Information Technology Security

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. NPM is a package manager for the JavaScript programming language maintained by Microsoft's npm, Inc. npm is the default package manager for the JavaScript runtime environment Node.js and is included as a recommended feature in the Node.js installer. Wikipedia Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said . "The software contained a malicious Node JS payload that, once executed, compromised the developer's system." Details of the campaign first emerged in l...

By Bill Toulas, Bleeping Computer Healthcare service provider Kaiser Permanente disclosed a data security incident that may impact 13.4 million people in the United States. Kaiser Permanente is an integrated managed care consortium and one of the largest nonprofit health plans in the U.S. It operates 40 hospitals and 618 medical facilities in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington. In a statement, the organization said that information from "approximately 13.4 million current and former members and patients" was leaked to third-party trackers installed on its websites and mobile applications. “Kaiser Permanente has determined that certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter) when members and patients accessed its websites or mobile applications” - Kaiser Perma...

By Sergiu Gatlan,  Bleeping Computer ​The United Nations Development Programme (UNDP) is investigating a cyberattack after threat actors breached its IT systems to steal human resources data. UNDP, the UN's global development network, works in over 170 countries and territories and relies on donations from UN member states and private sector/multilateral organizations to help eradicate poverty and fight inequality and exclusion. In a statement published Tuesday, the organization revealed that the attackers hacked into local IT infrastructure in UN City, Copenhagen, in late March. "On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information," the UN agency disclosed. "Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted." UNDP is now ...

Attackers are increasingly making use of "networkless" attack techniques targeting cloud apps and identities. Here's how attackers can (and are) compromising organizations – without ever needing to touch the endpoint or conventional networked systems and services. Before getting into the details of the attack techniques being used, let's discuss why these attacks are becoming more prevalent.

By Lawrence Abrams,  Bleeping Computer The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company. In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system , preventing pharmacies and doctors from billing or sending claims to insurance companies. The attack was ultimately linked to the BlackCat / ALPHV ransomware operation, who later said they stole 6 TB of data during the attack . After facing increased pressure from law enforcement, the BlackCat gang shut down their operation . This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack. While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as "Notchy" said they ...

By Sergiu Gatlan, Bleeping Computer CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. Emergency Directive 24-02 was issued to Federal Civilian Executive Branch (FCEB) agencies on April 2. It requires them to investigate potentially affected emails, reset any compromised credentials (if any), and take measures to secure privileged Microsoft Azure accounts. CISA says Russian Foreign Intelligence Service (SVR) operatives now use information stolen from Microsoft's corporate email systems, including the authentication details shared between Microsoft and its customers by email, to gain access to certain customer systems. "This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems. For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian ...

By Sergiu Gatlan,  Bleeping Computer LastPass revealed this week that threat actors targeted one of its employees in a voice phishing attack, using deepfake audio to impersonate Karim Toubba, the company's Chief Executive Officer. However, while 25% of people have been on the receiving end of an AI voice impersonation scam or know someone who has, according to a recent global study, the LastPass employee didn't fall for it because the attacker used WhatsApp, which is a very uncommon business channel. "In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp," LastPass intelligence analyst Mike Kosak said. Deepfake audio LastPass CEO impersonation "As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such a...

By Ax Sharma,  Bleeping Computer The Notepad++ project is seeking the public's help in taking down a copycat website that closely impersonates Notepad++ but is not affiliated with the project. Although, at the time of writing, the lookalike website takes visitors to the official Notepad++ downloads page, there is some concern that it could pose security threats—for example, if it starts pushing malicious releases or spam someday either deliberately or as a result of a hijack. The lookalike website appears prominently in search results

Among the never-ending list of malicious software that threat actors use in cyber attacks are viruses, worms, trojans, ransomware, spyware, and adware. Today's malware is not just about causing immediate damage; some programs get embedded within systems to siphon off data over time, disrupt operations strategically, or lay the groundwork for massive, coordinated attacks.  A prime example is a recently found malicious backdoor in a popular compression tool, known as xz Utils. Thankfully the malicious code was identified early “due to bad actor sloppiness”, but the consequences could’ve been massive. Read on to get the lowdown on recent high-profile malware attacks along with strategies to help limit malware risks at your organization.  Recent High-Profile Malware Attacks Here's a detailed overview of recent malware attacks, highlighting key incidents and offering valuable insights and lessons learned from each event. StripedFly A prolific and advanced cross-platform malware fra...

By Sergiu Gatlan,  Bleeping Computer Microsoft has confirmed that some Outlook.com users are experiencing issues with emails being blocked and marked as spam when trying to email Gmail accounts. This known issue only impacts users with Outlook.com country domains, according to a support document published by Redmond on Tuesday. Affected Outlook users are being told in follow-up emails from Gmail's servers that their messages were suspicious and have been stopped from reaching the recipient's inbox. "Remote server returned message detected as spam [..]. Gmail has detected that this message is likely suspicious due to the very low reputation of the sending domain. To best protect our users from spam, the message has been blocked," the replies from Gmail's mail server (mx.google.com) explain. Google's support website says that it's very likely that only a subset of these messages are being blocked because they have "a strong likelihood of being spam....