windows hacking | Breaking Cybersecurity News | The Hacker News

A new research has uncovered multiple vulnerabilities that could be exploited to bypass  Windows Hello authentication  on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices. A prerequisite for the fingerprint reader exploits is that the users of the targeted laptops have fingerprint authentication already set up. All the three fingerprint sensors are a type of sensor called "match on chip" ( MoC ), which integrates the matching and other biometric management functions directly into the sensor's integrated circuit. "While MoC prevents replaying stored fingerprint data to the host for matching, it does not, in itself, prevent a malicious sensor from spoofing a legitimate sensor's commu...

A new cyber attack campaign has been observed using spurious  MSIX  Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed  GHOSTPULSE . "MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs researcher Joe Desimone  said  in a technical report published last week. "However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources." Based on the installers used as lures, it's suspected that potential targets are  enticed  into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising. Launching the MSIX file opens a Windows prompting the users to click the Install button, doing so...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Microsoft last week announced that it's temporarily disabling the MSIX ms-appinstaller protocol handler in Windows following evidence that a security vulnerability in the installer component was exploited by threat actors to deliver malware such as Emotet, TrickBot, and Bazaloader. MSIX , based on a combination of .msi, .appx, App-V and ClickOnce installation technologies, is a universal Windows app package format that allows developers to distribute their applications for the desktop operating system and  other platforms . ms-appinstaller, specifically, is designed to help users  install a Windows app  by simply clicking a link on a website. But a spoofing vulnerability uncovered in Windows App Installer ( CVE-2021-43890 , CVSS score: 7.1) meant that it could be tricked into installing a rogue app that was never intended to be installed by the user via a malicious attachment used in phishing campaigns. Although Microsoft released initial patches to address this fla...

A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines. "[T]he stealer is a PowerShell script, short with powerful collection capabilities — in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment," SafeBreach Labs researcher Tomer Bar  said  in a report published Wednesday. Nearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at "Iranians who live abroad and might be seen as a threat to Iran's Islamic regime." The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution fl...

Cybersecurity researchers on Tuesday revealed details of a previously undocumented  UEFI  (Unified Extensible Firmware Interface) bootkit that has been put to use by threat actors to backdoor Windows systems as early as 2012 by modifying a legitimate Windows Boot Manager binary to achieve persistence, once again demonstrating how technology meant to secure the environment prior to loading the operating system is increasingly becoming a "tempting target." Slovak cybersecurity firm ESET codenamed the new malware "ESPecter" for its ability to persist on the EFI System Partition ( ESP ), in addition to circumventing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots. The intrusion route of the malware remains unknown as yet. "ESPecter shows that threat actors are relying not only on UEFI ...

Microsoft has warned organizations of a "unique" attack campaign that abuses contact forms published on websites to deliver malicious links to businesses via emails containing fake legal threats, in what's yet another instance of adversaries abusing legitimate infrastructure to mount evasive campaigns that bypass security protections. "The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware," the company's threat intelligence team  said  in a write-up published last Friday. IceID  is a Windows-based banking trojan that's used for reconnaissance and exfiltration of banking credentials, alongside features that allow it to connect to a remote command-and-control (C2) server to deploy additional payloads such as ransomware and malware capable of performing hands-on-keyboard attacks, stealing credentials, and moving laterally across affecte...

A novel technique adopted by attackers finds ways to use Microsoft's Background Intelligent Transfer Service (BITS) so as to deploy malicious payloads on Windows machines stealthily. In 2020, hospitals, retirement communities, and medical centers bore the brunt of an  ever-shifting phishing campaign  that distributed custom backdoors such as KEGTAP, which ultimately paved the way for RYUK ransomware attacks. But new  research  by FireEye's Mandiant cyber forensics arm has now revealed a previously unknown persistence mechanism that shows the adversaries made use of BITS to launch the backdoor. Introduced in Windows XP,  BITS  is a component of Microsoft Windows, which makes use of idle network bandwidth to facilitate the asynchronous transfer of files between machines. This is achieved by creating a job — a container that includes the files to download or upload. BITS is commonly used to deliver operating system updates to clients as well as by Window...

Microsoft earlier today released its August 2020 batch of software security updates for all supported versions of its Windows operating systems and other products. This month's Patch Tuesday updates address a total of 120 newly discovered software vulnerabilities, of which 17 are critical, and the rest are important in severity. In a nutshell, your Windows computer can be hacked if you: Play a video file — thanks to flaws in Microsoft Media Foundation and Windows Codecs Listen to audio — thanks to bugs affecting Windows Media Audio Codec Browser a website — thanks to 'all time buggy' Internet Explorer Edit an HTML page — thanks to an MSHTML Engine flaw Read a PDF — thanks to a loophole in Microsoft Edge PDF Reader Receive an email message — thanks to yet another bug in Microsoft Outlook But don't worry, you don't need to stop using your computer or without Windows OS on it. All you need to do is click on the Start Menu → open Settings → click Security...

Get your update caps on. Microsoft today released its monthly Patch Tuesday update for September 2019, patching a total of 79 security vulnerabilities in its software, of which 17 are rated critical, 61 as important, and one moderate in severity. Two of the security vulnerabilities patched by the tech giant this month are listed as "publicly known" at the time of release, one of which is an elevation of privilege vulnerability (CVE-2019-1235) in Windows Text Service Framework (TSF), more likely related to a 20-year-old flaw Google security researcher disclosed last month . Two other vulnerabilities patched this month are reported as being actively exploited in the wild by hackers, both are privilege elevation flaws—one resides in the Windows operating system and the other in Windows Common Log File System Driver. Besides these, Microsoft has released patches for four critical RCE vulnerabilities in Windows built-in Remote Desktop Client application that could enabl...

If you are using any supported version of the Windows operating system, stop everything and install the latest security updates from Microsoft immediately. Windows operating system contains four new critical wormable, remote code execution vulnerabilities in Remote Desktop Services, similar to the recently patched ' BlueKeep ' RDP vulnerability. Discovered by Microsoft's security team itself, all four vulnerabilities, CVE-2019-1181 , CVE-2019-1182 , CVE-2019-1222 , and CVE-2019-1226 , can be exploited by unauthenticated, remote attackers to take control of an affected computer system without requiring any user interaction. Just like BlueKeep RDP flaw , all four newly discovered vulnerabilities are also wormable and could be exploited by potential malware to propagate itself from one vulnerable computer to another automatically. "An attacker can get code execution at the system level by sending a specially crafted pre-authentication RDP packet to an affected RD...

Remember the Reverse RDP Attack ? Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsoft's Windows built-in RDP client that could allow a malicious RDP server to compromise a client computer, reversely. (You can find details and a video demonstration for this security vulnerability, along with dozens of critical flaws in other third-party RDP clients, in a previous article written by Swati Khandelwal for The Hacker News.) At the time when researchers responsibly reported this path-traversal issue to Microsoft, in October 2018, the company acknowledged the issue, also known as " Poisoned RDP vulnerability ," but decided not to address it. Now, it turns out that Microsoft silently patched this vulnerability  (CVE-2019-0887) just last month as part of its July Patch Tuesday updates after Eyal Itkin, security researcher at CheckPoint, found the same issue affecting Microsoft's Hyper-V technology as well. Microsoft...

Security researchers at Microsoft have released details of a new widespread campaign distributing an infamous piece of fileless malware that was primarily being found targeting European and Brazilian users earlier this year. Dubbed Astaroth , the malware trojan has been making the rounds since at least 2017 and designed to steal users' sensitive information like their credentials, keystrokes, and other data, without dropping any executable file on the disk or installing any software on the victim's machine. Initially discovered by researchers at Cybereason in February this year, Astaroath lived off the land by running the payload directly into the memory of a targeted computer or by leveraging legitimate system tools, such as WMIC, Certutil, Bitsadmin, and Regsvr32, to run the malicious code. While reviewing the Windows telemetry data, Andrea Lelli, a researcher at Microsoft Defender ATP Research Team, recently spotted a sudden unusual spike in the usage of Managemen...

Security researchers have discovered a new class of security vulnerabilities that impacts all major operating systems, including Microsoft Windows, Apple macOS, Linux, and FreeBSD, allowing attackers to bypass protection mechanisms introduced to defend against DMA attacks. Known for years, Direct memory access (DMA)-based attacks let an attacker compromise a targeted computer in a matter of seconds by plugging-in a malicious hot plug device—such as an external network card, mouse, keyboard, printer, storage, and graphics card—into Thunderbolt 3 port or the latest USB-C port . The DMA-based attacks are possible because Thunderbolt port allows connected peripherals to bypass operating system security policies and directly read/write system memory that contains sensitive information including your passwords, banking logins, private files, and browser activity. That means, simply plugging in an infected device, created using tools like Interception , can manipulate the contents o...

You've always been warned not to share remote access to your computer with any untrusted people for many reasons—it's basic cyber security advice, and common sense, right? But what if I say, you should not even trust anyone who invites or offers you full remote access to their computers? Security researchers at cybersecurity firm Check Point have discovered more than two dozen vulnerabilities in both open-source RDP clients and Microsoft's own proprietary client that could allow a malicious RDP server to compromise a client computer, reversely. RDP, or Remote Desktop Protocol, allows users to connect to remote computers. The protocol is usually used by technical users and IT administrators to remotely connect to other devices on the network. RDP was initially developed by Microsoft for its Windows operating system, but there are several open source clients for the RDP protocol that can be used on Linux as well as Unix systems. Check Point researchers recently ...

A zero-day vulnerability has been discovered and reported in the Microsoft's Windows operating system that, under a certain scenario, could allow a remote attacker to execute arbitrary code on Windows machine. Discovered by security researcher John Page (@hyp3rlinx), the vulnerability was reported to the Microsoft security team through Trend Micro's Zero Day Initiative (ZDI) Program over 6 months ago, which the tech giant has refused to patch, at least for now. The vulnerability, which has not been assigned any CVE number, actually resides within the processing of a vCard file—a standard file format for storing contact information for a person or business, which is also supported by Microsoft Outlook. According to the researcher, a remote attacker can maliciously craft a VCard file in a way that the contact's website URL stored within the file points to a local executable file, which can be sent within a zipped file via an email or delivered separately via drive-b...

Microsoft today issued an out-of-band security update to patch a critical zero-day vulnerability in Internet Explorer (IE) Web browser that attackers are already exploiting in the wild to hack into Windows computers. Discovered by security researcher Clement Lecigne of Google's Threat Analysis Group, the vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the IE browser's scripting engine. According to the advisory, an unspecified memory corruption vulnerability resides in the scripting engine JScript component of Microsoft Internet Explorer that handles execution of scripting languages. If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, ...

If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it. Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users. Independently discovered last week by several security firms—including ICEBRG ,  Qihoo 360  and Tencent—the Adobe Flash player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet. "The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers," Qihoo 360 published vulnerability analysis in a blog post. The stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on ...

While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird , being used by at least three different sophisticated malware that helped attackers evade detection. As its name suggests, Early Bird is a "simple yet powerful" technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products. The Early Bird code injection technique "loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected," the researchers said. The technique is similar to the AtomBombing code injection technique that does not rely on easy-to-detect API calls, allowing malware to inject code into processes in a manner that no a...

Can you get hacked just by clicking on a malicious link or opening a website? — YES . Microsoft has just released its April month's Patch Tuesday security updates, which addresses multiple critical vulnerabilities in its Windows operating systems and other products, five of which could allow an attacker to hack your computer by just tricking you visit a website. Microsoft has patched five critical vulnerabilities in Windows Graphics Component that reside due to improper handling of embedded fonts by the Windows font library and affects all versions of Windows operating systems to date, including Windows 10 / 8.1 / RT 8.1 / 7, Windows Server 2008 / 2012 / 2016. An attacker can exploit these issues by tricking an unsuspecting user to open a malicious file or a specially crafted website with the malicious font, which if open in a web browser, would hand over control of the affected system to the attacker. All these five vulnerabilities in Windows Microsoft Graphics were dis...