RSS Dashboard

The Hackers News

X-Force Threat Intelligence Report

The National Cyber Security Centre

Zero Day Initiative: Published

NHS High CareCerts

ThreatPost

Mandiant

20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison
20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison

Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud. If proven guilty, Fitzpatrick, who… [...]

Where SSO Falls Short in Protecting SaaS
Where SSO Falls Short in Protecting SaaS

Single sign-on (SSO) is an authentication method that allows users to authenticate their identity for multiple applications with just one set of credentials. From a security standpoint, SSO is the… [...]

New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords
New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it's the latest example of a threat that uses… [...]

Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools
Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11. The issue, dubbed aCropalypse, could enable malicious actors to recover… [...]

U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals
U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals

In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to… [...]

Professional Services Industry Profile

The professional services industry—made up of companies that provide specialized consulting services such as legal, accounting, and architecture firms, as well as non-governmental organizations, or NGOs,—have come under increased attack… [...]

Manufacturing Industry Profile

Cybercriminals and nation-state actors alike find the manufacturing industry an attractive target for attacks due to the rich intellectual property data it houses. From chemicals to electronics to automobiles and… [...]

IcedID's HDESK Backdoor Module

IcedID is one of the most popular trojans in use today and is a favored tool of many threat groups with a long record of successful compromises. Originally classified as… [...]

Financial Services Industry Profile

The financial services industry has long been an attractive target for cybercriminals seeking financial gain, and as sophisticated nation-state groups progressively target this sector, risks to financial assets are growing.… [...]

Threat Actors use LummaC2 Stealer to Target Crypto Wallets

In the process of a routine threat-hunting exercise, Cyble researchers discovered a post on a forum that contained information on stealer malware. The post stated that the stealer known as… [...]

Threat Report 24th March 2023

The NCSC's threat report is drawn from recent open source reporting. [...]

Threat Report 10th March 2023

The NCSC's threat report is drawn from recent open source reporting. [...]

Threat Report 24th February 2023

The NCSC's threat report is drawn from recent open source reporting. [...]

Threat Report 10th February 2023

The NCSC's threat report is drawn from recent open source reporting. [...]

Threat Report 27th January 2023

The NCSC's threat report is drawn from recent open source reporting. [...]

ZDI-23-341: Schneider Electric IGSS openReport Improper Input Validation Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit… [...]

ZDI-23-340: Schneider Electric IGSSdataServer Exposed Dangerous Function Data Deletion Vulnerability

This vulnerability allows remote attackers to delete application-level data on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. [...]

ZDI-23-339: Schneider Electric IGSS IGSSdataServer Exposed Dangerous Function Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. [...]

ZDI-23-338: Schneider Electric IGSS getRMSreportFile Directory Traversal Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit… [...]

ZDI-23-337: Schneider Electric IGSS IGSSdataServer Exposed Dangerous Function Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. [...]

CC-4289 - Cisco Releases Security Updates for Multiple Products

Severity: Information only Cisco has released security updates to address nine High and nine Medium severity vulnerabilities for Cisco IOS XE, Cisco IOS, Cisco DNA Center, and other products Cisco has… [...]

CC-4280 - Veeam Releases Security Update

Severity: Information only The security update addresses the vulnerability CVE-2023-27532, which affects the Veeam Backup & Replication Component The security update addresses the vulnerability CVE-2023-27532, which affects the Veeam Backup & Replication Component Updated:… [...]

CC-4288 - Drupal Releases Security Updates

Severity: Information only Five security advisories address multiple vulnerabilities affecting the Drupal platform Five security advisories address multiple vulnerabilities affecting the Drupal platform Updated: 21 Mar 2023 [...]

CC-4286 - B. Braun Medical Space Battery Pack SP with Wi-Fi Vulnerability

Severity: Low B. Braun Medical Space Battery Pack SP with Wi-Fi contains a vulnerability that could cause privilege escalation B. Braun Medical Space Battery Pack SP with Wi-Fi contains a vulnerability that could cause… [...]

CC-4285 - Adobe Releases Security Updates

Severity: Information only Adobe security updates address vulnerabilities in ColdFusion, Photoshop, and other Adobe products Adobe security updates address vulnerabilities in ColdFusion, Photoshop, and other Adobe products Updated: 15 Mar… [...]

CC-4284 - SAP Releases March 2023 Security Updates

Severity: Medium Scheduled security updates address vulnerabilities affecting multiple products Scheduled security updates address vulnerabilities affecting multiple products Updated: 15 Mar 2023 [...]

CC-4283 - Microsoft Releases March 2023 Security Updates

Severity: Medium Scheduled updates for Microsoft products, including security updates for two zero-day vulnerabilities Scheduled updates for Microsoft products, including security updates for two zero-day vulnerabilities Updated: 15 Mar 2023 [...]

CC-4282 - Critical Privilege Escalation Vulnerability in Microsoft Outlook for Windows

Severity: High Microsoft has released a critical security update to address zero-day vulnerability known as CVE-2023-23397 Microsoft has released a critical security update to address zero-day vulnerability known as CVE-2023-23397… [...]

CC-4281 - Fortinet Release Multiple Security Updates

Severity: Medium Updates address 1 Low, 8 Medium, and 5 High severity vulnerabilities including an actively exploit vulnerability in FortiOS Updates address 1 Low, 8 Medium, and 5 High severity vulnerabilities including… [...]

CC-4201 - VMware Releases Critical Security Update for Cloud Foundation

Severity: Medium Critical update addresses an RCE vulnerability and a second vulnerability that could lead to a DoS condition Critical update addresses an RCE vulnerability and a second vulnerability that… [...]

Student Loan Breach Exposes 2.5M Records
Student Loan Breach Exposes 2.5M Records
2.5 million people were affected, in a breach that could spell more trouble down the line.
Watering Hole Attacks Push ScanBox Keylogger
Watering Hole Attacks Push ScanBox Keylogger
Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.
Ransomware Attacks are on the Rise
Ransomware Attacks are on the Rise
Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.
Cybercriminals Are Selling Access to Chinese Surveillance Cameras
Cybercriminals Are Selling Access to Chinese Surveillance Cameras
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor

Web application vulnerabilities are like doorways: you never know who or what will walk through. Between December 2021 and July 2022, the Mandiant Managed Defense and Incident Response teams responded to three UNC961 intrusions at different organizations that each started in similar fashion. Two of these victims were under the protection of Managed Defense who identified and responded to the threat before significant impact occurred. In the third intrusion, the Mandiant Incident Response team was contacted after UNC961 had compromised the victim and transferred access to UNC3966.

This blog

We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems

In January 2023, the Anonymous affiliated hacktivist group, GhostSec, claimed on social media to have deployed ransomware to encrypt a Belarusian remote terminal unit (RTU)—a type of operational technology (OT) device for remote monitoring of industrial automation devices. The actors’ stated intention was to demonstrate support for Ukraine in the ongoing Russian invasion. Researchers, OT security professionals and media outlets analyzed the claims and concluded that the actor overstated the implications of the alleged attack. 

Although there was no significant impact in this particular

Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
Executive Summary Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020. Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years.  We identified four zero-day vulnerabilities exploited by financially motivated threat actors. 75% of these instances appear to be linked to ransomware operations. Products from Microsoft
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation

Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments.

We

Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW

In part one on North Korea's UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.

During our investigation, Mandiant consultants identified most of the original compromised hosts, targeted by UNC2970, contained the files %temp%\_SB_SMBUS_SDK.dll and suspicious drivers, created around the same time on disk.

At the time Mandiant initially identified these files