#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Microsoft | Breaking Cybersecurity News | The Hacker News

Category — Microsoft
Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks

Microsoft Detects Growing Use of File Hosting Services in Business Email Compromise Attacks

Oct 09, 2024 Enterprise Security / Identity Theft
Microsoft is warning of cyber attack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox that are widely used in enterprise environments as a defense evasion tactic. The end goal of the campaigns are broad and varied, allowing threat actors to compromise identities and devices and conduct business email compromise ( BEC ) attacks, which ultimately result in financial fraud, data exfiltration, and lateral movement to other endpoints. The weaponization of legitimate internet services (LIS) is an increasingly popular risk vector adopted by adversaries to blend in with legitimate network traffic in a manner such that it often bypasses traditional security defenses and complicates attribution efforts. The approach is also called living-off-trusted-sites (LOTS), as it leverages the trust and familiarity of these services to sidestep email security guardrails and deliver malware. Microsoft said it has been observing a new trend in phishing c
U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

Oct 04, 2024 Phishing Attack / Cybercrime
Microsoft and the U.S. Department of Justice (DoJ) on Thursday announced the seizure of 107 internet domains used by state-sponsored threat actors with ties to Russia to facilitate computer fraud and abuse in the country. "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," said Deputy Attorney General Lisa Monaco. The activity has been attributed to a threat actor called COLDRIVER , which is also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Dancing Salome, Gossamer Bear, Iron Frontier, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057. Active since at least 2012, the group is assessed to be an operational unit within Center 18 of the Russian Federal Security Service (FSB). In December 2023, the U.K. and U.S. governments sanctioned two members of the group – Aleksandrovich Peretyat
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

Sep 27, 2024 Ransomware / Cloud Security
The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks. The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, Microsoft said. "Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations," according to the tech giant's threat intelligence team. Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service ( RaaS ) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware. A n
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Sep 19, 2024 Healthcare / Malware
Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S. The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832). "Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X. In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload. The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing secto
Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

Sep 11, 2024 Windows Security / Vulnerability
Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024. The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release. The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited - CVE-2024-38014 (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability CVE-2024-38217 (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2024-38226 (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability CVE-2024-43491 (CVSS score: 9.8) - Microsoft Windows Updat
New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access

New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access

Sep 03, 2024 Endpoint Security / Cyber Threat
Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control ( TCC ) framework. "If successful, the adversary could gain any privileges already granted to the affected Microsoft applications," Cisco Talos said . "For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction." The shortcomings span various applications such as Outlook, Teams, Word, Excel PowerPoint, and OneNote. The cybersecurity company said malicious libraries could be injected into these applications and gain their entitlements and user-granted permissions, which could then be weaponized for extracting sensitive information depending on the access granted
North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

Aug 31, 2024 Rootkit / Threat Intelligence
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which has made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months. Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736 . It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra). It's worth mentioning that the use of the AppleJeus malware has also been previously attributed by Kaspersky to another Lazarus subgroup called BlueNoroff (aka APT38, Nickel Gladstone, and Stardust Chollima), indicative of the infrastructure and toolset sharin
New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials

New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials

Aug 28, 2024 Phishing Attack / Data Breach
Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes. "By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," Netskope Threat Labs researcher Jan Michael Alcantara said . "Additionally, a victim uses their Microsoft 365 account that they're already logged-into when they open a Sway page, that can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe." The attacks have primarily singled out users in Asia and North America, with technology, manufacturing, and finance sectors being the most sought-after sectors. Microsoft Sway is a cloud-based tool for creating newsletters, presentations
Microsoft Fixes ASCII Smuggling Flaw That Enabled Data Theft from Microsoft 365 Copilot

Microsoft Fixes ASCII Smuggling Flaw That Enabled Data Theft from Microsoft 365 Copilot

Aug 27, 2024 AI Security / Vulnerability
Details have emerged about a now-patched vulnerability in Microsoft 365 Copilot that could enable the theft of sensitive user information using a technique called ASCII smuggling. " ASCII Smuggling is a novel technique that uses special Unicode characters that mirror ASCII but are actually not visible in the user interface," security researcher Johann Rehberger said . "This means that an attacker can have the [large language model] render, to the user, invisible data, and embed them within clickable hyperlinks. This technique basically stages the data for exfiltration!" The entire attack strings together a number of attack methods to fashion them into a reliable exploit chain. This includes the following steps - Trigger prompt injection via malicious content concealed in a document shared on the chat to seize control of the chatbot Using a prompt injection payload to instruct Copilot to search for more emails and documents, a technique called automatic too
GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

Aug 22, 2024 Enterprise Software / Vulnerability
GitHub has released fixes to address a set of three security flaws impacting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges. The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS score of 9.5. "On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges," GitHub said in an advisory. The Microsoft-owned subsidiary has also addressed a pair of medium-severity flaws - CVE-2024-7711 (CVSS score: 5.3) - An incorrect authorization vulnerability that could allow an attacker to update the title, assignees, and labels of any issue inside a public repository. CVE-2024-6337 (CVSS score: 5.9) - An incorrect authorization vulnerab
Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data

Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data

Aug 21, 2024 Software Security / Vulnerability
Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive information. Tracked as CVE-2024-38206 (CVSS score: 8.5), the vulnerability has been described as an information disclosure bug stemming from a server-side request forgery ( SSRF ) attack. "An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network," Microsoft said in an advisory released on August 6, 2024. The tech giant further said the vulnerability has been addressed and that it requires no customer action. Tenable security researcher Evan Grant, who is credited with discovering and reporting the shortcoming, said it takes advantage of Copilot's ability to make external web requests. "Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft's internal infrastructure for Cop
Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters

Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters

Aug 20, 2024 Vulnerability / Container Security
Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster. "An attacker with command execution in a pod running within an affected Azure Kubernetes Services cluster could download the configuration used to provision the cluster node, extract the transport layer security (TLS) bootstrap tokens, and perform a TLS bootstrap attack to read all secrets within the cluster," Google-owned Mandiant said . Clusters using "Azure CNI" for the "Network configuration" and "Azure" for the "Network Policy" have been found to be impacted by the privilege escalation bug. Microsoft has since addressed the issue following responsible disclosure. The attack technique devised by the threat intelligence firm hinges on accessing a little-known component called Azure WireS
Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group

Microsoft Patches Zero-Day Flaw Exploited by North Korea's Lazarus Group

Aug 19, 2024 Vulnerability / Zero-Day
A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group , a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update. Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner. "This flaw allowed them to gain unauthorized access to sensitive system areas," the company disclosed last week, adding it discovered the exploitation in early J
Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Days

Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Days

Aug 14, 2024 Windows Security / Vulnerability
Microsoft on Tuesday shipped fixes to address a total of 90 security flaws , including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, nine are rated Critical, 80 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday updates are notable for addressing six actively exploited zero-days - CVE-2024-38189 (CVSS score: 8.8) - Microsoft Project Remote Code Execution Vulnerability CVE-2024-38178 (CVSS score: 7.5) - Windows Scripting Engine Memory Corruption Vulnerability CVE-2024-38193 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability CVE-2024-38106 (CVSS score: 7.0) - Windows Kernel Elevation of Privilege Vulnerability CVE-2024-38107 (CVSS score: 7.8) - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability CVE-2024-38213 (CVS
Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure

Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure

Aug 10, 2024 Vulnerability / Enterprise Security
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft Office LTSC 2021 for 32-bit and 64-bit editions Microsoft 365 Apps for Enterprise for 32-bit and 64-bit Systems Microsoft Office 2019 for 32-bit and 64-bit editions Credited with discovering and reporting the vulnerability are researchers Jim Rush and Metin Yunus Kandemir.  "In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft said in an advisory. "However, an attacker would have no w
Expert Insights / Articles Videos
Cybersecurity Resources