Microsoft | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as a part of a zero-day exploit chain designed to target government, defense, and technology sectors in China. According to QiAnXin's RedDrip Team, the threat actor has been active since 2023 and has switched network infrastructure at an extremely fast rate. The findings were presented at CYDES 2025 , the third edition of Malaysia's National Cyber Defence & Security Exhibition and Conference held between July 1 and 3, 2025. "It seems to have the speed of an eagle and has been operating at night in China," the cybersecurity vendor said , explaining the rationale behind naming the adversary NightEagle. Attacks mounted by the threat actor have singled out entities operating in the high-tech, chip semiconductors, quantum technology, artificial intelligence, and military verticals with th...

A new study of integrated development environments (IDEs) like Microsoft Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor has revealed weaknesses in how they handle the extension verification process, ultimately enabling attackers to execute malicious code on developer machines. "We discovered that flawed verification checks in Visual Studio Code allow publishers to add functionality to extensions while maintaining the verified icon," OX Security researchers Nir Zadok and Moshe Siman Tov Bustan said in a report shared with The Hacker News. "This results in the potential for malicious extensions to appear verified and approved, creating a false sense of trust." Specifically, the analysis found that Visual Studio Code sends an HTTP POST request to the domain "marketplace.visualstudio[.]com" to determine if an extension is verified or otherwise. The exploitation method essentially involves creating a malicious extension with the same verifia...

The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers. The coordinated action saw searches of 21 known or suspected "laptop farms" between June 10 and 17, 2025, across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers.  "The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies," the DoJ said . The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People's Republic of North Korea (DPRK) revenue generation machine in a manner that bypasses international sanctions. The fraudulent operation...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Microsoft has said that it's ending support for passwords in its Authenticator app starting August 1, 2025. Microsoft's move is part of a much larger shift away from traditional password-based logins. The company said the changes are also meant to streamline autofill within its two-factor authentication (2FA) app, making the experience simpler and more secure. Over the past few years, Microsoft has been pushing for a passwordless future using technologies like passkeys , Windows Hello, and FIDO2-based authentication. These methods offer better protection against phishing and password reuse, which are still major attack vectors. While it may feel like a hassle at first, this change is actually aimed at reducing your risk in the long run. "Starting July 2025, the autofill feature in Authenticator will stop working, and from August 2025, passwords will no longer be accessible in Authenticator," Microsoft said in a support document for Authenticator. It's worth noti...

Microsoft on Tuesday announced that it's extending Windows 10 Extended Security Updates ( ESU ) for an extra year by letting users either pay a small fee of $30 or by sync their PC settings to the cloud. The development comes ahead of the tech giant's upcoming October 14, 2025, deadline , when it plans to officially end support and stop providing security updates for devices running Windows 10. The desktop operating system was launched in July 2015. The Windows maker describes ESU as a "last resort option" for customers who need to run legacy Microsoft software that has reached end-of-life (EoL) status. This is meant to be a temporary solution while migrating to a newer supported platform. According to StatCounter data as of May 2025, Windows 10's market share stands at 53.19% globally, making it the most widely used version of Windows. This is followed by Windows 11 at 43%. As part of the new enrollment options announced by Microsoft, individuals can opt-...

Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut ( LNK ) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said . XDSpy is the name assigned to a cyber espionage that's known to target government agencies in Eastern Europe and the Balkans since 2011. It was first documented by the Belarusian CERT in early 2020.  In recent years, companies in Russia and Moldova have been targeted by various campaigns to deliver malware families like UTask, XDDown, and DSDownloader that can download additional payloads and steal sensitive information from compromised hosts. HarfangLab said it observed the threat actor leveraging a remote code execution flaw in Microsoft Windows that's triggered when processing specially crafted LNK files. The v...

Most cyberattacks today don't start with loud alarms or broken firewalls. They start quietly—inside tools and websites your business already trusts. It's called " Living Off Trusted Sites " (LOTS)—and it's the new favorite strategy of modern attackers. Instead of breaking in, they blend in. Hackers are using well-known platforms like Google, Microsoft, Dropbox, and Slack as launchpads. They hide malicious code inside routine traffic, making it incredibly difficult for traditional defenses to detect them. And here's the scary part: many security teams don't even realize it's happening—until it's too late. Why You're Not Seeing These Attacks LOTS tactics don't look suspicious at first glance. There's no malware signature to flag, and no unusual IP address to trace. It's legitimate traffic—until it's not. Attackers are exploiting: Common business tools like Teams, Zoom, and GitHub Shortened or vanity URLs to redirect users Trusted cloud services to host malicious payloads ...

Threat actors with suspected ties to Russia have been observed taking advantage of a Google account feature called application specific passwords (or app passwords) as part of a novel social engineering tactic designed to gain access to victims' emails. Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and the Citizen Lab, stating the activity seeks to impersonate the U.S. Department of State.  "From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs), GTIG researchers Gabby Roncone and Wesley Shields said . "Once the target shares the ASP passcode, the attackers establish persistent access to the victim's mailbox." The activity has been attributed by Google to a threat cluster it tracks as UNC6293, which it says is likely affiliate...

Meta Platforms on Wednesday announced that it's adding support for passkeys, the next-generation password standard, on Facebook. "Passkeys are a new way to verify your identity and login to your account that's easier and more secure than traditional passwords," the tech giant said in a post. Support for passkeys is expected to be available "soon" on Android and iOS mobile devices. The feature is also coming to its Messenger platform in the coming months. The company said passkeys can also be used to auto-fill payment information when making purchases using Meta Pay. Meta previously rolled out passkeys support for WhatsApp on Android in October 2023, and on iOS a few months later in April 2024. There is no word yet on when it plans to bring passkeys to Instagram. Passkeys, backed by the FIDO Alliance, is a passwordless authentication solution that allows users to securely sign in to online services by using biometrics or the device lock PIN code. ...

Microsoft has released patches to fix 67 security flaws , including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws. The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV ( CVE-2025-33053 , CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL. The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It's worth mentioning that CVE-2025-33053 is the first zero-day vulnerab...

India's Central Bureau of Investigation (CBI) has revealed that it has arrested six individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens. The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of an initiative called Operation Chakra V, which aims to combat cyber-enabled financial crimes. The cybercrime syndicates, per the CBI, defrauded foreign nationals, mainly Japanese citizens, by masquerading as technical support personnel from various multinational corporations, including Microsoft.  "The syndicate operated call centers designed to appear as legitimate customer service centers, through which victims were deceived into believing that their electronic devices were compromised," the agency said . "Under this pretext, victims were coerced into transferring funds ...

Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping. "By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft Security, said . The initiative is seen as a way to untangle the menagerie of nicknames that private cybersecurity vendors assign to various hacking groups that are broadly categorized as a nation-state, financially motivated, influence operations, private sector offensive actors, and emerging clusters. For example, the Russian state-sponsored threat actor tracked by Microsoft as Midnight Blizzard (formerly Nobelium) is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, and The Dukes. Likewise, Forest Blizzard (previously Strontium) goes by other monikers such...

Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.  "In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard-based remote access tool on the victim's computer," Trellix researcher Srini Seethapathy said in an analysis. The activity, first detected by the cybersecurity company in mid-May 2025, has not been attributed to a known threat actor or group. The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a "strategic opportunity" with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishin...

The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. "The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations," Trend Micro security researcher Joseph C Chen said in an analysis published this week. "The actor also takes advantage of various known vulnerabilities to exploit public-facing servers." Some of the other prominent targets of the adversarial collective include Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. The cybersecurity company is tracking the intrusion set under the moniker Earth Lamia , stating the activity shares some degree of overlap with threat clusters documented by Elastic Security Labs as REF0657 , Sophos as STAC6451 , and Palo Alto Networks Unit 42 a...