Microsoft Defender | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files ( WSFs ) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer  said  in a report shared with The Hacker News. Raspberry Robin, also called QNAP worm, was  first spotted  in September 2021 that has since  evolved into a downloader  for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware. While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since  adopted other methods  such as social engineering and malvertising. It's attribute

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG (TTNG) . "The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions," Cisco Talos  said  in a new report published today. "Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network." There is evidence indicating that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltration taking place via the tool a month later, around January 12, 2024. TinyTurla-NG was  first documented  by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Poli

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called  Water Hydra  (aka DarkCasino) targeting financial market traders. Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).  "In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware," the cybersecurity firm  said  in a Tuesday report. Microsoft, which  addressed  the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks. However, successful exploitation banks on the prerequisite that the threat actor convinces the victim to click on the file link to view

A new Go-based malware loader called  CherryLoader  has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation. Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader's icon and name masquerades as the legitimate CherryTree note-taking application to dupe potential victims into installing it. "CherryLoader was used to drop one of two privilege escalation tools,  PrintSpoofer  or  JuicyPotatoNG , which would then run a batch file to establish persistence on the victim device," researchers Hady Azzam, Christopher Prest, and Steven Campbell  said . In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code. It's currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader ("cherrytree.exe") and i

High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers. "This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs researcher Or Yair  said . "It does all that without implementing code that touches the target files, making it fully undetectable." EDR software, by design, are capable of continually scanning a machine for potentially suspicious and malicious files, and taking appropriate action, such as deleting or quarantining them. The idea, in a nutshell, is to trick vulnerable security products into deleting legitimate files and directories on the system and render the machine inoperable by making use of specially crafted paths. This is achieved by taking advantage of what's ca

Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link. "Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team  said  in a write-up. Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos. Attackers could also have abused the bug to send messages and upload videos on behalf of users. The issue, addressed in version 23.7.3, impacts two flavors of its Android app com.ss.android.ugc.trill (for East and Southeast Asian users) and com.zhiliaoapp.musically (for users in other countries except for India, wher

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as  CVE-2022-29972 , has been codenamed " SynLapse " by researchers from Orca Security, who reported the flaw to Microsoft in January 2022. "The vulnerability was specific to the third-party Open Database Connectivity ( ODBC ) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime ( IR ) and did not impact Azure Synapse as a whole," the company  said . "The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant." In other words, a malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant's Integration Runtimes to gain access to sensitive informa

Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers. "By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems," Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC)  said . TrickBot, which emerged as a banking trojan in 2016, has evolved into a sophisticated and persistent threat, with its modular architecture enabling it to adapt its tactics to suit different networks, environments, and devices as well as offer access-as-a-service for next-stage payloads like Conti ransomware. The expansion to TrickBot's capabilities comes amid reports of its  infrastructure goin