The Hacker News | #1 Trusted Cybersecurity News Site

U.S. and Israeli cybersecurity agencies have published a new advisory attributing an Iranian cyber group to targeting the 2024 Summer Olympics and compromising a French commercial dynamic display provider to show messages denouncing Israel's participation in the sporting event. The activity has been pinned on an entity that's known as Emennet Pasargad , which the agencies said has been operating under the cover name Aria Sepehr Ayandehsazan (ASA) since mid-2024. It's tracked by the broader cybersecurity community as Cotton Sandstorm, Haywire Kitten, and Marnanbridge. "The group exhibited new tradecraft in its efforts to conduct cyber-enabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider," according to the advisory . ASA, the U.S. Federal Bureau of Investigation (FBI),

Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code. The activity, codenamed EMERALDWHALE , is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon. "The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services," Sysdig said in a report. "Phishing and spam seem to be the primary goal of stealing the credentials." The multi-faceted criminal operation, while not sophisticated, has been found to leverage an arsenal of private tools to steal credentials as well as scrape Git config files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or grou

With so many SaaS applications, a range of configuration options, API capabilities, endless integrations, and app-to-app connections, the SaaS risk possibilities are endless. Critical organizational assets and data are at risk from malicious actors, data breaches, and insider threats, which pose many challenges for security teams. Misconfigurations are silent killers, leading to major vulnerabilities. So, how can CISOs reduce the noise? What misconfiguration should security teams focus on first? Here are five major SaaS configuration mistakes that can lead to security breaches. #1 Misconfiguration: HelpDesk Admins Have Excessive Privileges Risk: Help desk teams have access to sensitive account management functions making them prime targets for attackers. Attackers can exploit this by convincing help desk personnel to reset MFA for privileged users, gaining unauthorized access to critical systems. Impact: Compromised help desk accounts can lead to unauthorized changes to admin-

Did you know that advanced threat actors can infiltrate the identity systems of major organizations and extract sensitive data within days? It's a chilling reality, becoming more common and concerning by the day. These attackers exploit vulnerabilities in SaaS and cloud environments, using compromised identities to move laterally within networks, causing widespread damage. Cybersecurity and IT professionals now face an uphill battle against these sophisticated threats. Traditional security measures are proving insufficient, leaving organizations vulnerable to data breaches, financial losses, and reputational harm. This webinar provides crucial insights and actionable strategies to help safeguard your organization against these evolving threats. Join us to hear from a renowned expert with firsthand experience in cyber defense. Ian Ahl, SVP of P0 Labs and former Head of Advanced Practices at Mandiant, brings extensive experience from responding to hundreds of breaches. He will shar

Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks. The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers. "Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services," the Microsoft Threat Intelligence team said . "Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others." Quad7, aka 7777 or xlogin, has been the subject of extensive analyses by Sekoia and Team Cymru in recent months. The botnet malware has been observed targeting several brands of SOHO routers and VPN appliances

Microsoft is further delaying the release of its controversial Recall feature for Windows Copilot+ PCs, stating it's taking the time to improve the experience. The development was first reported by The Verge. The artificial intelligence-powered tool was initially slated for a preview release starting in October. "We are committed to delivering a secure and trusted experience with Recall," the company said in an updated statement released Thursday. "To ensure we deliver on these important updates, we're taking additional time to refine the experience before previewing it with Windows Insiders. Originally planned for October, Recall will now be available for preview with Windows Insiders on Copilot+ PCs by December" Microsoft unveiled Recall earlier this May, describing it as a way for users to explore a "visual timeline" of their screens over time and help find things from apps, websites, images, and documents. The search experience was meant

Identity security is front, and center given all the recent breaches that include Microsoft, Okta, Cloudflare and Snowflake to name a few. Organizations are starting to realize that a shake-up is needed in terms of the way we approach identity security both from a strategic but also a technology vantage point.  Identity security is more than just provisioning access  The conventional view of viewing identity security as primarily concerned with provisioning and de-provisioning access for applications and services, often in a piecemeal manner, is no longer sufficient. This view was reflected as a broad theme in the Permiso Security State of Identity Security Report (2024) , which finds that despite growing levels of confidence in the ability to identify security risk, nearly half of organizations (45%) remain "concerned" or "extremely concerned" about their current tools being able to detect and protect against identity security attacks.  The Permiso commissioned survey conducted o

Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024. Netcraft said more than 2,000 phishing websites have been identified the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services, and banking services. "Threat actors using the kit to deploy phishing websites often rely on Cloudflare's anti-bot and hosting obfuscation capabilities to prevent detection," Netcraft said in a report published Thursday. Some aspects of the phishing kit were documented by security researchers Will Thomas (@ BushidoToken) and Fox_threatintel (@banthisguy9349) in September 2024. Phishing kits like Xiū gǒu pose a risk because they could lower the barrier of entry for less skilled hackers, potentially leading to an increase in malicious campaigns that could lead to theft of

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. "While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," ThreatFabric said in an analysis published this week. LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device. Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG," but is actually a Mach-O binary responsible for retrieving next-stage payloads

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library. "On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a statement on X. "This does not impact our dotlottie player and/or SaaS service." LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It's also the developer behind an npm package named lottie-player , which allows for embedding and playing Lottie animations on websites. According to the company, "a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest