Google-owned threat intelligence team is tracking the malware under the name NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536. Attack chains propagating the loader malware make use of drive-by download techniques to push users searching for popular software toward bogus lookalike sites that host booby-trapped MSI installers. Some of the malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma

Incident response is a structured approach to managing and addressing security breaches or cyber-attacks. Security teams must overcome challenges such as timely detection, comprehensive data collection, and coordinated actions to enhance readiness. Improving these areas ensures a swift and effective response, minimizing damage and restoring normal operations quickly. Challenges in incident response Incident response presents several challenges that must be addressed to ensure a swift and effective recovery from cyber attacks. The following section lists some of these challenges. Timeliness : One of the primary challenges in incident response is addressing incidents quickly enough to minimize damage. Delays in response can lead to more compromises and increased recovery costs. Information correlation : Security teams often struggle to effectively collect and correlate relevant data. Without a comprehensive view, understanding the full scope and impact of the incident becomes difficu

Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere. Organizations know they must encrypt their most valuable, sensitive data to prevent data theft and breaches. They also understand that organizational data exists to be used. To be searched, viewed, and modified to keep businesses running. Unfortunately, our Network and Data Security Engineers were taught for decades that you just can't search or edit data while in an encrypted state. The best they could do was to wrap that plaintext, unencrypted data within a cocoon of complex hardware, software, policies, controls, and governance. And how has that worked to date? Just look at the T-Mobile breach, the United Healthcare breach, Uber, Verizon, Kaiser Foundation Health Plan, Bank of America, Prudential… and the list goes on. All the data that was stolen in those breaches remained unencrypted to support day-to-day operations. It's safe to conclude that the way we

Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike. "CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," the company's CEO George Kurtz said in a statement . "Mac and Linux hosts are not impacted. This is not a security incident or cyber attack." The company, which acknowledged "reports of [ Blue Screens of Death ] on Windows hosts," further said it has identified the issue and a fix has been deployed for its Falcon Sensor product, urging customers to refer to the support portal for the latest updates. For systems that have been already impacted by the problem, the mitigation instructions are listed below - Boot Windows in Safe Mode or Windows Recovery Environment Navigate to the C:\Windows\System32\drivers\CrowdStrike directory Find the file named &qu

The financially motivated threat actor known as FIN7 has been observed using multiple pseudonyms across several underground forums to likely advertise a security dodging tool known to be used by ransomware groups like AvosLocker, Black Basta, BlackCat, LockBit, and Trigona. "AvNeutralizer (aka AuKill ), a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple ransomware groups," cybersecurity company SentinelOne said in a report shared with The Hacker News. FIN7, an e-crime group of Russian and Ukrainian origin, has been a persistent threat since at least 2012, shifting gears from its initial targeting of point-of-sale (PoS) terminals to acting as a ransomware affiliate for now-defunct gangs such as REvil and Conti, before launching its own ransomware-as-a-service (RaaS) programs DarkSide and BlackMatter. The threat actor, which is also tracked under the names Carbanak, Carbon Spide

Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API. "Users are recommended to upgrade to version 1.3.0 with Java11 and enable the Auth system, which fixes the issue," the Apache Software Foundation noted in late April 2024. "Also you could enable the 'Whitelist-IP/port' function to improve the security of RESTful-API execution." Additional technical specifics about the flaw were released by penetration testing company SecureLayer7 in early June, stating it enables an attacker to bypass sandbox restrictions and achieve code execution, giving them complete control over a susceptible server. This week, the Shadowserver Foundat

Russian security vendor Kaspersky has said it's exiting the U.S. market nearly a month after the Commerce Department announced a ban on the sale of its software in the country citing a national security risk. News of the closure was first reported by journalist Kim Zetter. The company is expected to wind down its U.S. operations on July 20, 2024, the same day the ban comes into effect. It's also expected to lay off less than 50 employees in the U.S. "The company has carefully examined and evaluated the impact of the U.S. legal requirements and made this sad and difficult decision as business opportunities in the country are no longer viable," the company said in a statement. In late June 2024, the Commerce Department said it was enforcing a ban after what it said was an "extremely thorough investigation." The company was also added to the Entity List, preventing U.S. enterprises from conducting business with it. It's currently not known what was

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week. The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role. But opening the file triggers the exploitation of CVE-2021-40444 , a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021. In this case, it paves the way for the download of an HTML file ("olerender.html") from a remote s

Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information .  According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP file associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details. "For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said , noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager. Specifically, it utilizes the same substitution mechanism employed in Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload.

Highlights Complex Tool Landscape : Explore the wide array of cybersecurity tools used by MSPs, highlighting the common challenge of managing multiple systems that may overlap in functionality but lack integration. Top Cybersecurity Challenges : Discuss the main challenges MSPs face, including integration issues, limited visibility across systems, and the high cost and complexity of maintaining diverse tools. Effective Solutions and Strategies : Introduce strategic approaches and solutions, such as consolidating tools into unified platforms to enhance efficiency, reduce costs, and improve overall cybersecurity management. As MSPs continue to be the backbone of IT security for numerous businesses, the array of tools at their disposal has grown exponentially. However, this abundance of options isn't without its drawbacks. The challenge isn't just in choosing the right tools but in efficiently integrating and managing them to ensure seamless security coverage and operational efficiency