The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Microsoft

Microsoft Warns of New Security Flaw Affecting Surface Pro 3 Devices

Microsoft Warns of New Security Flaw Affecting Surface Pro 3 Devices
October 20, 2021Ravie Lakshmanan
Microsoft has published a new advisory warning of a security bypass vulnerability affecting Surface Pro 3 convertible laptops that could be exploited by an adversary to introduce malicious devices within enterprise networks and defeat the device attestation mechanism. Tracked as  CVE-2021-42299  (CVSS score: 5.6), the issue has been codenamed " TPM Carte Blanche " by Google software engineer Chris Fenner, who is credited with discovering and reporting the attack technique. As of writing, other Surface devices, including the Surface Pro 4 and Surface Book, have been deemed unaffected, although other non-Microsoft machines using a similar BIOS may be vulnerable. "Devices use Platform Configuration Registers ( PCRs ) to record information about device and software configuration to ensure that the boot process is secure," the Windows maker noted in a bulletin. "Windows uses these PCR measurements to determine device health. A vulnerable device can masquerade as

Update Your Windows PCs Immediately to Patch New 0-Day Under Active Attack

Update Your Windows PCs Immediately to Patch New 0-Day Under Active Attack
October 12, 2021Ravie Lakshmanan
Microsoft on Tuesday rolled out  security patches  to contain a total of 71 vulnerabilities in Microsoft Windows and other software, including a fix for an actively exploited privilege escalation vulnerability that could be exploited in conjunction with remote code execution bugs to take control over vulnerable systems. Two of the addressed security flaws are rated Critical, 68 are rated Important, and one is rated Low in severity, with three of the issues listed as publicly known at the time of the release. The four zero-days are as follows — CVE-2021-40449  (CVSS score: 7.8) - Win32k Elevation of Privilege Vulnerability CVE-2021-41335  (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability CVE-2021-40469  (CVSS score: 7.2) - Windows DNS Server Remote Code Execution Vulnerability CVE-2021-41338  (CVSS score: 5.5) - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability At the top of the list is CVE-2021-40449, a use-after-free vulnerability

Microsoft Fended Off a Record 2.4 Tbps DDoS Attack Targeting Azure Customers

Microsoft Fended Off a Record 2.4 Tbps DDoS Attack Targeting Azure Customers
October 12, 2021Ravie Lakshmanan
Microsoft on Monday revealed that its Azure cloud platform mitigated a 2.4 Tbps distributed denial-of-service (DDoS) attack in the last week of August targeting an unnamed customer in Europe, surpassing a  2.3 Tbps attack  stopped by Amazon Web Services in February 2020. "This is 140 percent higher than  2020's 1 Tbps attack  and higher than any network volumetric event previously detected on Azure," Amir Dahan, senior program manager for Azure Networking,  said  in a post, calling it a " UDP reflection " lasting for about 10 minutes. Reflected amplification attacks are a type of denial of service attacks wherein a threat actor takes advantage of the connectionless nature of UDP protocol with spoofed requests so as to overwhelm a target server or network with a flood of packets, causing disruption or rendering the server and its surrounding infrastructure unavailable. The attack is said to have originated from a botnet of approximately 70,000 compromised d

Microsoft Warns of Iran-Linked Hackers Targeting US and Israeli Defense Firms

Microsoft Warns of Iran-Linked Hackers Targeting US and Israeli Defense Firms
October 11, 2021Ravie Lakshmanan
An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting US, EU, and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East. Microsoft is tracking the hacking crew under the moniker DEV-0343 . The intrusions, which were first observed in late July 2021, are believed to have targeted more than 250 Office 365 tenants, fewer than 20 of which were successfully compromised following a  password spray  attack — a type of brute force attack wherein the same password is cycled against different usernames to log into an application or a network in an effort to avoid account lockouts. Indications thus far allude to the possibility that the activity is part of an intellectual property theft campaign aimed at government partners producing military-grade radars, drone technology

A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries

A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries
October 04, 2021Ravie Lakshmanan
A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks. Cybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang — referring to their chameleellonic capabilities, including disguising "its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google."  "To achieve their goal, the attackers used a trending penetration method—supply chain," the researchers  said  of one of the incidents investigated by the firm. "The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method […], the ChamelGang group was able to achieve its goal a

New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught

New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught
September 30, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potential adversaries could abuse to stage undetected brute-force attacks. "This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory ( Azure AD ) without generating sign-in events in the targeted organization's tenant," researchers from Secureworks Counter Threat Unit (CTU)  said  in a report published on Wednesday. Azure Active Directory is Microsoft's enterprise cloud-based identity and access management (IAM) solution designed for single sign-on (SSO) and multi-factor authentication. It's also a core component of Microsoft 365 (formerly Office 365), with capabilities to provide authentication to other applications via OAuth. The weakness resides in the  Seamless Single Sign-On  feature that allows employees to automatically sign in when using their corporate devices that

Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers

Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers
September 27, 2021Ravie Lakshmanan
Microsoft on Monday revealed new malware deployed by the hacking group behind the SolarWinds supply chain attack last December to deliver additional payloads and steal sensitive information from Active Directory Federation Services ( AD FS ) servers. The tech giant's Threat Intelligence Center (MSTIC) codenamed the "passive and highly targeted backdoor" FoggyWeb, making it the threat actor tracked as Nobelium's latest tool in a long list of cyber weaponry such as  Sunburst ,  Sunspot ,  Raindrop ,  Teardrop ,  GoldMax, GoldFinder, Sibot ,  Flipflop ,  NativeZone ,  EnvyScout, BoomBox, and VaporRage . "Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools," MSTIC researchers  said . "Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing cer

Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials

Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials
September 23, 2021Ravie Lakshmanan
An unpatched design flaw in the implementation of Microsoft Exchange's Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide. "This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire," Guardicore's Amit Serper  said  in a technical report. "Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains]." The Exchange  Autodiscover  service enables users to configure applications such as Microsoft Outlook with minimal user input, allowing just a combination of email addresses and pas

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation
September 22, 2021Ravie Lakshmanan
Microsoft has opened the lid on a large-scale phishing-as-a-service (PHaaS) operation that's involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal efforts. "With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today," Microsoft 365 Defender Threat Intelligence Team  said  in a Tuesday report. "BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators." The tech giant said it uncovered the operation during its investigation of a credential phishing

You Can Now Sign-in to Your Microsoft Accounts Without a Password

You Can Now Sign-in to Your Microsoft Accounts Without a Password
September 15, 2021Ravie Lakshmanan
Microsoft on Wednesday announced a new passwordless mechanism that allows users to access their accounts without a password by using Microsoft Authenticator, Windows Hello, a security key, or a verification code sent via SMS or email. The change is expected to be rolled out in the coming weeks. "Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords,"  said  Vasu Jakkal, Microsoft's corporate vice president for Security, Compliance, and Identity. "But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords." "Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives," Jakkal added. Over the years, weak passwords have emerged as the entry point for a vast majority of attacks across enterprise and cons

Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability

Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability
September 14, 2021Ravie Lakshmanan
A day after  Apple  and  Google  rolled out urgent security updates, Microsoft has  pushed software fixes  as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an  actively exploited zero-day  in its MSHTML Platform that came to light last week.  Of the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This is aside from the  20 vulnerabilities  in the Chromium-based Microsoft Edge browser that the company addressed since the start of the month. The most important of the updates concerns a patch for  CVE-2021-40444  (CVSS score: 8.8), an actively exploited remote code execution vulnerability in MSHTML that leverages malware-laced Microsoft Office documents, with EXPMON researchers noting "the exploit uses logical flaws so the exploitation is perfectly reliable." Also addressed is a publicly disclose

Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances

Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances
September 09, 2021Ravie Lakshmanan
Microsoft on Wednesday said it remediated a vulnerability in its Azure Container Instances ( ACI ) services that could have been weaponized by a malicious actor "to access other customers' information" in what the researchers described as the "first cross-account container takeover in the public cloud." An attacker exploiting the weakness could execute malicious commands on other users' containers, steal customer secrets and images deployed to the platform. The Windows maker did not share any additional specifics related to the flaw, save that  affected customers  "revoke any privileged credentials that were deployed to the platform before August 31, 2021." Azure Container Instances is a managed service that allows users to run Docker  containers  directly in a serverless cloud environment, without requiring the use of virtual machines, clusters, or orchestrators. Palo Alto Networks' Unit 42 threat intelligence team dubbed the vulnerabilit

Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack

Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack
September 04, 2021Ravie Lakshmanan
Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with "high confidence" to a threat actor operating out of China. In mid-July, the Texas-based company  remedied  a remote code execution flaw ( CVE-2021-35211 ) that was rooted in Serv-U's implementation of the Secure Shell (SSH) protocol, which could be abused by attackers to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data. "The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team said in a  detailed write-up  describing the exploit. "An attacker can exploit this vulnerability by connecting to the open SSH port and sendin

Microsoft Warns of Widespread Phishing Attacks Using Open Redirects

Microsoft Warns of Widespread Phishing Attacks Using Open Redirects
August 28, 2021Ravie Lakshmanan
Microsoft is warning of a widespread credential phishing campaign that leverages  open redirector links  in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software. "Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking," Microsoft 365 Defender Threat Intelligence Team  said  in a report published this week. "Doing so leads to a series of redirections — including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems — before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks." Although redirect links in email messages serve a vital tool to take recipients to third-party websites or track click rates and measure the success of sales and marketin

38 Million Records Exposed from Microsoft Power Apps of Dozens of Organisations

38 Million Records Exposed from Microsoft Power Apps of Dozens of Organisations
August 24, 2021Ravie Lakshmanan
More than 38 million records from 47 different entities that rely on Microsoft's Power Apps portals platform were inadvertently left exposed online, bringing into sharp focus a "new vector of data exposure." "The types of data varied between portals, including personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses," UpGuard Research team  said  in a disclosure made public on Monday. Governmental bodies like Indiana, Maryland, and New York City, and private companies such as American Airlines, Ford, J.B. Hunt, and Microsoft are said to have been impacted. Among the most sensitive information that was left in the open were 332,000 email addresses and employee IDs used by Microsoft's own global payroll services, as well as more than 85,000 records related to Business Tools Support and Mixed Reality portals. Power Apps  is

Mozi IoT Botnet Now Also Targets Netgear, Huawei, and ZTE Network Gateways

Mozi IoT Botnet Now Also Targets Netgear, Huawei, and ZTE Network Gateways
August 20, 2021Ravie Lakshmanan
Mozi, a peer-to-peer (P2P) botnet known to target IoT devices, has gained new capabilities that allow it to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE, according to latest findings. "Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks," researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT  said  in a technical write-up. "By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities." First  documented  by Netlab 360 in December 2019, Mozi has a history of infecting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execut

Microsoft Releases Windows Updates to Patch Actively Exploited Vulnerability

Microsoft Releases Windows Updates to Patch Actively Exploited Vulnerability
August 10, 2021Ravie Lakshmanan
Microsoft on Tuesday rolled out  security updates  to address a total of 44 security issues affecting its software products and services, one of which it says is an actively exploited zero-day in the wild. The update, which is the smallest release since December 2019, squashes seven Critical and 37 Important bugs in Windows, .NET Core & Visual Studio, Azure, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows Codecs Library, Remote Desktop Client, among others. This is in addition to  seven security flaws  it patched in the Microsoft Edge browser on August 5. Chief among the patched issues is  CVE-2021-36948  (CVSS score: 7.8), an elevation of privilege flaw affecting Windows Update Medic Service — a service that enables remediation and protection of Windows Update components — which could be abused to run malicious programs with escalated permissions. Microsoft's Threat Intelligence Center has been credited with reporting the flaw

Several Malware Families Targeting IIS Web Servers With Malicious Modules

Several Malware Families Targeting IIS Web Servers With Malicious Modules
August 04, 2021Ravie Lakshmanan
A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software continues to be a hotbed for  natively developed malware  for close to eight years. The findings were presented today by ESET malware researcher Zuzana Hromcova at the  Black Hat USA security conference . "The various kinds of native IIS malware identified are server-side malware and the two things it can do best is, first, see and intercept all communications to the server, and second, affect how the requests are processed," Hromcova told in an interview with The Hacker News. "Their motivations range from cybercrime to espionage, and a technique called SEO fraud." Government institutions in three Southeast Asian countries, a major telecommunications company in Cambodia, and a research institution in Vietnam, as well as dozens of private
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.