The Hacker News | #1 Trusted Cybersecurity News Site

How safe is your comments section? Discover how a seemingly innocent 'thank you' comment on a product page concealed a malicious vulnerability, underscoring the necessity of robust security measures. Read the full real-life case study  here .  When is a 'Thank you' not a 'Thank you'? When it's a sneaky bit of code that's been hidden inside a 'Thank You' image that somebody posted in the comments section of a product page! The guilty secret hidden inside this particular piece of code was designed to let hackers bypass security controls and steal the personal identifying information of online shoppers, which could have meant big trouble for them and the company. The page in question belongs to a global retailer. User communities are often a great source of unbiased advice from fellow enthusiasts, which was why a Nikon camera owner was posting there. They were looking for the ideal 50mm lens and asked for a recommendation. They offered thanks in advance to whoever might take th

Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts. Also called, 2-Step Verification ( 2SV ), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen. The new change entails adding a second step method, such as an authenticator app or a hardware security key, before turning on 2FA, thus eliminating the need for using the less secure SMS-based authentication. "This is particularly helpful for organizations using Google Authenticator (or other equivalent time-based one-time password (TOTP) apps)," the company  said . "Previously, users had to enable 2SV with a phone number before being able to add Authenticator." Users with hardware security keys have two options to add them to their accounts, including by registering a FIDO1 credential on the hardware key or by assigning a passkey (i.e., a

A Russian operator of a now-dismantled BTC-e cryptocurrency exchange has  pleaded guilty  to money laundering charges from 2011 to 2017. Alexander Vinnik, 44, was charged in January 2017 and taken into custody in Greece in July 2017. He was subsequently  extradited  to the U.S. in August 2022. Vinnik and his co-conspirators have been accused of owning and managing BTC-e, which allowed its criminal customers to trade in Bitcoin with high levels of anonymity. BTC-e is said to have facilitated transactions for cybercriminals worldwide, receiving illicit proceeds from numerous computer intrusions and hacking incidents, ransomware scams, identity theft schemes, corrupt public officials, and narcotics distribution rings. The crypto exchange received more than $4 billion worth of bitcoin over the course of its operation, according to the U.S. Department of Justice (DoJ). It also processed over $9 billion-worth of transactions and served over one million users worldwide, several of them i

More than 50% of the 90,310 hosts have been found exposing a  Tinyproxy service  on the internet that's vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as  CVE-2023-49606 , carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version. "A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution," Talos  said  in an advisory last week. "An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability." In other words, an unauthenticated threat actor could send a specially crafted  HTTP Connection header  to trigger memory corruption that can result in remote code execution. According to  data  shared by attack surface management company Censys, of the 90,310 hosts exposing a Ti

The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to  new findings  from attack surface management firm Censys. Dubbed  ArcaneDoor , the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim detected in early January 2024. The targeted attacks, orchestrated by a previously undocumented suspected sophisticated state-sponsored actor tracked as  UAT4356  (aka Storm-1849), entailed the deployment of two custom malware dubbed Line Runner and Line Dancer. The initial access pathway used to facilitate the intrusions has yet to be discovered, although the adversary has been observed leveraging two now-patched flaws in Cisco Adaptive Security Appliances ( CVE-2024-20353  and  CVE-2024-20359 ) to persist Line Runner. Telemetry data gathered as part of the investigation has revealed the threat actor'

Cybercriminals are vipers. They're like snakes in the grass, hiding behind their keyboards, waiting to strike. And if you're a small- and medium-sized business (SMB), your organization is the ideal lair for these serpents to slither into.  With cybercriminals becoming more sophisticated, SMBs like you must do more to protect themselves. But at what price? That's the daunting question many SMBs are forced to ask. Amidst your everyday challenges, the answer seems obvious: forgo investing in a robust cybersecurity solution for the time being. However, the alternative is to cross your fingers and hope hackers don't find you. That, of course, isn't the most prudent strategy, as the uncomfortable truth is threat actors now see your organization as a quick path to profit. Therefore, if your defenses are weak—or just not there—these digital crooks are likely to disrupt your operations, access sensitive data, and extort a heavy ransom. In this article, we'll explore the financial burdens

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Multiple security vulnerabilities have been disclosed in various applications and system components within Xiaomi devices running Android. "The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, [and] disclosure of phone, settings and Xiaomi account data," mobile security firm Oversecured  said  in a report shared with The Hacker News. The 20 shortcomings impact different apps and components like - Gallery (com.miui.gallery) GetApps (com.xiaomi.mipicks) Mi Video (com.miui.videoplayer) MIUI Bluetooth (com.xiaomi.bluetooth) Phone Services (com.android.phone) Print Spooler (com.android.printspooler) Security (com.miui.securitycenter) Security Core Component (com.miui.securitycore) Settings (com.android.settings) ShareMe (com.xiaomi.midrop) System Tracing (com.android.traceur), and Xiaomi Cloud (com.miui.cloudservice) Some of the notable flaws include a

Cybersecurity researchers have discovered a new information stealer targeting Apple macOS systems that's designed to set up persistence on the infected hosts and act as a spyware. Dubbed  Cuckoo  by Kandji, the malware is a universal Mach-O binary that's capable of running on both Intel- and Arm-based Macs. The exact distribution vector is currently unclear, although there are indications that the binary is hosted on sites like dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com that claim to offer free and paid versions of applications dedicated to ripping music from streaming services and converting it into the MP3 format. The disk image file downloaded from the websites is responsible for spawning a bash shell to gather host information and ensuring that the compromised machine is not located in Armenia, Belarus, Kazakhstan, Russia, Ukraine. The malicious binary is executed only if the locale check is successful. It also establishes persist

Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as  APT28 , drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S. The Czech Republic's Ministry of Foreign Affairs (MFA), in a statement, said some unnamed entities in the country have been attacked using a security flaw in Microsoft Outlook that came to light early last year. "Cyber attacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security, but also disrupt the democratic processes on which our free society is based," the MFA  said . The security flaw in question is  CVE-2023-23397 , a now-patched critical privilege escalation bug in Outlook that could allow an adversary to access Net-NTLMv2 hashes and then use them to authenticate themselves by means of a relay attack. G