The Hacker News | #1 Trusted Cybersecurity News Site

Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors. The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app did not have any security shortcomings is that of Huawei's. The vulnerabilities could be exploited to "completely reveal the contents of users' keystrokes in transit," researchers Jeffrey Knockel, Mona Wang, and Zoë Reichert  said . The disclosure builds upon prior research from the interdisciplinary laboratory based at the University of Toronto, which identified  cryptographic flaws  in Tencent's Sogou Input Method last August. Collectively, it's estimated that close to one billion users are affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting fo

Compliance requirements are meant to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of  compliance frameworks  and the specificity of the security controls, policies, and activities they include. For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and communication skills on top of security expertise. We tapped into the CISO brain trust to get their take on the best ways to approach data security and privacy compliance requirements. In this blog, they share strategies to reduce the pain of dealing with the compliance process, including risk management and stakeholder alignment. Read on for recommendations for turning compliance from a "necessary evil" into a strategic tool that helps you evaluate cyber risk, gain budget and buy-in, and increase customer and shareholder confidence. Which CISOs care most about compliance? How CISOs view cybersecurity complia

A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed  Kimsuky , which is also known as Black Banshee, Emerald Sleet, and TA427. "GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast  said . The intricate and elaborate infection chain, at its core, leverages a security shortcoming in the update mechanism of Indian antivirus vendor eScan to

A new ongoing malware campaign has been observed distributing three different stealers, such as  CryptBot ,  LummaC2 , and  Rhadamanthys  hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as  CoralRaider , a suspected Vietnamese-origin group that came to light earlier this month. This assessment is based on "several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider's Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine," the company said. Targets of the campaign span various business verticals across geographies, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria, and Turkey.

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness . Dependency confusion attacks  take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository. This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private repository. If successful, it can have serious consequences, such as installing all downstream customers that install the package. A May 2023 analysis of npm and PyPI packages stored in cloud environments by enterprise security company Orca  revealed  that nearly 49% of organizations are vulnerable to a dependency confusion attack. While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Securit

In the high-stakes world of cybersecurity, the battleground has shifted. Supply chain attacks have emerged as a potent threat, exploiting the intricate web of interconnected systems and third-party dependencies to breach even the most formidable defenses. But what if you could turn the tables and proactively hunt these threats before they wreak havoc? We invite you to join us for an exclusive webinar that will equip you with the knowledge and strategies to stay ahead of the curve: " Supply Chain Under Siege: Unveiling Hidden Threats ." This comprehensive session, led by industry experts Rhys Arkins (VP of Product) and Jeffrey Martin (VP of Product Marketing), promises an in-depth exploration of the supply chain threat landscape. Brace yourself for a revelatory journey through: The Anatomy of Supply Chain Threats:  Gain a deep understanding of these insidious attacks, their far-reaching consequences, and the vulnerabilities they exploit. Proactive Threat Hunting Methodol

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE). They called on the industry and governments to take urgent action to ensure public safety across social media platforms. "Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms," Europol  said . "It will also stop law enforcement's ability to obtain and use this evidence in investigations to prevent and prosecute the most serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime, and terrorism offenses." The idea that E2EE protections could stymie law enforcement is often referred to as the  "going dark" problem , triggering concerns it could create  new obstacles  to gather evidence of nefarious activity. The development comes ag

Cybersecurity breaches can be devastating for both individuals and businesses alike. While many people tend to focus on understanding how and why they were targeted by such breaches, there's a larger, more pressing question: What is the true financial impact of a cyberattack? According to research by Cybersecurity Ventures, the global cost of cybercrime is projected to reach an astonishing 10.5 trillion USD annually by 2025, which marks a dramatic increase from the 3 trillion USD reported in 2015. This sharp rise highlights a concerning trend: cybercriminals have significantly improved their methods for conducting sophisticated and successful cyberattacks over the years. According to research firm Cybersecurity Ventures, the cost of global cybercrime will reach a staggering 10.5 trillion USD annually by 2025, up from the 3 trillion USD that it was in 2015. It's clear, then, that these threat actors have found ways to pull off sophisticated and successful cyberattacks over the yea

German authorities said they have issued arrest warrants against three citizens on suspicion of spying for China. The full names of the defendants were not disclosed by the Office of the Federal Prosecutor (aka Generalbundesanwalt), but it includes Herwig F., Ina F., and Thomas R. "The suspects are strongly suspected of working for a Chinese secret service since an unspecified date before June 2022," the Generalbundesanwalt  said . Thomas R. is believed to have acted as an agent for China's Ministry of State Security (MSS), gathering information about innovative technologies in Germany that could be used for military purposes. The defendant also sought the help of a married couple, Herwig F. and Ina F., who run a Düsseldorf-based business that established connections with the scientific and research community in Germany. This materialized in the form of an agreement with an unnamed German university to conduct a study for an unnamed Chinese contractor regarding the