The Hacker News | #1 Trusted Cybersecurity News Site

Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. "This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point  said  in a technical report. "This exploit has been used by multiple threat actors, from e-crime to espionage." It's worth noting that Adobe Acrobat Reader – which is more prevalent in sandboxes or antivirus solutions – is not susceptible to this specific exploit, thus contributing to the campaign's low detection rate. The issue stems from the fact that the application shows "OK" as the default selected option in a pop-up when users are asked to trust the document prior to enabling certain features to avoid potential security risks. Once a user clicks OK, they are displayed a second pop-up warning that the file is about to execute

All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make up between  70% and 90% of any given piece of modern software . Unfortunately for our security-minded developers, most modern vulnerabilities come from those software components.  As new vulnerabilities emerge and are publicly reported as  Common Vulnerabilities and Exposures  (CVEs), security teams have little choice but to ask the developer to refactor the code to include different versions of the dependencies. Nobody is happy in this situation, as it blocks new features and can be maddening to roll back component versions and hope that nothing breaks. Developers need a way to  quickly  determine if

A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks," Recorded Future's Insikt Group  said  in a report. The cybersecurity firm, which is tracking the activity under the moniker GitCaught, said the campaign not only highlights the misuse of authentic internet services to orchestrate cyber attacks, but also the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate. Attack chains entail the use of fake profiles and repositories on GitHub,

Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers  Latrodectus , a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI's ability to invoke msiexec.exe and install a remotely-hosted MSI file, remotely hosted on a WEBDAV share," Elastic Security Labs researchers Daniel Stepanic and Samir Bousseaden  said . Latrodectus comes with standard capabilities that are typically expected of malware designed to deploy additional payloads such as QakBot, DarkGate, and  PikaBot , allowing threat actors to conduct various post-exploitation activities. An analysis of the latest Latrodectus artifacts has revealed an extensive focus on enumeration and execution as well as the incorporation of a self-delete technique to delete running files. The malware, besides masquerading as lib

The U.S. Department of Justice (DoJ) has charged two arrested Chinese nationals for allegedly orchestrating a pig butchering scam that laundered at least $73 million from victims through shell companies. The individuals, Daren Li, 41, and Yicheng Zhang, 38, were arrested in Atlanta and Los Angeles on April 12 and May 16, respectively. The foreign nationals have been "charged for leading a scheme to launder funds to the tune of at least $73 million tied to an international crypto investment scam," Deputy Attorney General Lisa Monaco  said . Prosecutors have accused Li, Zhang, and their co-conspirators of managing an international syndicate that laundered the funds obtained via cryptocurrency investment scams. As part of the fraudulent operation, victims are said to have been tricked into transferring millions of dollars to U.S. bank accounts that were opened in the name of various shell companies. "A network of money launderers then facilitated the transfer of those

The threat actors behind the Windows-based  Grandoreiro  banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said. While  Grandoreiro  is known primarily for its focus in Latin America, Spain, and Portugal, the expansion is likely a shift in strategy after attempts to  shut down its infrastructure  by Brazilian authorities. Going hand-in-hand with the broader targeting footprint are significant improvements to the malware itself, which indicates active development. "Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected

The cryptojacking group known as  Kinsing  has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet. The  findings  come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019. Kinsing (aka  H2Miner ), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was  first documented  by TrustedSec in January 2020. In recent years, campaigns involving the Golang-based malware have weaponized  various flaws  in  Apache ActiveMQ ,  Apache Log4j ,  Apache NiFi ,  Atlassian Confluence ,  Citrix ,  Liferay Portal ,  Linux ,  Openfire ,  Oracle WebLogic Server , and  SaltStack  to breach vulnerable systems. Other methods have also involved exploiting mi

Cybersecurity and compliance guidance are in high demand among SMEs. However, many of them cannot afford to hire a full-time CISO. A  v CISO can answer this need by offering on-demand access to top-tier cybersecurity expertise. This is also an opportunity for MSPs and MSSPs to grow their business and bottom line. MSPs and MSSPs that expand their offerings and provide vCISO services will cater to SME requirements and concerns. By answering this market gap, they can grow their customer base as well as upsell to existing clients. This will lead to recurring revenue and increased profitability. Developing and scaling vCISO services requires a well-thought-out plan. This will help guide you through the required processes, anticipate and overcome challenges and optimize resource use. To aid you, we introduce a comprehensive and actionable  guide: "How to Scale Your vCISO Services Profitably" . The guide was developed based on the experience of industry leader  Cynom i, who has helped hun

A new report from XM Cyber has found – among other insights - a  dramatic  gap between where most organizations focus their security efforts, and where the most serious threats actually reside. The new report, Navigating the Paths of Risk: The State of Exposure Management in 2024, is based on hundreds of thousands of attack path assessments conducted by the  XM Cyber platform  during 2023. These assessments uncovered over 40 million exposures that affected millions of business-critical assets. Anonymized data regarding these exposures was then provided to the Cyentia Institute for independent analysis. To read the full report,  check it out here . Download the report to discover: Key findings on the types of exposures putting organizations at greatest risk of breach. The state of attack paths between on-prem and cloud networks. Top attack techniques seen in 2023. How to focus on what matters most, and remediate high-impact exposure risks to your critical assets. The

Cybersecurity researchers have shed more light on a remote access trojan (RAT) known as Deuterbear used by the China-linked  BlackTech  hacking group as part of a cyber espionage campaign targeting the Asia-Pacific region this year. "Deuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as including support for shellcode plugins, avoiding handshakes for RAT operation, and using HTTPS for C&C communication," Trend Micro researchers Pierre Lee and Cyris Tseng  said  in a new analysis. "Comparing the two malware variants, Deuterbear uses a shellcode format, possesses anti-memory scanning, and shares a traffic key with its downloader unlike Waterbear." BlackTech , active since at least 2007, is also tracked by the broader cybersecurity community under the monikers Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard. Cyber attacks orchestrated by the group have long involved the deplo

The  Kimsuky  (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations. The backdoor, codenamed  Gomir , is "structurally almost identical to GoBear, with extensive sharing of code between malware variants," the Symantec Threat Hunter Team, part of Broadcom,  said  in a new report. "Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir." GoBear was  first documented  by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered a malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed. A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed via t