Security News

ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks
2022-06-29 00:40

A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office routers as part of a sophisticated campaign targeting North American and European networks. The malware "grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold," researchers from Lumen Black Lotus Labs said in a report shared with The Hacker News.

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks
2022-06-13 06:56

"The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week. "The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements."

Clipminer rakes in $1.7m in crypto hijacking scam
2022-06-03 12:30

A crew using malware that performs cryptomining and clipboard-hacking operations have made off with at least $1.7 million in stolen cryptocurrency. They also observed that there are several design similarities between Clipminer and KryptoCibule - another cryptomining trojan that, a few months before Clipminer hit the scene, was detected and written about by ESET analysts.

Clipminer malware gang stole $1.7M by hijacking crypto payments
2022-06-02 12:08

Threat analysts have discovered a large operation of a new cryptocurrency mining malware called Clipminer that brought its operators at least $1.7 million from transaction hijacking. According to researchers from Symantec, a Broadcom company, Clipminer is based on the KryptoCibule malware.

Week in review: Account pre-hijacking, Sigstore, ransomware still winning
2022-05-29 08:15

With the rapid adoption of container-based technologies, organizations are increasingly concerned about the security of their Kubernetes clusters. How confident are CISOs about their security posture? Proofpoint released its annual Voice of the CISO report, which explores key challenges facing chief information security officers.

Experts Warn of Rise in ChromeLoader Malware Hijacking Users' Browsers
2022-05-26 22:57

Dubbed ChromeLoader, the malware is a "pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites," Aedan Russell of Red Canary said in a new report. ChromeLoader is a rogue Chrome browser extension and is typically distributed in the form of ISO files via pay-per-install sites and baited social media posts that advertise QR codes to cracked video games and pirated movies.

Hijacking of popular ctx and phpass packages reveals open source security gaps
2022-05-26 07:32

The Python module "Ctx" and a fork of the PHP library "Phpass" have recently been modified by an unknown attacker to grab AWS credentials/keys and send them to a Heroku app. What at first seemed like the work of a malicious actor turned out to be an exploit by a security researcher, who wanted to demonstrate how easy it is to take control of popular packages and the repositories hosting them.

Hacker says hijacking libraries, stealing AWS keys was ethical research
2022-05-25 13:42

The hacker behind this hijack has now broken silence and explained his reasons to BleepingComputer. The hijacker of these libraries is an Istanbul-based security researcher, Yunus Aydın aka SockPuppets, who has attested to the fact when approached by BleepingComputer.

About half of popular websites tested found vulnerable to account pre-hijacking
2022-05-25 07:28

"The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account," explain Sudhodanan and Paverd in their paper. Their threat model makes certain assumptions: that the attacker can access the target service and third-party IdP services; that the attacker can create free and paid accounts at the target service but doesn't have admin rights; that the attacker can create accounts with IdP services and use these with the target service; and that the attacker knows the victim's email address and other basic details like first and last name.

Account pre-hijacking attacks possible on many online services
2022-05-24 13:51

Online accounts getting hijacked and misused is an everyday occurrence, but did you know that account pre-hijacking attacks are also possible? Inspired by previous research on preemptive account hijacking by way of single sign-on technology, researchers Avinash Sudhodanan and Andrew Paverd wanted to see whether an action by an attacker performed before a victim creates an account may allow the former to gain access to it once the victim has created/recovered the account.