The Hacker News | #1 Trusted Cybersecurity News Site

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. "The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'" security researcher Vanja Svajcer  said . "The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories." A striking aspect of OfflRouter is its inability to spread via email, necessitating that it be propagated via other means, such as sharing documents and removable media, including USB memory sticks containing the infected documents. These design choices, intentional or otherwise, are said to have confined the spread of OfflRouter within Ukraine's borders and to a few organiza

The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team  said  in a new write-up. "They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries ( LOLBAS )." FIN7, also known as Carbon Spider, Elbrus, Gold Niagara, ITG14, Sangria Tempest, is a well-known  financially motivated e-crime group  that has a track record of striking a wide range of industry verticals to deliver malware capable of stealing information from point-of-sale (PoS) systems since 2012. In recent years, the threat actor has  transitioned  to  conducting ransomware operations , del

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

A new Android trojan called  SoumniBot  has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin  said  in a technical analysis. Every Android app comes with a  manifest XML file  ("AndroidManifest.xml") that's located in the root directory and declares the various components of the app, as well as the permissions and the hardware and software features it requires. Knowing that threat hunters typically commence their analysis by inspecting the app's manifest file to determine its behavior, the threat actors behind the malware have been found to leverage three different techniques to make the process a lot more challenging. The first method involves the use of an invalid Compression method value when unpackin

Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to deliver payloads. Static analysis in a sandbox makes it possible to expose any threat a malicious PDF contains by extracting its structure. The presence of JavaScript or Bash scripts can reveal a possible mechanism for downloading and executing malware.  Sandboxes like ANY.RUN also allows users to scrutinize URLs found in PDFs to identify suspicious domains, potential command and control (C2) servers, or other indicators of compromise. Example: Static analysis of a PDF file in ANY.RUN Interactivity allows our users to manipulate files within a VM as they wish, but static Discovery offers

As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called  LabHost  that has been used by criminal actors to steal personal credentials from victims around the world. Described as one of the largest Phishing-as-a-Service ( PhaaS ) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service providers located primarily in Canada, the U.S., and the U.K. As part of the operation, codenamed PhishOFF and Nebulae (referring to the Australian arm of the probe), two LabHost users from Melbourne and Adelaide were arrested on April 17, with three others arrested and charged with drug-related offenses. "Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details and passwords, through persistent phishing attacks sent via te

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. That's according to the Microsoft Threat Intelligence team, which  said  the flaws have been weaponized since the start of April 2024. OpenMetadata is an  open-source platform  that operates as a metadata management tool, offering a unified solution for data asset discovery, observability, and governance. The flaws in question – all discovered and credited to security researcher Alvaro Muñoz – are listed below - CVE-2024-28847  (CVSS score: 8.8) - A Spring Expression Language (SpEL) injection vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4) CVE-2024-28848  (CVSS score: 8.8) - A SpEL injection vulnerability in GET /api/v1/policies/validation/condition/<expr> (fixed in version 1.2.4) CVE-2024-28253  (CVSS score: 8.8) - A SpEL injection vulnerability in PUT /api/v

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed  MadMxShell . "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh  said . As many as 45 domains are said to have been registered between November 2023 and March 2024, with the sites masquerading as port scanning and IT management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine. While this is  not the first time  threat actors are  banking  on  malvertising techniques  to serve malware via lookalike sites, the development marks the first time the delivery vehicle is being used to propagate a sophisticated Windows backdoo

A previously undocumented "flexible" backdoor called  Kapeka  has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022. The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as  Sandworm  (aka APT44 or Seashell Blizzard). Microsoft is tracking the same malware under the name KnuckleTouch. "The malware [...] is a flexible backdoor with all the necessary functionalities to serve as an early-stage toolkit for its operators, and also to provide long-term access to the victim estate," security researcher Mohammad Kazem Hassan Nejad  said . Kapeka comes fitted with a dropper that's designed to launch and execute a backdoor component on the infected host, after which it removes itself. The dropper is also responsible for setting up persistence for the backdoor either as a schedul