#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

Windows | Breaking Cybersecurity News | The Hacker News

Category — Windows
Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

Jun 08, 2022
An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as  DogWalk  — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a specially crafted ".diagcab" archive file that contains a diagnostics configuration file. The idea is that the payload would get executed the next time the victim logs in to the system after a restart. The vulnerability affects all Windows versions, starting from Windows 7 and Server Server 2008 to the latest releases. DogWalk was originally  disclosed  by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue. "There are a number of file types that can execute code in such a way but aren't techni...
Researchers Warn of 'Raspberry Robin' Malware Spreading via External Drives

Researchers Warn of 'Raspberry Robin' Malware Spreading via External Drives

May 06, 2022
Cybersecurity researchers have discovered a new Windows malware with worm-like capabilities and is propagated by means of removable USB devices. Attributing the malware to a cluster named " Raspberry Robin ," Red Canary researchers  noted  that the worm "leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL." The earliest signs of the activity are said to date back to September 2021, with infections observed in organizations with ties to technology and manufacturing sectors. Attack chains pertaining to Raspberry Robin start with connecting an infected USB drive to a Windows machine. Present within the device is the worm payload, which appears as a .LNK shortcut file to a legitimate folder. The worm then takes care of spawning a new process using cmd.exe to read and execute a malicious file stored on the external drive. This is followed by launching explorer.exe and msiexec.exe, the latter of which is used for extern...
Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Jan 20, 2025Data Security / Data Monitoring
Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting stricter and more elaborate.  The problem is that while the data landscape has evolved rapidly, the usual strategies for securing that data are stuck in the past. Gone are the days when data lived in predictable places, with access controlled by a chosen few. Today, practically every department in the business needs to use customer data, and AI adoption means huge datasets, and a constant flux of permissions, use cases, and tools. Security teams are struggling to implement effective strategies for securing sensitive data, and a new crop of tools, called data security platforms, have appear...
New Backdoor Targets French Entities via Open-Source Package Installer

New Backdoor Targets French Entities via Open-Source Package Installer

Mar 21, 2022
Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called  Serpent  on compromised systems. Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. The ultimate objective of the campaign remains presently unknown. "The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads," Proofpoint researchers  said  in a report shared with The Hacker News. The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union's General Data Pro...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
New SysJoker Espionage Malware Targeting Windows, macOS, and Linux Users

New SysJoker Espionage Malware Targeting Windows, macOS, and Linux Users

Jan 12, 2022
A new  cross-platform backdoor  called " SysJoker " has been observed targeting machines running Windows, Linux, and macOS operating systems as part of an ongoing espionage campaign that's believed to have been initiated during the second half of 2021. "SysJoker masquerades as a system update and generates its [command-and-control server] by decoding a string retrieved from a text file hosted on Google Drive," Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein  noted  in a technical write-up publicizing their findings. "Based on victimology and malware's behavior, we assess that SysJoker is after specific targets." The Israeli cybersecurity company, attributing the work to an advanced threat actor, said it first discovered evidence of the implant in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution. A C++-based malware, SysJoker is delivered via a dr...
Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware

Microsoft Issues Windows Update to Patch 0-Day Used to Spread Emotet Malware

Dec 15, 2021
Microsoft has rolled out  Patch Tuesday updates  to address multiple security vulnerabilities in Windows and other software, including one actively exploited flaw that's being abused to deliver Emotet, TrickBot, or Bazaloader malware payloads. The latest monthly release for December fixes a total of 67 flaws, bringing the total number of bugs patched by the company this year to 887, according to the  Zero Day Initiative . Seven of the 67 flaws are rated Critical and 60 are rated as Important in severity, with five of the issues publicly known at the time of release. It's worth noting that this is in addition to the  21 flaws  resolved in the Chromium-based Microsoft Edge browser. The most critical of the lot is  CVE-2021-43890  (CVSS score: 7.1), a Windows AppX installer spoofing vulnerability that Microsoft said could be exploited to achieve arbitrary code execution. The lower severity rating is indicative of the fact that code execution hinges on ...
New Wslink Malware Loader Runs as a Server and Executes Modules in Memory

New Wslink Malware Loader Runs as a Server and Executes Modules in Memory

Oct 28, 2021
Cybersecurity researchers on Wednesday took the wraps off a "simple yet remarkable" malware loader for malicious Windows binaries targeting Central Europe, North America and the Middle East. Codenamed " Wslink " by ESET, this previously undocumented malware stands apart from the rest in that it runs as a server and executes received modules in memory. There are no specifics available on the initial compromise vector and there are no code or operational overlaps that tie this tool to a known threat actor group. The Slovak cybersecurity firm noted that it has seen only a handful of detections in the past two years, suggesting that it could be used in highly-targeted cyber infiltrations. Wslink is designed to run as a service and can accept encrypted portal executable (PE) files from a specific IP address, which is then decrypted and loaded into memory prior to the execution. To achieve this, the client (i.e., the victim) and the server perform a handshake that in...
Update Your Windows PCs Immediately to Patch New 0-Day Under Active Attack

Update Your Windows PCs Immediately to Patch New 0-Day Under Active Attack

Oct 13, 2021
Microsoft on Tuesday rolled out  security patches  to contain a total of 71 vulnerabilities in Microsoft Windows and other software, including a fix for an actively exploited privilege escalation vulnerability that could be exploited in conjunction with remote code execution bugs to take control over vulnerable systems. Two of the addressed security flaws are rated Critical, 68 are rated Important, and one is rated Low in severity, with three of the issues listed as publicly known at the time of the release. The four zero-days are as follows — CVE-2021-40449  (CVSS score: 7.8) - Win32k Elevation of Privilege Vulnerability CVE-2021-41335  (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability CVE-2021-40469  (CVSS score: 7.2) - Windows DNS Server Remote Code Execution Vulnerability CVE-2021-41338  (CVSS score: 5.5) - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability At the top of the list is CVE-2021-40449, a...
New Malware Targets Windows Subsystem for Linux to Evade Detection

New Malware Targets Windows Subsystem for Linux to Evade Detection

Sep 17, 2021
A number of malicious samples have been created for the Windows Subsystem for Linux (WSL) with the goal of compromising Windows machines, highlighting a sneaky method that allows the operators to stay under the radar and thwart detection by popular anti-malware engines. The "distinct tradecraft" marks the first instance where a threat actor has been found abusing WSL to install subsequent payloads. "These files acted as loaders running a payload that was either embedded within the sample or retrieved from a remote server and was then injected into a running process using Windows API calls," researchers from Lumen Black Lotus Labs  said  in a report published on Thursday. Windows Subsystem for Linux, launched in August 2016, is a  compatibility layer  that's designed to run Linux binary executables (in ELF format) natively on the Windows platform without the overhead of a traditional virtual machine or dual-boot setup. The earliest artifacts date back to M...
Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks

Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks

Sep 16, 2021
Microsoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems. "These attacks used the vulnerability, tracked as  CVE-2021-40444 , as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders," Microsoft Threat Intelligence Center  said  in a technical write-up. "These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware." Details about CVE-2021-40444 (CVSS score: 8.8) first  emerged  on September 7 after researchers from EXPMON alerted the Windows maker about a "highly sophisticated zero-day attack" aimed at Microsoft Office users by taking advantage of a remote code execution vulnerability in MSHTML (aka Trident), a proprietary browser engine for the now...
Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide

Sep 13, 2021
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of  Cobalt Strike Beacon  that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool — codenamed "Vermilion Strike" — marks one of the  rare Linux ports , which has been traditionally a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a " threat emulation software ," with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions. "The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands and writing to files," Intezer researchers said in a report publishe...
New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

Sep 08, 2021
Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents. "Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company  said . "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users who...
Latest Microsoft Windows Updates Patch Dozens of Security Flaws

Latest Microsoft Windows Updates Patch Dozens of Security Flaws

May 12, 2021
Microsoft on Tuesday rolled out its scheduled  monthly security update  with patches for 55 security flaws affecting Windows, Exchange Server, Internet Explorer, Office, Hyper-V, Visual Studio, and Skype for Business. Of these 55 bugs, four are rated as Critical, 50 are rated as Important, and one is listed as Moderate in severity. Three of the vulnerabilities are publicly known, although, unlike  last month , none of them are under active exploitation at the time of release. The most critical of the flaws addressed is  CVE-2021-31166 , a wormable remote code execution vulnerability in the HTTP protocol stack. The issue, which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server, is rated 9.8 out of a maximum of 10 on the CVSS scale. Another vulnerability of note is a remote code execution flaw in Hyper-V ( CVE-2021-28476 ), which also scores the highest severity among all flaws patched this month with a CVSS rating of...
Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials

Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials

Feb 19, 2021
A credential stealer infamous for targeting Windows systems has resurfaced in a new phishing campaign that aims to steal credentials from Microsoft Outlook, Google Chrome, and instant messenger apps. Primarily directed against users in Turkey, Latvia, and Italy starting mid-January, the attacks involve the use of  MassLogger  — a .NET-based malware with capabilities to hinder static analysis — building on similar campaigns undertaken by the same actor against users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October, and November 2020. MassLogger was first spotted in the wild last April, but the presence of a new variant implies malware authors are constantly retooling their arsenal to evade detection and monetize them. "Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain," researchers with Cisco Talos  said ...
Experts Detail A Recent Remotely Exploitable Windows Vulnerability

Experts Detail A Recent Remotely Exploitable Windows Vulnerability

Jan 23, 2021
More details have emerged about a security feature bypass vulnerability in Windows NT LAN Manager ( NTLM ) that was addressed by Microsoft as part of its monthly  Patch Tuesday updates  earlier this month. The flaw, tracked as  CVE-2021-1678  (CVSS score 4.3), was described as a "remotely exploitable" bug found in a vulnerable component bound to the network stack, although exact details of the issue remained unknown. Now according to researchers from Crowdstrike, the security bug, if left unpatched, could allow a bad actor to achieve remote code execution via an NTLM relay. "This vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine, and use a printer spooler  MSRPC  interface to remotely execute code on the attacked machine," the researchers  said  in a Friday advisory. NTLM relay attacks are a kind of man-in-the-middle (MitM) attacks that typically permit attackers with access to a network to interce...
Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

Warning: Cross-Platform ElectroRAT Malware Targeting Cryptocurrency Users

Jan 05, 2021
Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems. Called ElectroRAT by Intezer, the RAT is written from ground-up in Golang and designed to target multiple operating systems such as Windows, Linux, and macOS.  The apps are developed using the open-source Electron cross-platform desktop app framework. "ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines," the researchers said . "It is common to see various information stealers trying to collect private keys to access victims wallets. However, it is rare to see tools written from scratch and targeting multiple operating systems for these purposes." The campaign, first detected in December, is believed to have claimed over 6,500 victims based on th...
Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

Sep 27, 2018
Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe. Dubbed LoJax , the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear , Strontium , and Sofacy , to target several government organizations in the Balkans as well as in Central and Eastern Europe. Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election . UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a...
Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers

Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers

May 03, 2018
Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers. Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers using a low-level container management API in Hyper-V. Discovered by Swiss developer and security researcher Michael Hanselmann , the critical vulnerability (tracked as CVE-2018-8115) is the result of the failure of the hcsshim library to properly validate input when importing a Docker container image. This, in turn, allows an attacker to remotely execute arbitrary code on the Windows host operating system, eventually letting the attacker create, remove, and replace files on the target host. As Hanselmann explained  in his personal blog, "Importing a Docker container image or...
Android Beats Windows to Become World's Most Popular Operating System

Android Beats Windows to Become World's Most Popular Operating System

Apr 03, 2017
It's an impressive milestone for Google — For the first time in decades, Android has been crowned as the world's most popular operating system in terms of Internet usage, knocking Microsoft Windows off the top spot. According to a new report from web traffic analytics firm StatCounter, Google's Android is the most popular operating system worldwide in terms of total internet usage across desktop, laptop, tablet, and mobile combined. Looking at overall internet usage, Android represented 37.93 percent of the global OS Internet usage market share in March, while Windows accounted for 37.91 percent. Although Windows is still not far behind, Android taking the lead is being described by StatCounter CEO Aodhan Cullen as a "milestone in technology history." This achievement is due to the fact that mobile devices are used to connect to the Internet far more frequently than desktops and laptops, and people are spending more time on smartphones surfing the Inter...
Microsoft Unveils Windows 10 — The Next Version Of Windows Operating system

Microsoft Unveils Windows 10 — The Next Version Of Windows Operating system

Oct 01, 2014
While the whole world was waiting for the next generation of Windows operating system , i.e. Windows 9, but skipping right over 9, Microsoft has announced the next version of its Windows is Windows 10 , disclosing its first details on Tuesday at an event in San Francisco. The latest version of Microsoft's flagship operating system, which will be available for everyone next year, brings back the popular Start Menu, which had been removed from Windows 8. Windows 10 will be Microsoft's single platform for developing apps across all devices, from Smartphones and tablets to desktop PCs. However, Windows 10 will not be a one-size-fits-all operating system and instead will vary a bit from device to device. " Windows 10 will run on the broadest amount of devices. A tailored experience for each device ," Microsoft's executive VP of operating systems, Terry Myerson said at a press event here Tuesday. " There will be one way to write a universal application, one ...
Expert Insights / Articles Videos
Cybersecurity Resources