Microsoft | Breaking Cybersecurity News | The Hacker News

Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707 . Some of the other targets include a telecommunications entity and a university, both located in Southeast Asia. "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices," security researchers Andrew Pease and Seth Goodwin said in a technical analysis. The exact initial access vector used in the attacks is currently not clear, although it has been observed that Microsoft's certutil application is used to download additional payloads from a web server associated with the Foreign Ministry. The certutil commands used to ...

Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said has come under active exploitation in the wild. Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the 23 flaws Microsoft addressed in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The update is notable for fixing two actively exploited flaws - CVE-2025-21391 (CVSS score: 7.1) - Windows Storage Elevation of Privilege Vulnerability  CVE-2025-21418 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability "An attacker would only be able to delete targeted files on a system," Microsoft said in an alert for CVE-2025-21391. "This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete d...

Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed ASP.NET machine keys from publicly accessible resources, thereby putting their applications in attackers' pathway. The tech giant's threat intelligence team said it observed limited activity in December 2024 that involved an unknown threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. It also noted that it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks, which it's calling ViewState code injection attacks . "Whereas many previously known ViewState code injection attacks used compromised or stolen keys that are often sold on dark web forums, these publicly disclosed keys could pose a higher risk because they are available in multiple code repositories and could have been pushed into development code without modificat...

Microsoft has released patches to address two Critical-rated security flaws impacting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions. The flaws are listed below - CVE-2025-21396 (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability CVE-2025-21415 (CVSS score: 9.9) - Azure AI Face Service Elevation of Privilege Vulnerability "Authentication bypass by spoofing in Azure AI Face Service allows an authorized attacker to elevate privileges over a network," Microsoft in an advisory for CVE-2025-21415, crediting an anonymous researcher for reporting the flaw. CVE-2025-21396, on the other hand, stems from a case of missing authorization that could permit an unauthorized attacker to elevate privileges over a network. A security researcher who goes by the alias Sugobet has been acknowledged for discovering it. The tech giant also noted that it's aware of the existen...

Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user's credentials and stage follow-on attacks. This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf of the impersonated user, enabling unauthorized access to sensitive data, Zenity Labs said in a report shared with The Hacker News ahead of publication. "This vulnerability can be exploited across Power Automate, Power Apps, Copilot Studio, and Copilot 365, which significantly broadens the scope of potential damage," senior security researcher Dmitry Lozovoy said . "It increases the likelihood of a successful attack, allowing hackers to target multiple interconnected services within the Power Platform ecosystem." Following responsible disclosure in September 2024, ...

Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them to phishing pages that are capable of harvesting their credentials. "These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft's advertising platform," Jérôme Segura, senior director of research at Malwarebytes, said in a Thursday report. The findings came a few weeks after the cybersecurity company exposed a similar campaign that leveraged sponsored Google Ads to target individuals and businesses advertising via the search giant's advertising platform. The latest set of attacks targets users who search for terms like "Microsoft Ads" on Google Search, hoping to trick them into clicking on malicious links served in the form of sponsored ads in the search results pages. At the same time, the threat actors behind the campaign employ s...

SonicWall is alerting customers of a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has been likely exploited in the wild as a zero-day. The vulnerability, tracked as CVE-2025-23006 , is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. "Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands," the company said in an advisory. It's worth noting that CVE-2025-23006 does not affect its Firewall and SMA 100 series products. The flaw has been addressed in version 12.4.3-02854 (platform-hotfix). SonicWall also said that it has been notified of "possible active exploitation" by unspecified threat actors, necessitating that customers apply the fixes as soon as p...

The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection. "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia," the Microsoft Threat Intelligence team said in a report  shared with The Hacker News. Star Blizzard (formerly SEABORGIUM) is a Russia-linked threat activity cluster known for its credential harvesting campaigns. Active since at least 2012, it's also tracked under the monikers Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057. Previously observed attack ...

Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new report from ESET shared with The Hacker News. Successful exploitation of the flaw can lead to the execution of untrusted code during system boot, thereby enabling attackers to deploy malicious UEFI bootkits on machines that have Secure Boot on, irrespective of the operating system installed. Secure Boot is a firmware security standard that prevents malware from loading when a computer starts up by ensuring that the device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). The feature leverages digital signatures to validate the authenticity,...

Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that's designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration. "A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications," Silverfort researcher Dor Segal said in a report shared with The Hacker News. NTLM is a still widely used mechanism particularly in Windows environments to authenticate users across a network. The legacy protocol, while not removed due to backward compatibility requirements, has been deprecated as of mid 2024. Late last year, Microsoft officially removed NTLMv1 starting in Windows 11, version 24H2, and Windows Server 2025. While NTLMv2 introduces new mitigations to make it harder to perform relay attacks, the technology has been besieged by several security weaknesses that have been actively exploited by threat acto...

Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks. Of the 161 flaws, 11 are rated Critical and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass ( CVE-2024-7344 , CVSS score: 6.7), has not been assigned any severity. According to the Zero Day Initiative , the update marks the largest number of CVEs addressed in a single month since at least 2017. The fixes are in addition to seven vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of December 2024 Patch Tuesday updates. Prominent among the patches released by Microsoft is a trio of flaws in Windows Hyper-V NT Kernel Integration VSP ( CVE-2025-21333 , CVE-2025-21334 , and CVE-2025-21335 , CVSS scores: 7.8) that the company said has come under active exploitation in the wild. ...

Microsoft has shed light on a now-patched security flaw impacting Apple macOS that, if successfully exploited, could have allowed an attacker running as "root" to bypass the operating system's System Integrity Protection ( SIP ) and install malicious kernel drivers by loading third-party kernel extensions. The vulnerability in question is CVE-2024-44243 (CVSS score: 5.5), a medium-severity bug that was addressed by Apple as part of macOS Sequoia 15.2 released last month. The iPhone maker described it as a "configuration issue" that could permit a malicious app to modify protected parts of the file system. "Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits," Jonathan Bar Or of the Microsoft Threat Intelligen...

Microsoft has revealed that it's pursuing legal action against a "foreign-based threat–actor group" for operating a hacking-as-a-service infrastructure to intentionally get around the safety controls of its generative artificial intelligence (AI) services and produce offensive and harmful content. The tech giant's Digital Crimes Unit (DCU) said it has observed the threat actors "develop sophisticated software that exploited exposed customer credentials scraped from public websites," and "sought to identify and unlawfully access accounts with certain generative AI services and purposely alter the capabilities of those services." The adversaries then used these services, such as Azure OpenAI Service, and monetized the access by selling them to other malicious actors, providing them with detailed instructions as to how to use these custom tools to generate harmful content. Microsoft said it discovered the activity in July 2024. The Windows maker...