#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Microsoft | Breaking Cybersecurity News | The Hacker News

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit
Jan 11, 2023 Patch Management / Endpoint Security
The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of  98 security flaws , including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with one of the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.  The vulnerability that's under attack relates to  CVE-2023-21674  (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call ( ALPC ) that could be exploited by an attacker to gain SYSTEM permissions. "This vulnerability could lead to a browser sandbox escape," Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug. While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have alrea

Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS

Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS
Jan 06, 2023 Endpoint Security / Cyber Threat
Microsoft has shed light on four different ransomware families –  KeRanger , FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems. "While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team  said  in a Thursday report. The initial vector for these ransomware families involves what the Windows maker calls "user-assisted methods," wherein the victim downloads and installs trojanized applications. Alternatively, it can also arrive as a second-stage payload that's dropped by an already existing malware on the infected host or as part of a supply chain attack. Irrespective of the modus operandi employed, the attacks proceed along similar lines, with the threat actors relying on legitimate operating system features and exploiting vulnerabilities to break into the systems and encrypt files of interest. This i

APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector

APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector
Dec 28, 2022 Malware / Windows Security
Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months. Now according to Cisco Talos , advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector. Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code. These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background. To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector. While this

France Fines Microsoft €60 Million for Using Advertising Cookies Without User Consent

France Fines Microsoft €60 Million for Using Advertising Cookies Without User Consent
Dec 23, 2022 Privacy / Data Security
France's privacy watchdog has imposed a €60 million ($63.88 million) fine against Microsoft's Ireland subsidiary for dropping advertising cookies in users' computers without their explicit consent in violation of data protection laws in the European Union. The Commission nationale de l'informatique et des libertés (CNIL)  noted  that users visiting the home page of its Bing search engine did not have a "mechanism to refuse cookies as easily as accepting them." The authority, which carried out an online audit between September 2020 and May 2021 following a complaint it received in February 2020,  stated  the tech giant deposited cookies with an aim to serve ads and fight advertising fraud without getting a user's permission beforehand, as is required by law. Along with the fines, Microsoft has also been ordered to alter its cookie practices within three months, or risk facing an additional penalty of €60,000 per day of non-compliance following the end

Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems

Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems
Dec 20, 2022 Endpoint Security / Vulnerability
Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. The shortcoming, dubbed  Achilles  ( CVE-2022-42821 , CVSS score: 5.5), was addressed by the iPhone maker in  macOS Ventura 13 ,  Monterey 12.6.2 , and  Big Sur 11.7.2 , describing it as a logic issue that could be weaponized by an app to circumvent Gatekeeper checks. "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS," Jonathan Bar Or of the Microsoft 365 Defender Research Team  said . Gatekeeper is a  security mechanism  designed to ensure that only trusted apps run on the operating system. This is  enforced  by means of an extended attribute called "com.apple.quarantine" that's assigned to files downlo

Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet

Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet
Dec 16, 2022 Server Security / Botnet
Microsoft on Thursday flagged a cross-platform botnet that's primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers. Called  MCCrash , the botnet is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts. "The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices," the company  said  in a report. "Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet." This also means that the malware could persist on IoT devices even after removing it from the infected source PC. The tech giant's cybersecurity division is tracking the activity cluster under its emerging moniker DEV-1028. A majority of the infections have been reported in Russia, and

Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as 'Critical'

Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as 'Critical'
Dec 15, 2022 Windows Security / Network Security
Microsoft has revised the severity of a security vulnerability it originally  patched in September 2022 , upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution. Tracked as  CVE-2022-37958  (CVSS score: 8.1), the flaw was previously described as an  information disclosure vulnerability  in SPNEGO Extended Negotiation ( NEGOEX ) Security Mechanism. SPNEGO, short for Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), is a scheme that allows a client and remote server to arrive at a consensus on the choice of the protocol to be used (e.g., Kerberos or NTLM) for authentication. But a  further analysis  of the flaw by IBM Security X-Force researcher Valentina Palmiotti found that it could allow remote execution of arbitrary code, prompting Microsoft to reclassify its severity. "This vulnerability is a pre-authentication remote code execution vulnerability impacting a wide range of protocols," IBM  said  this

Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems

Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems
Dec 14, 2022 Endpoint Security / Firmware Security
Microsoft on Tuesday disclosed it took steps to implement blocking protections and suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program . The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected. Cryptographically signing malware is concerning not least because it not only undermines a key security mechanism but also allows threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations. The probe, Redmond stated, was initiated after it was notified of rogue drivers being used in post-exploitation efforts, including deploying ransomware, by cybersecurity firms Mandiant, SentinelOne, and Sophos on October 19, 2022. One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before

December 2022 Patch Tuesday: Get Latest Security Updates from Microsoft and More

December 2022 Patch Tuesday: Get Latest Security Updates from Microsoft and More
Dec 14, 2022 Patch Management / Vulnerability
Tech giant Microsoft released its last set of monthly security updates for 2022 with  fixes for 49 vulnerabilities  across its software products. Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to  24 vulnerabilities  that have been addressed in the Chromium-based Edge browser since the start of the month. December's Patch Tuesday plugs two zero-day vulnerabilities, one that's actively exploited and another issue that's listed as publicly disclosed at the time of release. The former relates to  CVE-2022-44698  (CVSS score: 5.4), one of the  three security bypass issues  in Windows SmartScreen that could be exploited by a malicious actor to evade mark of the web (MotW) protections. It's worth noting that this issue, in conjunction with  CVE-2022-41091  (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files within ZIP arc

Russian Hackers Spotted Targeting U.S. Military Weapons and Hardware Supplier

Russian Hackers Spotted Targeting U.S. Military Weapons and Hardware Supplier
Dec 07, 2022 Password Security / Cyber Threat
A state-sponsored hacking group with links to Russia has been linked to attack infrastructure that spoofs the Microsoft login page of Global Ordnance, a legitimate U.S.-based military weapons and hardware supplier. Recorded Future attributed the new infrastructure to a threat activity group it tracks under the name  TAG-53 , and is broadly known by the cybersecurity community as Blue Callisto , Callisto, COLDRIVER, SEABORGIUM, and TA446. "Based on historical public reporting on overlapping TAG-53 campaigns, it is likely that this credential harvesting activity is enabled in part through phishing," Recorded Future's Insikt Group  said  in a report published this week. The cybersecurity firm said it discovered 38 domains, nine of which contained references to companies like UMO Poland, Sangrail LTD, DTGruelle, Blue Sky Network, the Commission for International Justice and Accountability (CIJA), and the Russian Ministry of Internal Affairs. It's suspected that the t

Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks

Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks
Dec 07, 2022 Cryptocurrency / Threat Intelligence
Cryptocurrency investment companies are the target of a developing threat cluster that uses Telegram groups to seek out potential victims. Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name  DEV-0139 , and builds upon a recent report from Volexity that attributed the same set of attacks to North Korea's  Lazarus Group . "DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members," the tech giant  said . The adversary subsequently impersonated another cryptocurrency investment company and invited the victim to join a different Telegram chat group under the pretext of asking for feedback on the trading fee structure used by exchange platforms across VIP tiers. It's worth pointing out that the  VIP program  is  designed  to  reward   high-volume traders  with exclusive trading fee incentives and discount

Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries

Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries
Nov 23, 2022
Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called Boa . The tech behemoth's cybersecurity division  said  the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices." The findings build on a prior report  published  by Recorded Future in April 2022, which delved into a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India. The cybersecurity firm attributed the attacks to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attacks as unsuccessful "probing attempts," China denied it was behind the campaign. The connections to China stem from the use of a modular backdoor dubbed  ShadowPad , which is known to be shared among several

Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware
Nov 19, 2022
A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered  Royal ransomware . Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name  DEV-0569 . "Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team  said  in an analysis. The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. The malware downloader, a strain referred to as  BATLOADER , is a dropper that functions as a conduit to distribute next-stage pa

Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland

Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland
Nov 11, 2022
Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored  Sandworm group . The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called  Prestige  and is said to have taken place within an hour of each other across all victims. The Microsoft Threat Intelligence Center (MSTIC) is now tracking the threat actor under its element-themed moniker Iridium (née DEV-0960), a Russia-based group that's publicly tracked by the name Sandworm (aka Iron Viking, TeleBots, and Voodoo Bear). "This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known Iridium activity," MSTIC  said  in an update. The company also further assessed the group to have orchestrated compromise act

Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days
Nov 09, 2022
Microsoft's latest round of monthly security updates has been released with fixes for  68 vulnerabilities  spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by  OpenSSL  the previous week. Also separately  addressed  in Microsoft Edge at the start of the month is an actively exploited flaw in Chromium-based browsers ( CVE-2022-3723 ) that was plugged by Google as part of an out-of-band update late last month. "The big news is that  two older zero-day CVEs  affecting Exchange Server, made public at the end of September, have finally been fixed," Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News. "Customers are advised to update their  Exchange Server systems  immediately, regardless of whether any previously recommended mitigation steps
More Resources