Information security | Breaking Cybersecurity News | The Hacker News

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters . The incident took place on the night of October 7, VGTRK confirmed , describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally despite attempts to interrupt radio and TV broadcasts. That said, Russian media outlet Gazeta.ru reported that the hackers wiped "everything" from the company's servers, including backups, citing an anonymous source. A source told Reuters that "Ukrainian hackers 'congratulated' Putin on his birthday by carrying out a large-scale attack on the all-Russian state television and radio broadcasting company." The attack is believed to be the work of a pro-Ukrainian hacker group called Sudo rm-RF . The Russian government has since said an investi

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition." "This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies," Recorded Future's Insikt Group said in an analysis of version 0.7.0 of the malware. "The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation." First discovered in the wild in September 2022, Rhadamanthys has emerged as one of the most potent information stealers that are advertised under the malware-as-a-service (MaaS) model, alongside Lumma and others. The malware continues to have an active presence despite suffering bans from underground forum

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

Since its emergence, Generative AI has revolutionized enterprise productivity. GenAI tools enable faster and more effective software development, financial analysis, business planning, and customer engagement. However, this business agility comes with significant risks, particularly the potential for sensitive data leakage. As organizations attempt to balance productivity gains with security concerns, many have been forced to choose between unrestricted GenAI usage to banning it altogether. A new e-guide by LayerX titled 5 Actionable Measures to Prevent Data Leakage Through Generative AI Tools is designed to help organizations navigate the challenges of GenAI usage in the workplace. The guide offers practical steps for security managers to protect sensitive corporate data while still reaping the productivity benefits of GenAI tools like ChatGPT. This approach is intended to allow companies to strike the right balance between innovation and security. Why Worry About ChatGPT? The e

Imagine trying to find a needle in a haystack, but the haystack is on fire, and there are a million other needles you also need to find. That's what dealing with security alerts can feel like. SIEM was supposed to make this easier, but somewhere along the way, it became part of the problem. Too many alerts, too much noise, and not enough time to actually stop threats. It's time for a change. It's time to reclaim control. Join Zuri Cortez and Seth Geftic for an insightful webinar as they navigate the complexities of " Solving the SIEM Problem: A Hard Reset on Legacy Solutions ."  They'll share insider knowledge, battle-tested strategies, and a clear path to taming the SIEM beast in this informative session. Here's what we'll cover: SIEM 101: A quick refresher on what SIEM is, why it's important, and the challenges it faces today The Problem with Legacy SIEM: We'll pull back the curtain and reveal why traditional solutions are struggl

As many as 25 websites linked to the Kurdish minority have been compromised as part of a watering hole attack designed to harvest sensitive information for over a year and a half. French cybersecurity firm Sekoia, which disclosed details of the campaign dubbed SilentSelfie, described the intrusion set as long-running, with first signs of infection detected as far back as December 2022. The strategic web compromises are designed to deliver four different variants of an information-stealing framework, it added. "These ranged from the simplest, which merely stole the user's location, to more complex ones that recorded images from the selfie camera and led selected users to install a malicious APK, i.e an application used on Android," security researchers Felix Aimé and Maxime A said in a Wednesday report. Targeted websites include Kurdish press and media, Rojava administration and its armed forces, those related to revolutionary far-left political parties, and organizatio

Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs). The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations. As many as 15 breached email accounts have been identified as used as part of the campaign. It's currently not clear how these accounts are infiltrated in the first place or who is behind the attacks. "Activity which occurred from May to July 2024 predominately delivered Lumma Stealer, StealC, or NetSupport," the enterprise security firm said in an analysis published Tuesday. "In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2." The attack chains invol

A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation. The black hat SEO cluster has been codenamed DragonRank by Cisco Talos, with victimology footprint scattered across Thailand, India, Korea, Belgium, the Netherlands, and China. "DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities," security researcher Joey Chen said . The attacks have led to compromises of 35 Internet Information Services ( IIS ) servers with the end goal of deploying the BadIIS malware, which was first documented by ESET in August 2021. It's specifically designed to facilitate proxy ware and SEO fraud by turning the compromised IIS server into a relay point for mal

A new side-channel attack dubbed PIXHELL could be abused to target air-gapped computers by breaching the "audio gap" and exfiltrating sensitive information by taking advantage of the noise generated by pixels on an LCD screen. "Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz," Dr. Mordechai Guri , the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel, said in a newly published paper. "The malicious code exploits the sound generated by coils and capacitors to control the frequencies emanating from the screen. Acoustic signals can encode and transmit sensitive information." The attack is notable in that it doesn't require any specialized audio hardware, loudspeaker, or internal speaker on the compromised computer, instead relying on the LCD screen to gene

The proliferation of cybersecurity tools has created an illusion of security. Organizations often believe that by deploying a firewall, antivirus software, intrusion detection systems, identity threat detection and response , and other tools, they are adequately protected. However, this approach not only fails to address the fundamental issue of the attack surface but also introduces dangerous third-party risk to the mix. The world of cybersecurity is in a constant state of flux, with cybercriminals becoming increasingly sophisticated in their tactics. In response, organizations are investing heavily in cybersecurity tools, hoping to build an impenetrable fortress around their digital assets. However, the belief that adding "just one more cybersecurity tool" will magically fix your attack surface and enhance your protection is a dangerous misconception. The limitations of cybersecurity tools Cybersecurity tools, while essential, have inherent limitations. They are designe

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. "Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools. "For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively." Head Mare, active since 2023, is one of the hacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict that began a year before. It also maintains a presence on X , where it has leaked sensitive information and internal documentation from victims. Targets of the group's attacks include governments, transportation, energy, manufacturing,

Chinese-speaking users are the target of a "highly organized and sophisticated attack" campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads. "The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks," Securonix researchers Den Iuzvyk and Tim Peck said in a new report. The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, commences with malicious ZIP files that, when unpacked, activates the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems. Present with the ZIP archive is a Windows shortcut (LNK) file that disguises itself as a Microsoft Word file, "违规远程控制软件人员名单.docx.lnk," which roughly translates to "List of people who violated the remote control software regulations." "Given the language used in the lure files, it's likely th

Details have emerged about a now-patched vulnerability in Microsoft 365 Copilot that could enable the theft of sensitive user information using a technique called ASCII smuggling. " ASCII Smuggling is a novel technique that uses special Unicode characters that mirror ASCII but are actually not visible in the user interface," security researcher Johann Rehberger said . "This means that an attacker can have the [large language model] render, to the user, invisible data, and embed them within clickable hyperlinks. This technique basically stages the data for exfiltration!" The entire attack strings together a number of attack methods to fashion them into a reliable exploit chain. This includes the following steps - Trigger prompt injection via malicious content concealed in a document shared on the chat to seize control of the chatbot Using a prompt injection payload to instruct Copilot to search for more emails and documents, a technique called automatic too

Nowadays, sensitive and critical data is traveling in everyday business channels that offer only the basic level of security and encryption, and companies are often oblivious to the risk. A case in point: Disney suffered a devastating data leak by a hacktivist group known as NullBulge that got hold of over 1.2 terabytes of data from Disney's internal Slack messaging channels. The breach exposed sensitive information, including: details about unreleased projects, computer code, login details and passwords, and Intellectual Property (IP) and corporate secrets. Slack breaches have also impacted companies like Uber, Rockstar, and Electronic Arts (EA). Cisco Webex used by the German Bundeswehr leaked data from hundreds of meetings, some classified. Outlook was breached by Chinese hackers last year. We have nothing against any of the tools above. They are all great collaboration tools. However, just like companies don't allow developers to use just any old tool to push code to p

Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive information. Tracked as CVE-2024-38206 (CVSS score: 8.5), the vulnerability has been described as an information disclosure bug stemming from a server-side request forgery ( SSRF ) attack. "An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network," Microsoft said in an advisory released on August 6, 2024. The tech giant further said the vulnerability has been addressed and that it requires no customer action. Tenable security researcher Evan Grant, who is credited with discovering and reporting the shortcoming, said it takes advantage of Copilot's ability to make external web requests. "Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft's internal infrastructure for Cop

In what's a case of an operational security (OPSEC) lapse, the operator behind a new information stealer called Styx Stealer leaked data from their own computer, including details related to the clients, profit information, nicknames, phone numbers, and email addresses. Styx Stealer, a derivative of the Phemedrone Stealer , is capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency wallet information, cybersecurity company Check Point said in an analysis. It first emerged in April 2024. "Styx Stealer is most likely based on the source code of an old version of Phemedrone Stealer, which lacks some features found in newer versions such as sending reports to Telegram, report encryption, and more," the company noted . "However, the creator of Styx Stealer added some new features: auto-start, clipboard monitor and crypto-clipper, additional sandbox evasion, and anti-analysis techniques, and re-implemented sending dat

Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC . The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts. "All the active sub-campaigns host the initial downloader on Dropbox," Kaspersky researchers Elsayed Elrefaei and AbdulRhman Alfaifi said . "This downloader is responsible for delivering additional malware samples to the victim's machine, which are mostly info-stealers (DanaBot and StealC) and clippers." Of the 19 sub-campaigns identified to date, three are said to be currently active. The name "Tusk" is a reference to the word "Mammoth" used by the threat actors in log messages associated with t