The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: windows hacking

Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012

Researchers Discover UEFI Bootkit Targeting Windows Computers Since 2012
October 05, 2021Ravie Lakshmanan
Cybersecurity researchers on Tuesday revealed details of a previously undocumented  UEFI  (Unified Extensible Firmware Interface) bootkit that has been put to use by threat actors to backdoor Windows systems as early as 2012 by modifying a legitimate Windows Boot Manager binary to achieve persistence, once again demonstrating how technology meant to secure the environment prior to loading the operating system is increasingly becoming a "tempting target." Slovak cybersecurity firm ESET codenamed the new malware "ESPecter" for its ability to persist on the EFI System Partition ( ESP ), in addition to circumventing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots. The intrusion route of the malware remains unknown as yet. "ESPecter shows that threat actors are relying not only on UEFI

Hackers Using Website's Contact Forms to Deliver IcedID Malware

Hackers Using Website's Contact Forms to Deliver IcedID Malware
April 13, 2021Ravie Lakshmanan
Microsoft has warned organizations of a "unique" attack campaign that abuses contact forms published on websites to deliver malicious links to businesses via emails containing fake legal threats, in what's yet another instance of adversaries abusing legitimate infrastructure to mount evasive campaigns that bypass security protections. "The emails instruct recipients to click a link to review supposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware," the company's threat intelligence team  said  in a write-up published last Friday. IceID  is a Windows-based banking trojan that's used for reconnaissance and exfiltration of banking credentials, alongside features that allow it to connect to a remote command-and-control (C2) server to deploy additional payloads such as ransomware and malware capable of performing hands-on-keyboard attacks, stealing credentials, and moving laterally across affecte

Hackers Using a Windows OS Feature to Evade Firewall and Gain Persistence

Hackers Using a Windows OS Feature to Evade Firewall and Gain Persistence
April 01, 2021Ravie Lakshmanan
A novel technique adopted by attackers finds ways to use Microsoft's Background Intelligent Transfer Service (BITS) so as to deploy malicious payloads on Windows machines stealthily. In 2020, hospitals, retirement communities, and medical centers bore the brunt of an  ever-shifting phishing campaign  that distributed custom backdoors such as KEGTAP, which ultimately paved the way for RYUK ransomware attacks. But new  research  by FireEye's Mandiant cyber forensics arm has now revealed a previously unknown persistence mechanism that shows the adversaries made use of BITS to launch the backdoor. Introduced in Windows XP,  BITS  is a component of Microsoft Windows, which makes use of idle network bandwidth to facilitate the asynchronous transfer of files between machines. This is achieved by creating a job — a container that includes the files to download or upload. BITS is commonly used to deliver operating system updates to clients as well as by Windows Defender antivirus

Microsoft Reveals New Innocent Ways Windows Users Can Get Hacked

Microsoft Reveals New Innocent Ways Windows Users Can Get Hacked
August 12, 2020Mohit Kumar
Microsoft earlier today released its August 2020 batch of software security updates for all supported versions of its Windows operating systems and other products. This month's Patch Tuesday updates address a total of 120 newly discovered software vulnerabilities, of which 17 are critical, and the rest are important in severity. In a nutshell, your Windows computer can be hacked if you: Play a video file — thanks to flaws in Microsoft Media Foundation and Windows Codecs Listen to audio — thanks to bugs affecting Windows Media Audio Codec Browser a website — thanks to 'all time buggy' Internet Explorer Edit an HTML page — thanks to an MSHTML Engine flaw Read a PDF — thanks to a loophole in Microsoft Edge PDF Reader Receive an email message — thanks to yet another bug in Microsoft Outlook But don't worry, you don't need to stop using your computer or without Windows OS on it. All you need to do is click on the Start Menu → open Settings → click Security

Latest Microsoft Updates Patch 4 Critical Flaws In Windows RDP Client

Latest Microsoft Updates Patch 4 Critical Flaws In Windows RDP Client
September 10, 2019Mohit Kumar
Get your update caps on. Microsoft today released its monthly Patch Tuesday update for September 2019, patching a total of 79 security vulnerabilities in its software, of which 17 are rated critical, 61 as important, and one moderate in severity. Two of the security vulnerabilities patched by the tech giant this month are listed as "publicly known" at the time of release, one of which is an elevation of privilege vulnerability (CVE-2019-1235) in Windows Text Service Framework (TSF), more likely related to a 20-year-old flaw Google security researcher disclosed last month . Two other vulnerabilities patched this month are reported as being actively exploited in the wild by hackers, both are privilege elevation flaws—one resides in the Windows operating system and the other in Windows Common Log File System Driver. Besides these, Microsoft has released patches for four critical RCE vulnerabilities in Windows built-in Remote Desktop Client application that could enabl

4 New BlueKeep-like 'Wormable' Windows Remote Desktop Flaws Discovered

4 New BlueKeep-like 'Wormable' Windows Remote Desktop Flaws Discovered
August 13, 2019Swati Khandelwal
If you are using any supported version of the Windows operating system, stop everything and install the latest security updates from Microsoft immediately. Windows operating system contains four new critical wormable, remote code execution vulnerabilities in Remote Desktop Services, similar to the recently patched ' BlueKeep ' RDP vulnerability. Discovered by Microsoft's security team itself, all four vulnerabilities, CVE-2019-1181 , CVE-2019-1182 , CVE-2019-1222 , and CVE-2019-1226 , can be exploited by unauthenticated, remote attackers to take control of an affected computer system without requiring any user interaction. Just like BlueKeep RDP flaw , all four newly discovered vulnerabilities are also wormable and could be exploited by potential malware to propagate itself from one vulnerable computer to another automatically. "An attacker can get code execution at the system level by sending a specially crafted pre-authentication RDP packet to an affected RD

Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V

Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V
August 07, 2019Mohit Kumar
Remember the Reverse RDP Attack ? Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsoft's Windows built-in RDP client that could allow a malicious RDP server to compromise a client computer, reversely. (You can find details and a video demonstration for this security vulnerability, along with dozens of critical flaws in other third-party RDP clients, in a previous article written by Swati Khandelwal for The Hacker News.) At the time when researchers responsibly reported this path-traversal issue to Microsoft, in October 2018, the company acknowledged the issue, also known as " Poisoned RDP vulnerability ," but decided not to address it. Now, it turns out that Microsoft silently patched this vulnerability  (CVE-2019-0887) just last month as part of its July Patch Tuesday updates after Eyal Itkin, security researcher at CheckPoint, found the same issue affecting Microsoft's Hyper-V technology as well. Microsoft

Watch Out! Microsoft Spotted Spike in Astaroth Fileless Malware Attacks

Watch Out! Microsoft Spotted Spike in Astaroth Fileless Malware Attacks
July 09, 2019Swati Khandelwal
Security researchers at Microsoft have released details of a new widespread campaign distributing an infamous piece of fileless malware that was primarily being found targeting European and Brazilian users earlier this year. Dubbed Astaroth , the malware trojan has been making the rounds since at least 2017 and designed to steal users' sensitive information like their credentials, keystrokes, and other data, without dropping any executable file on the disk or installing any software on the victim's machine. Initially discovered by researchers at Cybereason in February this year, Astaroath lived off the land by running the payload directly into the memory of a targeted computer or by leveraging legitimate system tools, such as WMIC, Certutil, Bitsadmin, and Regsvr32, to run the malicious code. While reviewing the Windows telemetry data, Andrea Lelli, a researcher at Microsoft Defender ATP Research Team, recently spotted a sudden unusual spike in the usage of Managemen

New Flaws Re-Enable DMA Attacks On Wide Range of Modern Computers

New Flaws Re-Enable DMA Attacks On Wide Range of Modern Computers
February 27, 2019Mohit Kumar
Security researchers have discovered a new class of security vulnerabilities that impacts all major operating systems, including Microsoft Windows, Apple macOS, Linux, and FreeBSD, allowing attackers to bypass protection mechanisms introduced to defend against DMA attacks. Known for years, Direct memory access (DMA)-based attacks let an attacker compromise a targeted computer in a matter of seconds by plugging-in a malicious hot plug device—such as an external network card, mouse, keyboard, printer, storage, and graphics card—into Thunderbolt 3 port or the latest USB-C port . The DMA-based attacks are possible because Thunderbolt port allows connected peripherals to bypass operating system security policies and directly read/write system memory that contains sensitive information including your passwords, banking logins, private files, and browser activity. That means, simply plugging in an infected device, created using tools like Interception , can manipulate the contents o

Flaws in Popular RDP Clients Allow Malicious Servers to Reverse Hack PCs

Flaws in Popular RDP Clients Allow Malicious Servers to Reverse Hack PCs
February 05, 2019Swati Khandelwal
You've always been warned not to share remote access to your computer with any untrusted people for many reasons—it's basic cyber security advice, and common sense, right? But what if I say, you should not even trust anyone who invites or offers you full remote access to their computers? Security researchers at cybersecurity firm Check Point have discovered more than two dozen vulnerabilities in both open-source RDP clients and Microsoft's own proprietary client that could allow a malicious RDP server to compromise a client computer, reversely. RDP, or Remote Desktop Protocol, allows users to connect to remote computers. The protocol is usually used by technical users and IT administrators to remotely connect to other devices on the network. RDP was initially developed by Microsoft for its Windows operating system, but there are several open source clients for the RDP protocol that can be used on Linux as well as Unix systems. Check Point researchers recently

Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs

Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs
January 15, 2019Wang Wei
A zero-day vulnerability has been discovered and reported in the Microsoft's Windows operating system that, under a certain scenario, could allow a remote attacker to execute arbitrary code on Windows machine. Discovered by security researcher John Page (@hyp3rlinx), the vulnerability was reported to the Microsoft security team through Trend Micro's Zero Day Initiative (ZDI) Program over 6 months ago, which the tech giant has refused to patch, at least for now. The vulnerability, which has not been assigned any CVE number, actually resides within the processing of a vCard file—a standard file format for storing contact information for a person or business, which is also supported by Microsoft Outlook. According to the researcher, a remote attacker can maliciously craft a VCard file in a way that the contact's website URL stored within the file points to a local executable file, which can be sent within a zipped file via an email or delivered separately via drive-b

Microsoft Issues Emergency Patch For Under-Attack IE Zero Day

Microsoft Issues Emergency Patch For Under-Attack IE Zero Day
December 19, 2018Swati Khandelwal
Microsoft today issued an out-of-band security update to patch a critical zero-day vulnerability in Internet Explorer (IE) Web browser that attackers are already exploiting in the wild to hack into Windows computers. Discovered by security researcher Clement Lecigne of Google's Threat Analysis Group, the vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the IE browser's scripting engine. According to the advisory, an unspecified memory corruption vulnerability resides in the scripting engine JScript component of Microsoft Internet Explorer that handles execution of scripting languages. If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change,

Adobe Issues Patch for Actively Exploited Flash Player Zero-Day Exploit

Adobe Issues Patch for Actively Exploited Flash Player Zero-Day Exploit
June 07, 2018Mohit Kumar
If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it. Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users. Independently discovered last week by several security firms—including ICEBRG ,  Qihoo 360  and Tencent—the Adobe Flash player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet. "The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers," Qihoo 360 published vulnerability analysis in a blog post. The stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on

Hackers Found Using A New Code Injection Technique to Evade Detection

Hackers Found Using A New Code Injection Technique to Evade Detection
April 13, 2018Mohit Kumar
While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird , being used by at least three different sophisticated malware that helped attackers evade detection. As its name suggests, Early Bird is a "simple yet powerful" technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products. The Early Bird code injection technique "loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected," the researchers said. The technique is similar to the AtomBombing code injection technique that does not rely on easy-to-detect API calls, allowing malware to inject code into processes in a manner that no a

Warning: Your Windows PC Can Get Hacked by Just Visiting a Site

Warning: Your Windows PC Can Get Hacked by Just Visiting a Site
April 10, 2018Mohit Kumar
Can you get hacked just by clicking on a malicious link or opening a website? — YES . Microsoft has just released its April month's Patch Tuesday security updates, which addresses multiple critical vulnerabilities in its Windows operating systems and other products, five of which could allow an attacker to hack your computer by just tricking you visit a website. Microsoft has patched five critical vulnerabilities in Windows Graphics Component that reside due to improper handling of embedded fonts by the Windows font library and affects all versions of Windows operating systems to date, including Windows 10 / 8.1 / RT 8.1 / 7, Windows Server 2008 / 2012 / 2016. An attacker can exploit these issues by tricking an unsuspecting user to open a malicious file or a specially crafted website with the malicious font, which if open in a web browser, would hand over control of the affected system to the attacker. All these five vulnerabilities in Windows Microsoft Graphics were dis

Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files

Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files
March 20, 2018Swati Khandelwal
You have always been warned not to share remote access to your computer with untrusted people for any reason—it's a basic cybersecurity advice, and common sense, right? But what if, I say you should not even trust anyone who invites or offer you full remote access to their computers. A critical vulnerability has been discovered in Microsoft's Windows Remote Assistanc e (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files on the targeted machine. Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world. The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need. However, Nabeel Ahmed of Trend Micro Zero Day Initiative discovered and reported an information di

MS Office Built-in Feature Allows Malware Execution Without Macros Enabled

MS Office Built-in Feature Allows Malware Execution Without Macros Enabled
October 12, 2017Swati Khandelwal
Since new forms of cybercrime are on the rise, traditional techniques seem to be shifting towards more clandestine that involve the exploitation of standard system tools and protocols, which are not always monitored. Security researchers at Cisco's Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring Macros enabled or memory corruption. This Macro-less code execution in MSWord technique, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, which leverages a built-in feature of MS Office, called Dynamic Data Exchange (DDE), to perform code execution. Dynamic Data Exchange (DDE) protocol is one of the several methods that Microsoft allows two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exc

CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware

CowerSnail — Windows Backdoor from the Creators of SambaCry Linux Malware
July 27, 2017Mohit Kumar
Last month, we reported about a group of hackers exploiting SambaCry —a 7-year-old critical remote code execution vulnerability in Samba networking software—to hack Linux computers and install malware to mine cryptocurrencies. The same group of hackers is now targeting Windows machines with a new backdoor, which is a QT-based re-compiled version of the same malware used to target Linux. Dubbed CowerSnail , detected by security researchers at Kaspersky Labs as Backdoor.Win32.CowerSnail, is a fully-featured windows backdoor that allows its creators to remotely execute any commands on the infected systems. Wondering how these two separate campaigns are connected? Interestingly, the CowerSnail backdoor uses the same command and control (C&C) server as the malware that was used to infect Linux machines to mine cryptocurrency last month by exploiting the then-recently exposed SambaCry vulnerability. Common C&C Server Location — cl.ezreal.space:20480 SambaCry vulnerabi

Critical Flaws Found in Windows NTLM Security Protocol – Patch Now

Critical Flaws Found in Windows NTLM Security Protocol – Patch Now
July 12, 2017Swati Khandelwal
As part of this month's Patch Tuesday , Microsoft has released security patches for a serious privilege escalation vulnerability which affect all versions of its Windows operating system for enterprises released since 2007. Researchers at behavioral firewall specialist Preempt discovered two zero-day vulnerabilities in Windows NTLM security protocols, both of which allow attackers to create a new domain administrator account and get control of the entire domain. NT LAN Manager (NTLM) is an old authentication protocol used on networks that include systems running the Windows operating system and stand-alone systems. Although NTLM was replaced by Kerberos in Windows 2000 that adds greater security to systems on a network, NTLM is still supported by Microsoft and continues to be used widely. The first vulnerability involves unprotected Lightweight Directory Access Protocol (LDAP) from NTLM relay, and the second impact Remote Desktop Protocol (RDP) Restricted-Admin mode. L
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.