The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future's Insikt Group has linked the infrastructure to a hacking group it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. "The group's infrastructure is meticulously crafted, utilizing dynamic DNS (DDNS) providers like Dynu, DNSEXIT, and Vitalwerks to register domains used in phishing attacks," the cybersecurity company said . "These domains often employ deceptive themes related to cloud services, file sharing, and document visualization to lure targets into revealing sensitive information or downloading malicious files." Examples include terms like "cloud," "uptimezone," "doceditor," "joincloud,"

The most dangerous vulnerability you've never heard of. In the world of cybersecurity, vulnerabilities are discovered so often, and at such a high rate, that it can be very difficult to keep up with. Some vulnerabilities will start ringing alarm bells within your security tooling, while others are far more nuanced, but still pose an equally dangerous threat. Today, we want to discuss one of these more nuanced vulnerabilities as it is likely lurking in your environment waiting to be exploited: Active Directory Certificate Services vulnerabilities.  vPenTest by Vonahi Security recently implemented an attack vector specifically designed to identify and mitigate these hidden AD CS threats. But first, let's explore why AD CS vulnerabilities are so dangerous and how they work. What is Active Directory Certificate Services? Active Directory Certificate Services ("AD CS"), as defined by Microsoft is, "a Windows Server role for issuing and managing public key infrastructure (PKI) certific

Want to know what's the latest and greatest in SecOps for 2024? Gartner's recently released Hype Cycle for Security Operations report takes important steps to organize and mature the domain of Continuous Threat Exposure Management, aka CTEM. Three categories within this domain are included in this year's report: Threat Exposure Management, Exposure Assessment Platforms (EAP), and Adversarial Exposure Validation (AEV). These category definitions are aimed at providing some structure to the evolving landscape of exposure management technologies. Pentera, listed as a sample vendor in the newly defined AEV category, is playing a pivotal role in increasing the adoption of CTEM, with a focus on security validation. Following is our take on the CTEM related product categories and what they mean for enterprise security leaders. The Industry is Maturing CTEM, coined by Gartner in 2022, presents a structural approach for continuously assessing, prioritizing, validating, and remediating expo

Cybersecurity researchers have disclosed a new campaign that potentially targets users in the Middle East through malware that disguises itself as Palo Alto Networks GlobalProtect virtual private network (VPN) tool. "The malware can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions, representing a significant threat to targeted organizations," Trend Micro researcher Mohamed Fahmy said in a technical report. The sophisticated malware sample has been observed employing a two-stage process and involves setting up connections to command-and-control (C2) infrastructure that purports to be a company VPN portal, allowing the threat actors to operate freely without tripping any alarms. The initial intrusion vector for the campaign is currently unknown, although it's suspected to involve the use of phishing techniques to deceive users into thinking that they are installing the GlobalProtect agent. The

Threat actors with ties to North Korea have been observed publishing a set of malicious packages to the npm registry, indicating "coordinated and relentless" efforts to target developers with malware and steal cryptocurrency assets. The latest wave, which was observed between August 12 and 27, 2024, involved packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. "Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as 'Contagious Interview,'" software supply chain security firm Phylum said . Contagious Interview refers to an ongoing campaign that seeks to compromise software developers with information stealing malware as part of a purported job interview process that involves tricking them into downloading bogus npm packages or fake installers for video conferencing software such as MiroTalk hosted on decoy websites. The end goal of the attacks is to

A comprehensive guide authored by Dean Parsons, SANS Certified Instructor and CEO / Principal Consultant of ICS Defense Force, emphasizes the growing need for specialized ICS security measures in the face of rising cyber threats. With a staggering 50% increase in ransomware attacks targeting industrial control systems (ICS) in 2023, the SANS Institute is taking decisive action by announcing the release of its essential new strategy guide, " ICS Is the Business: Why Securing ICS/OT Environments Is Business-Critical in 2024 ." Authored by Dean Parsons, CEO of ICS Defense Force and a SANS Certified Instructor, this guide offers a comprehensive analysis of the rapidly evolving threat landscape and provides critical steps that organizations must take to safeguard their operations and ensure public safety. As cyber threats grow in both frequency and sophistication, this guide is an indispensable resource for securing the vital systems that underpin our world. Key Insights from t

Chinese-speaking users are the target of a "highly organized and sophisticated attack" campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads. "The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks," Securonix researchers Den Iuzvyk and Tim Peck said in a new report. The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, commences with malicious ZIP files that, when unpacked, activates the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems. Present with the ZIP archive is a Windows shortcut (LNK) file that disguises itself as a Microsoft Word file, "违规远程控制软件人员名单.docx.lnk," which roughly translates to "List of people who violated the remote control software regulations." "Given the language used in the lure files, it's likely th

Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. "The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs," Trend Micro researcher Abdelrahman Esmail said . The security vulnerability exploited is CVE-2023-22527 , a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024. Trend Micro said it observed a high number of exploitation attempts against the flaw between mid-June and end of July 2024 that leveraged it to drop the XMRig miner on unpatched hosts. At l

A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts. Cybersecurity company Huntress attributed the activity to a threat cluster tracked as APT32, a Vietnamese-aligned hacking crew that's also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is believed to have been ongoing for at least four years. "This intrusion has a number of overlaps with known techniques used by the threat actor APT32/OceanLotus, and a known target demographic which aligns with APT32/OceanLotus targets," security researchers Jai Minton and Craig Sweeney said . OceanLotus , active since at least 2012, has a history of targeting company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos, and Cambodia with the end goal of cyber espionage and intellectual property theft. Attack chains typically make use of

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware. "These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement Lecigne said in a report shared with The Hacker News. The activity, observed between November 2023 and July 2024, is notable for delivering the exploits by means of a watering hole attack on Mongolian government websites, cabinet.gov[.]mn and mfa.gov[.]mn. A watering hole attack, also called a strategic website compromise attack, is a form of cyber attack that targets groups of users or those within a particular industry by compromising websites that they commonly visit in order to serve them with malware and gain access to their systems. The intrusion set has been attributed wi