Microsoft Entra | Breaking Cybersecurity News | The Hacker News

New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID , potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse. First disclosed by Descope in June 2023, nOAuth refers to a weakness in how SaaS applications implement OpenID Connect ( OIDC ), which refers to an authentication layer built atop OAuth to verify a user's identity. The authentication implementation flaw essentially allows a bad actor to change the mail attribute in the Entra ID account to that of a victim's and take advantage of the app's "Log in with Microsoft" feature to hijack that account. The attack is trivial, but it also works because Entra ID permits users to have an unverified email address, opening the door to user imperson...

Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to "worldwide cloud abuse." Active since at least April 2024, the hacking group is linked to espionage operations mainly targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America. "They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations," the Microsoft Threat Intelligence team said in a report published today. "Once inside, they steal large amounts of emails and files." Attacks mounted by Void Blizzard have been found to disproportionately single out NATO member states and Ukraine, suggesting that the adversary is looking to ...

Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that's targeting publicly accessible Redis servers. The malicious activity has been codenamed RedisRaider by Datadog Security Labs. "RedisRaider aggressively scans randomized portions of the IPv4 space and uses legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems," security researchers Matt Muir and Frederic Baguelin said . The end goal of the campaign is to drop a Go-based primary payload that's responsible for unleashing an XMRig miner on compromised systems. The activity entails using a bespoke scanner to identify publicly accessible Redis servers across the internet and then issuing an INFO command to determine if the instances are running on a Linux host. If it's found to be the case, the scanning algorithm proceeds to abuse Redis's SET command to inject a cron job. The malware then uses the CONFIG command to change the Redi...