Tag: hacked

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor
News

A Windows backdoor known as BadSpace is being distributed through legitimate but compromised websites under the guise of fake browser updates. According to a report from German cybersecurity company G DATA, the threat actor uses a multi-stage attack chain involving an infected website, a command-and-control (C2) server, a JScript downloader, and in some cases a fake browser update to install the backdoor on the victim's machine. Researchers Gi7w0rm and Kevross33 first publicly documented the malware last month. The first stage is to compromise a website, including sites running WordPress, and inject code that checks whether the visitor has already been to the site...
China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally
News

State-sponsored threat actors backed by China gained access to 20,000 Fortinet FortiGate systems worldwide between 2022 and 2023 by exploiting a known critical security vulnerability, indicating that the operation had a far broader impact than previously thought. The Dutch National Cyber Security Centre (NCSC) said in a new bulletin that the state actor behind the campaign knew about the FortiGate vulnerability at least two months before Fortinet disclosed it. During that "zero-day" window alone, the actor infected 14,000 devices. Targets included numerous Western governments, international organizations, and a large number of companies in the defense industry...
State hackers turn to massive ORB proxy networks to evade detection
News

Security researchers are warning that China-linked state-sponsored hackers increasingly rely on massive networks of proxy servers, built from compromised internet-connected devices and virtual private servers, for cyberespionage. These proxy meshes, known as operational relay box (ORB) networks, are administered by independent cybercriminals who sell access to multiple state-sponsored actors (APTs). Although they resemble botnets, ORBs can be assembled from a mix of compromised devices, such as end-of-life routers and other Internet of Things hardware, and commercially rented VPS services. The growing use of ORBs by adversaries complicates detection and attribution, since the threat actor no longer controls the attack infrastr...
Researchers Warn of Chinese-Aligned Hackers Targeting South China Sea Countries
News

Cybersecurity researchers have published details about Unfading Sea Haze, a previously unreported threat group believed to have been active since 2018. In a report shared with The Hacker News, Bitdefender said the intrusions targeted high-level organizations in South China Sea countries, including military and government entities. Martin Zugec, technical solutions director at Bitdefender, said the investigation revealed a troubling pattern beyond the historical context and that eight victims have been identified so far. Notably, the attackers repeatedly regained access to compromised systems. This highlights a serious weakness in the form of poor credential hygiene and inadequate patching practices for expos...
DocGo discloses cyberattack after hackers steal patient health data
News

DocGo, a mobile health company, has confirmed that it suffered a cyberattack in which malicious actors broke into its servers and stole patient health information. DocGo is a healthcare provider offering remote monitoring, ambulance services, and mobile health solutions to patients in thirty US states and the United Kingdom. In a Form 8-K filing submitted to the SEC on Tuesday night, DocGo disclosed that it had recently experienced a cyberattack and is working with outside cybersecurity experts to support the investigation. According to the filing, the company moved quickly to contain and respond to the incident after discovering unauthorized activity, including notifying the appropriate law enforcement authorities...
APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data
News

The Iranian state-sponsored hacking group APT42 is using advanced social engineering techniques to infiltrate target networks and cloud environments. According to a report released last week by Google Cloud subsidiary Mandiant, the campaign's targets include activists, academic institutions, media outlets, and non-governmental organizations in the Middle East and North America. Mandiant observed APT42 posing as journalists and event organizers to build rapport with victims through sustained correspondence and to deliver conference invitations or legitimate-looking documents. Through these social engineering tactics, APT42 harvested credentials and used them to gain initial access to cloud environments...
Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
News

Threat actors have been exploiting the recently disclosed zero-day vulnerability in Palo Alto Networks PAN-OS software since March 26, 2024, more than three weeks before it came to light. Palo Alto Networks' Unit 42 division is tracking the activity under the name Operation MidnightEclipse and attributes it to a single threat actor of unknown origin. The command injection vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall. At the time of the report, the issue was said to affect only firewalls running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 with a GlobalProtect gateway and device telemetry enabled; Palo Alto Networks later revised its advisory to state that device telemetry need not be enabled for the firewall to be exploitable...
Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks
News

In yet another example of threat actors repurposing legitimate services for malicious ends, attackers are using digital document publishing (DDP) sites hosted on platforms such as FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for phishing, credential harvesting, and session token theft. According to Cisco Talos researcher Craig Jackson, hosting phishing lures on DDP sites increases the chance of a successful attack because these sites typically have a good reputation, are unlikely to appear on web filter blocklists, and may give users a false sense of security if they recognize them as reputable or familiar. Although adversaries have previously hosted phishing documents on well-known cloud services such as Google Drive, OneDrive, Dropbox,...
Hackers impersonate U.S. government agencies in BEC attacks
News

A hacking group tracked as TA4903, which specializes in business email compromise (BEC) attacks, has been impersonating a number of US federal agencies to lure victims into opening malicious files containing links to fake bidding processes. According to Proofpoint, whose analysts have been tracking the campaign, the threat actors pose as the U.S. Department of Transportation, the U.S. Department of Agriculture (USDA), and the U.S. Small Business Administration (SBA). The email security company says the threat actor has been active since at least 2019 but stepped up its operations from mid-2023 into 2024. The most recently observed tactic is the use of QR codes embedded in PDF attachments...
Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor
News

In December 2023, the Russia-linked threat actor Turla used a new backdoor known as TinyTurla-NG as part of a three-month campaign targeting Polish non-governmental organizations. In a technical report released today, Cisco Talos stated that "TinyTurla-NG, like TinyTurla, is a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems." TinyTurla-NG gets its name because it shares characteristics with TinyTurla, another implant the adversary has used in intrusions targeting Afghanistan, Germany, and the United States since at least 2020. The cybersecurity firm first published details about TinyTurla...