Microsoft | Breaking Cybersecurity News | The Hacker News

A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software continues to be a hotbed for  natively developed malware  for close to eight years. The findings were presented today by ESET malware researcher Zuzana Hromcova at the  Black Hat USA security conference . "The various kinds of native IIS malware identified are server-side malware and the two things it can do best is, first, see and intercept all communications to the server, and second, affect how the requests are processed," Hromcova told in an interview with The Hacker News. "Their motivations range from cybercrime to espionage, and a technique called SEO fraud." Government institutions in three Southeast Asian countries, a major telecommunications company in Cambodia, and a research institution in Vietnam, as well as dozens of private

Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly. As we reported last week, the vulnerability — SeriousSAM — allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.  Attackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges. SeriousSAM vulnerability, tracked as CVE-2021-36934 , exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that allows 'read' permissions to the built-in user's group that contains all local users. As a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes. Once the attacker has 'User' access, they can use a tool such as Mimikatz to gain access to the Re

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed " MosaicLoader " that singles out individuals searching for cracked software as part of a global campaign. "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," Bitdefender researchers said in a  report  shared with The Hacker News. "The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links." The malware has been so named because of its sophisticated internal structure that's orchestrated to prevent reverse-engineering and evade analysis. Attacks involving MosaicLoader rely on a well-established tactic for malware delivery called search engine optimization (SEO) poisoning, wherein cybercriminals purc

Merely days after Microsoft sounded the alarm on an unpatched security vulnerability in the Windows Print Spooler service, possibly yet another zero-day flaw in the same component has come to light, making it the fourth printer-related shortcoming to be discovered in recent weeks. "Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print," CERT Coordination Center's Will Dormann  said  in an advisory published Sunday. "Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process." An exploit for the vulnerability was disclosed by security researcher and  Mimikatz creator   Benjamin Delpy . #printnightmare - Episode 4 You know what is better than a Legit Kiwi Printer ? 🥝Another Legit Kiwi Printer...👍 No prerequiste at all, you even don't need to sign drivers/package🤪 pic.twitter.com/oInb5jm3tE — 🥝 B

Two of the zero-day Windows flaws rectified by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. The spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab. " Candiru 's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers  said . "This case demonstrates, yet again, that in the absence of any international safegua

Microsoft on Thursday shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it's working to address it in an upcoming security update. Tracked as  CVE-2021-34481  (CVSS score: 7.8), the issue concerns a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines for discovering and reporting the bug. "An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges," the Windows maker said in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." However, it's worth pointing out that successful exploitation of the vulnerability requires the attacker to have t

Microsoft rolled out  Patch Tuesday updates  for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attacks in the wild, potentially enabling an adversary to take control of affected systems.  Of the 117 issues, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity, with six of these bugs publicly known at the time of release.  The updates span across several of Microsoft's products, including Windows, Bing, Dynamics, Exchange Server, Office, Scripting Engine, Windows DNS, and Visual Studio Code. July also marks a dramatic jump in the volume of vulnerabilities, surpassing the number Microsoft collectively addressed as part of its updates in  May  (55) and  June  (50). Chief among the security flaws actively exploited are as follows — CVE-2021-34527  (CVSS score: 8.8) - Windows Print Spooler Remote Code Execution Vulnerability (publicly disclosed

Even as Microsoft  expanded patches  for the so-called PrintNightmare vulnerability for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems. On Tuesday, the Windows maker issued an  emergency out-of-band update  to address  CVE-2021-34527  (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug — tracked as  CVE-2021-1675  — that was patched by Microsoft on June 8. "Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism," Yaniv Balmas, head of cyber research at Check Point, told The Hack

An analysis of off-the-shelf packages hosted on the NuGet repository has revealed 51 unique software components to be vulnerable to actively exploited, high-severity vulnerabilities, once again underscoring the threat posed by third-party dependencies to the software development process. In light of the growing number of cyber incidents that target the software supply chain, there is an urgent need to assess such third-party modules for any security risks and minimize the attack surface, ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. NuGet  is a Microsoft-supported mechanism for the .NET platform and functions as a package manager designed to enable developers to share reusable code. The framework maintains a central repository of over 264,000 unique packages that have collectively produced more than 109 billion package downloads. "All identified precompiled software components in our research were different versions of 7Zip, WinSCP and PuT

Microsoft has shipped an  emergency out-of-band security update  to address a critical zero-day vulnerability — known as "PrintNightmare" — that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems. Tracked as  CVE-2021-34527  (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. Last week, the company warned it had detected active exploitation attempts targeting the vulnerability. "The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system," the CERT Coordination Center said of the issue. It's worth noting that PrintNightmare includes both remote code execution and a local privilege escalation vector that can be abused in attacks to run com

Microsoft is urging Azure users to  update  the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core. The issue, tracked as  CVE-2021-26701  (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and have been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn't impacted by the flaw. Built on the .NET Common Language Runtime (CLR),  PowerShell  is a cross-platform task automation utility that consists of a command-line shell, a scripting language, and a configuration management framework. "A remote code execution vulnerability exists in .NET 5 and .NET Core due to how text encoding is performed," the company  noted in an advisory  published earlier this April, adding that the problem resides in the " System.Text.Encodings.Web " package, which provides types for encoding and escaping strings for use in JavaScript, HTML, and URLs. System.Text.

Cybersecurity researchers have detailed critical security vulnerabilities affecting  NETGEAR DGN2200v1 series routers , which they say could be reliably abused as a jumping-off point to compromise a network's security and gain unfettered access. The three  HTTPd  authentication security weaknesses (CVSS scores: 7.1 – 9.4) impact routers running firmware versions prior to v1.0.0.60, and have since been  fixed by the company  in December 2020 as part of a coordinated vulnerability disclosure process. "The rising number of firmware attacks and ransomware attacks via VPN devices and other internet-facing systems are examples of attacks initiated outside and below the operating system layer," Microsoft 365 Defender Research Team's Jonathan Bar Or  said . "As these types of attacks become more common, users must look to secure even the single-purpose software that run their hardware—like routers." In a nutshell, the flaws allow accessing router management pa

Microsoft on Friday said it's investigating an incident wherein a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China. The driver, called " Netfilter ," is said to target gaming environments, specifically in the East Asian country, with the Redmond-based firm noting that "the actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere." "The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers," Microsoft Security Response Center (MSRC)  said . It's worth pointing out that Netfilter also refers to a legitimate software package , which enables packet filtering and network address translation for Linux based systems. Microsoft dubbed the malware " Retliften ," alluding to "ne

In yet another sign that the Russian hackers who breached SolarWinds network monitoring software to compromise a slew of entities never really went away, Microsoft said the threat actor behind the malicious cyber activities used password spraying and brute-force attacks in an attempt to guess passwords and gain access to its customer accounts. "This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date," the tech giant's Threat Intelligence Center  said  Friday. "All customers that were compromised or targeted are being contacted through our nation-state notification process." The development was first  reported  by news service Reuters. The names of the victims were not revealed. The latest wave in a series of intrusions is said to have primarily targeted IT companies, followed by government agencies, non-governmental organizations, think tanks, and financ

Microsoft on Thursday warned of a "massive email campaign" that's pushing a Java-based STRRAT malware to steal confidential data from infected systems while disguising itself as a ransomware infection. "This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them," the Microsoft Security Intelligence team  said  in a series of tweets. The new wave of attacks, which the company spotted last week, commences with spam emails sent from compromised email accounts with "Outgoing Payments" in the subject line, luring the recipients into opening malicious PDF documents that claim to be remittances, but in reality, connect to a rogue domain to download the STRRAT malware. Besides establishing connections to a command-and-control server during execution, the malware comes with a range of features that allow it to collect browser passwords, log keystrokes, and run remote command

Microsoft researchers on Thursday disclosed two dozen vulnerabilities affecting a wide range of Internet of Things (IoT) and Operational Technology (OT) devices used in industrial, medical, and enterprise networks that could be abused by adversaries to execute arbitrary code and even cause critical systems to crash. "These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems,"  said  Microsoft's 'Section 52' Azure Defender for IoT research group. The flaws have been collectively named " BadAlloc ," for they are rooted in standard  memory allocation functions  spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. A lack of proper input validations associated with these memory allocation functions

More than a week after Microsoft released a  one-click mitigation tool  to mitigate cyberattacks targeting on-premises Exchange servers, the company  disclosed  that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities. The development, a 43% improvement from the previous week, caps off a whirlwind of espionage and malware campaigns that hit thousands of companies worldwide, with as many as 10 advanced persistent threat (APT) groups opportunistically moving quickly to exploit the bugs. According to telemetry data from RiskIQ, there are roughly 29,966 instances of Microsoft Exchange servers still exposed to attacks, down from 92,072 on March 10. While Exchange servers were under assault by multiple Chinese-linked state-sponsored hacking groups prior to  Microsoft's patch  on March 2, the release of  public proof-of-concept  exploits fanned a feeding frenzy of infections, opening the door for escalating attacks like ransomwar

A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a possible Chinese threat group. In a  report  published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral. Back on December 22, 2020, Microsoft  disclosed  that a second espionage group may have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems. The findings were also corroborated by cybersecurity firms Palo Alto Networks'  Unit 42  threat intelligence team and  GuidePoint Security , both of whom described Supernova as a .NET web shell implemented by modifying an "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application. The alterations were made possible not by breaching the SolarWinds app update infrastructure but instead b