#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

windows security | Breaking Cybersecurity News | The Hacker News

Category — windows security
OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf

OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf

Oct 13, 2024
The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region. "The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities like CVE-2024-30088 for privilege escalation," Trend Micro researchers Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai said in an analysis published on Friday. The cybersecurity company is tracking the threat actor under the moniker Earth Simnavaz , which is also referred to as APT34, Crambus, Cobalt Gypsy, GreenBug, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten. The attack chains entail the deployment of a previously undocumented implant that comes with capabilities to exfiltrate credentials through on-premises Microsoft Exchange servers, a tried-and-tested tact
Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

Oct 09, 2024 Vulnerability / Zero-Day
Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild. Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month. Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day - CVE-2024-43572 (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected) CVE-2024-43573 (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected) CVE-2024-43583 (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability CVE-2024-20659 (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability CVE
How to Get Going with CTEM When You Don't Know Where to Start

Want To Excel in Cybersecurity Risk Management?

Georgetown UniversityWebinar / Risk Management
Manage cybersecurity risk with a Georgetown master's degree. Learn more in our Oct. 23 webinar.
Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Sep 11, 2024 Windows Security / Vulnerability
Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024. The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release. The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited - CVE-2024-38014 (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability CVE-2024-38217 (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2024-38226 (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability CVE-2024-43491 (CVSS score: 9.8) - Microsoft Windows Updat
cyber security

Master the Art of AI-powered Cybersecurity

websiteNVIDIAArtificial Intelligence / Cybersecurity
Learn to build and manage advanced AI workflows that safeguard data against emerging threats, enhancing your ability to detect and respond to potential security breaches with this free course.
Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution

Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution

Sep 06, 2024 Cybersecurity / Vulnerability
A new security flaw has been addressed in the Apache OFBiz open-source enterprise resource planning (ERP) system that, if successfully exploited, could lead to unauthenticated remote code execution on Linux and Windows. The high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5), affects all versions of the software before 18.12.16. "An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server," Rapid7 security researcher Ryan Emmons said in a new report. It's worth noting that CVE-2024-45195 is a bypass for a sequence of issues , CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were addressed by the project maintainers over the past few months. Both CVE-2024-32113 and CVE-2024-38856 have since come under active exploitation in the wild, with the former leveraged to deploy the Mirai botnet malware. Rapid7 said all three older shortcomings stem from the &q
North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

Aug 31, 2024 Rootkit / Threat Intelligence
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which has made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months. Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736 . It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra). It's worth mentioning that the use of the AppleJeus malware has also been previously attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharin
Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

Aug 26, 2024 Software Security / Vulnerability
Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be potentially exploited by unauthenticated attackers to achieve remote code execution under certain circumstances. Both the vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally said. A brief description of the shortcomings is as follows - CVE-2024-24809 (CVSS score: 8.5) - Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type CVE-2024-31214 (CVSS score: 9.7) - Unrestricted file upload vulnerability in device image upload could lead to remote code execution "The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system," Sunkavally said . "However an attacker only has partial control over the filename.
PEAKLIGHT Downloader Deployed in Attacks Targeting Windows with Malicious Movie Downloads

PEAKLIGHT Downloader Deployed in Attacks Targeting Windows with Malicious Movie Downloads

Aug 23, 2024 Malware / Threat Intelligence
Cybersecurity researchers have uncovered a never-before-seen dropper that serves as a conduit to launch next-stage malware with the ultimate goal of infecting Windows systems with information stealers and loaders. "This memory-only dropper decrypts and executes a PowerShell-based downloader," Google-owned Mandiant said . "This PowerShell-based downloader is being tracked as PEAKLIGHT." Some of the malware strains distributed using this technique are Lumma Stealer , Hijack Loader (aka DOILoader, IDAT Loader, or SHADOWLADDER), and CryptBot , all of which are advertised under the malware-as-a-service (SaaS) model. The starting point of the attack chain is a Windows shortcut (LNK) file that's downloaded via drive-by download techniques -- e.g., when users look up a movie on search engines. It's worth pointing out that the LNK files are distributed within ZIP archives that are disguised as pirated movies. The LNK file connects to a content delivery network
Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group

Microsoft Patches Zero-Day Flaw Exploited by North Korea's Lazarus Group

Aug 19, 2024 Vulnerability / Zero-Day
A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group , a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update. Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner. "This flaw allowed them to gain unauthorized access to sensitive system areas," the company disclosed last week, adding it discovered the exploitation in early J
RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks

RansomHub Group Deploys New EDR-Killing Tool in Latest Cyber Attacks

Aug 15, 2024 Ransomware / Cybercrime
A cybercrime group with links to the RansomHub ransomware has been observed using a new tool designed to terminate endpoint detection and response (EDR) software on compromised hosts, joining the likes of other similar programs like AuKill (aka AvNeutralizer) and Terminator . The EDR-killing utility has been dubbed EDRKillShifter by cybersecurity company Sophos, which discovered the tool in connection with a failed ransomware attack in May 2024. "The EDRKillShifter tool is a 'loader' executable – a delivery mechanism for a legitimate driver that is vulnerable to abuse (also known as a 'bring your own vulnerable driver,' or BYOVD , tool)," security researcher Andreas Klopsch said . "Depending on the threat actor's requirements, it can deliver a variety of different driver payloads." RansomHub , a suspected rebrand of the Knight ransomware, surfaced in February 2024, leveraging known security flaws to obtain initial access and drop legitimate rem
Researchers Uncover 10 Flaws in Google's File Transfer Tool Quick Share

Researchers Uncover 10 Flaws in Google's File Transfer Tool Quick Share

Aug 10, 2024 Vulnerability / Mobile Security
As many as 10 security flaws have been uncovered in Google's Quick Share data transfer utility for Android and Windows that could be assembled to trigger remote code execution (RCE) chain on systems that have the software installed. "The Quick Share application implements its own specific application-layer communication protocol to support file transfers between nearby, compatible devices," SafeBreach Labs researchers Or Yair and Shmuel Cohen said in a technical report shared with The Hacker News. "By investigating how the protocol works, we were able to fuzz and identify logic within the Quick Share application for Windows that we could manipulate or bypass." The result is the discovery of 10 vulnerabilities – nine affecting Quick Share for Windows and one impacting Android – that could be fashioned into an "innovative and unconventional" RCE attack chain to run arbitrary code on Windows hosts. The RCE attack chain has been codenamed QuickShell
Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure

Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure

Aug 10, 2024 Vulnerability / Enterprise Security
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft Office LTSC 2021 for 32-bit and 64-bit editions Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems Microsoft Office 2019 for 32-bit and 64-bit editions Credited with discovering and reporting the vulnerability are researchers Jim Rush and Metin Yunus Kandemir.  "In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft said in an advisory. "However, an attacker would have no w
Windows Downgrade Attack Risks Exposing Patched Systems to Old Vulnerabilities

Windows Downgrade Attack Risks Exposing Patched Systems to Old Vulnerabilities

Aug 08, 2024 Windows Security / Vulnerability
Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions. The vulnerabilities are listed below - CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability CVE-2024-21302 (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability Credited with discovering and reporting the flaws is SafeBreach Labs researcher Alon Leviev, who presented the findings at Black Hat USA 2024 and DEF CON 32 . CVE-2024-38202, which is rooted in the Windows Backup component, allows an "attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)," the tech giant said. It, however, noted that an attacker attempting to leverage the flaw would have to c
CrowdStrike Reveals Root Cause of Global System Outages

CrowdStrike Reveals Root Cause of Global System Outages

Aug 07, 2024 Cybersecurity / Incident Response
Cybersecurity company CrowdStrike has published its root cause analysis detailing the Falcon Sensor software update crash that crippled millions of Windows devices globally. The "Channel File 291" incident, as originally highlighted in its Preliminary Post Incident Review (PIR), has been traced back to a content validation issue that arose after it introduced a new Template Type to enable visibility into and detection of novel attack techniques that abuse named pipes and other Windows interprocess communication (IPC) mechanisms. Specifically, it's related to a problematic content update deployed over the cloud, with the company describing it as a "confluence" of several shortcomings that led to a crash – the most prominent of them is a mismatch between the 21 inputs passed to the Content Validator via the IPC Template Type as opposed to the 20 supplied to the Content Interpreter. CrowdStrike said the parameter mismatch was not discovered during "multi
North Korean Hackers Moonstone Sleet Push Malicious JS Packages to npm Registry

North Korean Hackers Moonstone Sleet Push Malicious JS Packages to npm Registry

Aug 06, 2024 Malware / Windows Security
The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns. The packages in question, harthat-api and harthat-hash , were published on July 7, 2024, according to Datadog Security Labs. Both the libraries did not attract any downloads and were shortly pulled after a brief period of time. The security arm of the cloud monitoring firm is tracking the threat actor under the name Stressed Pungsan, which exhibits overlaps with a newly discovered North Korean malicious activity cluster dubbed Moonstone Sleet. "While the name resembles the Hardhat npm package (an Ethereum development utility), its content does not indicate any intention to typosquat it," Datadog researchers Sebastian Obregoso and Zack Allen said . "The malicious package reuses code from a well-known GitHub repository called node-
Researchers Uncover Flaws in Windows Smart App Control and SmartScreen

Researchers Uncover Flaws in Windows Smart App Control and SmartScreen

Aug 05, 2024 Threat Intelligence / Vulnerability
Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings. Smart App Control ( SAC ) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run on the system. In cases where the service is unable to make a prediction about the app, it checks if it's signed or has a valid signature so as to be executed. SmartScreen, which was released alongside Windows 10, is a similar security feature that determines whether a site or a downloaded app is potentially malicious. It also leverages a reputation-based approach for URL and app protection. "Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content," Redmond notes in its documentation. "I
Expert Insights / Articles Videos
Cybersecurity Resources