
Microsoft | Breaking Cybersecurity News | The Hacker News

Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits

Jul 28, 2022
A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the development and attempted sale of a cyberweapon referred to as Subzero, which can be used to hack targets' phones, computers, and internet-connected devices. "Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama," the tech giant's cybersecurity teams said in a Wednesday report. Microsoft is tracking the actor under the moniker KNOTWEED, continuing its trend of terming PSOAs using names given to trees and shrubs. The company previously designated the name SOUR

Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access

Jul 27, 2022
Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a "durable persistence mechanism." That's according to a new warning from the Microsoft 365 Defender Research Team, which said that "IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules." Attack chains taking this approach commence with weaponizing a critical vulnerability in the hosted application for initial access, using this foothold to drop a script web shell as the first stage payload. This web shell then becomes the conduit for installing a rogue IIS module to provide highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests as well as running remote commands. Indeed, earlier this month, Kaspersky researchers disclosed a cam

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024 | SaaS Security / Endpoint Security
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the SaaS supply chain snowball quickly. That's why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorte

Microsoft Adds Default Protection Against RDP Brute-Force Attacks in Windows 11

Jul 25, 2022
Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system in an attempt to raise the security baseline to meet the evolving threat landscape. To that end, the default policy for Windows 11 builds – particularly, Insider Preview builds 22528.1000 and newer – will automatically lock accounts for 10 minutes after 10 invalid sign-in attempts. "Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute-force password vectors," David Weston, Microsoft's vice president for OS security and enterprise, said in a series of tweets last week. "This technique is very commonly used in Human Operated Ransomware and other attacks -- this control will make brute forcing much harder which is awesome!" It's worth pointing out that while this account lockout setting is already incorporated in Windows 10, it's not enabled by default. The f


Microsoft Resumes Blocking Office VBA Macros by Default After 'Temporary Pause'

Jul 22, 2022
Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros by default across Office apps, weeks after announcing plans to temporarily roll back the change. "Based on our review of customer feedback, we've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios," the company said in an update on July 20. Earlier this February, Microsoft publicized its plans to disable macros by default in Office applications such as Access, Excel, PowerPoint, Visio, and Word as a way to prevent threat actors from abusing the feature to deliver malware. It's a known fact that a majority of the damaging cyberattacks today leverage email-based phishing lures to spread bogus documents containing malicious macros as a primary vector for initial access. "Macros can add a lot of functionality to Office, but they are often used by people with bad intentions to distribute malware to

North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware

Jul 15, 2022
An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021. The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned to an unknown, emerging, or developing group of threat activity. Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies. "Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims," the researchers said in a Thursday analysis. "The group's standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange

Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices

Jul 14, 2022
Microsoft on Wednesday shed light on a now-patched security vulnerability affecting Apple's operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware. "An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional payloads," Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a write-up. Tracked as CVE-2022-26706 (CVSS score: 5.5), the security vulnerability impacts iOS, iPadOS, macOS, tvOS, and watchOS and was fixed by Apple in May 2022. Calling it an access issue affecting the LaunchServices (launchd) component, the iPhone maker noted that "A sandboxed process may be able to circumvent sandbox restrictions," adding it mitigated the issue with additional restrictions. While Apple's App Sandbox is designed to tightly regulate a third-party app's acce

Microsoft Warns of Large-Scale AiTM Phishing Attacks Against Over 10,000 Organizations

Jul 13, 2022
Microsoft on Tuesday disclosed that a large-scale phishing campaign targeted over 10,000 organizations since September 2021 by hijacking Office 365's authentication process even on accounts secured with multi-factor authentication (MFA). "The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets," the company's cybersecurity teams reported. The intrusions entailed setting up adversary-in-the-middle (AitM) phishing sites, wherein the attacker deploys a proxy server between a potential victim and the targeted website so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA information. "The phishing page has two different Transport Layer Security (TLS) sessions — one with the target and another with the actual website the target wants to access," the company

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Jul 13, 2022
Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks. Top of the list of this month's updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions. "With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools," Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. "With SYSTEM acce

Microsoft Windows Autopatch is Now Generally Available for Enterprise Systems

Jul 12, 2022
Microsoft on Monday announced the general availability of a feature called Autopatch that automatically keeps Windows and Office software up-to-date on enrolled endpoints. The launch, which comes a day before Microsoft is expected to release its monthly round of security patches, is available for customers with Windows Enterprise E3 and E5 licenses. It, however, doesn't support Windows Education (A3) or Windows Front Line Worker (F3) licenses. "Microsoft will continue to release updates on the second Tuesday of every month and now Autopatch helps streamline updating operations and create new opportunities for IT pros," Lior Bela said. Autopatch works by applying security updates first to devices in what's called the Test ring, which contains a minimum number of representative devices. After a validation period, the updates are pushed to the First (1% devices), Fast (9%), and Broad (90%) rings. The service was first teased by the tech giant in April 2022

Microsoft Temporarily Rolls Back Plan to Block Office VBA Macros by Default

Jul 08, 2022
Five months after announcing plans to disable Visual Basic for Applications (VBA) macros by default in the Office productivity suite, Microsoft appears to have rolled back its plans. "Based on feedback received, a rollback has started," Microsoft employee Angela Robertson said in a July 6 comment. "An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available." When reached by The Hacker News, Redmond said its decision to reverse course was temporary and that it's working to incorporate further usability improvements. "Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," a Microsoft spokesperson said. "This is a temporary change, and we are fully committed to making the default change for all users. Regardless of the default setting, customers can block internet macros th

Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

Jul 01, 2022
Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis. Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent. It's also different from other fleeceware threats in that the malicious functions are only carried out when a compromised device is connected to one of its target network operators. "It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available," Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in an exhaustive analysis. "Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription

New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild

Jul 01, 2022
A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022. Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after exploiting one of the ProxyLogon flaws within Exchange servers. Targets included 24 distinct NGOs, government, military, and industrial organizations spanning Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant to date. This is far from the first time the technique has been observed in real-world attacks. The use of a rogue IIS module as a means to distribute stealthy implants has its echoes in an Outlook credential stealer called Owowa that came to light in December 2021. "Dropping an IIS module a

Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers

Jul 01, 2022
A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign. "The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads over the last year." 8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks. In July 2019, the Alibaba Cloud Security Team uncovered an extra shift in the adversary's tactics, noting its use of rootkits to hide the mining program. Two years later, the gang resurfaced with Tsunami IRC botnet variants and a custom "

State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

Jun 24, 2022
A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed Bronze Starlight by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the researchers said in a new report. "In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently." Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant empha

BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers

Jun 16, 2022
Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks. Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and dropping the ransomware payload. The entire sequence of events played out over the course of two full weeks, the Microsoft 365 Defender Threat Intelligence Team said in a report published this week. "In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in," the researchers said, pointing out how "no two BlackCat 'lives' or deployments might look the same." BlackCat, also known by the names ALPHV and Noberus, is a relatively n