
Microsoft Urges Millions to Upgrade as Windows Support Ends, Security Risks Increase

Microsoft Windows users are facing increasing security risks as the end of support for older versions of Windows approaches. Recently, Microsoft warned 50 million users of outdated operating systems such as Windows XP, Vista, 7, and 8.1 that they are no longer receiving essential security updates or technical support. 

While these versions still power millions of PCs globally, Microsoft has advised users to upgrade to newer systems, specifically Windows 11, for better security. As Microsoft stated, “Devices running an unsupported version of Windows will still function,” but they won’t receive “technical support of any issue, software updates, [or, more critically] security updates or fixes.” 

The warning also extends to the 900 million users of Windows 10. Microsoft will cease support for this version in October 2025, leaving users vulnerable to cyberattacks unless they upgrade. Although Windows 10 users have another year before the security updates stop, Microsoft is urging them to consider transitioning to Windows 11. 

However, one of the main hurdles is that many older PCs are not compatible with Windows 11, requiring users to buy new hardware. Microsoft is promoting the purchase of new computers and the use of its cloud service, OneDrive, to facilitate the upgrade to Windows 11. However, many users are resistant to upgrading due to the costs and the lack of a secondary market to sell their outdated PCs. 

As a result, the adoption of Windows 11 has been slow, and there are concerns about how Microsoft will handle the transition when support for Windows 10 ends. The tech giant has made it clear that running an unsupported version of Windows leaves users vulnerable to cyberattacks, viruses, and spyware. 

Despite monthly security alerts and updates for current Windows versions, the risk for users on unsupported systems continues to grow. With Microsoft’s recommendation to upgrade sooner rather than later, millions of users will need to make crucial decisions about their computer systems as the 2025 deadline approaches.

Microsoft Warns of Storm-0501 Ransomware Attacks on U.S. Cloud Systems

Microsoft has uncovered a multi-stage cyberattack by the financially motivated group Storm-0501, targeting sectors in the U.S., including government, manufacturing, transportation, and law enforcement. 

The attackers compromised hybrid cloud environments, stealing credentials, tampering with data, and deploying ransomware. Storm-0501, active since 2021, first gained attention for using the Sabbath ransomware against U.S. school districts. 

The group later evolved into a ransomware-as-a-service (RaaS) affiliate, deploying ransomware variants like Hive, BlackCat, and the newer Embargo ransomware. 

In its latest attacks, Storm-0501 exploited weak credentials and over-privileged accounts to move from on-premises systems to cloud environments, gaining persistent backdoor access. Microsoft reported that the group used several known vulnerabilities, including those in Zoho ManageEngine and Citrix NetScaler, to gain initial access. 

The group then leveraged admin privileges to compromise further devices and collect sensitive data, using tools like Impacket and Cobalt Strike for lateral movement and to evade detection. Storm-0501 also deployed open-source tools, such as Rclone, to exfiltrate data. 

They masked these tools by renaming them to familiar Windows binary names. Their ability to exploit weak credentials and gain access to Microsoft Entra ID accounts enabled the group to establish persistent cloud access, further increasing the risk to organizations. 

In response to these attacks, Microsoft highlighted the growing security challenges posed by hybrid cloud environments. The company stressed the need for organizations to adopt stronger security measures, including multi-factor authentication (MFA) and regular software updates to fix known vulnerabilities. 

To help mitigate future attacks, Microsoft has enhanced its security protocols, particularly around Microsoft Entra ID, to prevent the abuse of Directory Synchronization Accounts. Storm-0501's activities underscore the increasing sophistication of cyber threats and the urgent need for businesses to bolster their defenses across both on-premises and cloud infrastructures.

Rising Threat: Hackers Exploit Microsoft Graph for Command-and-Control Operations

Recently, a trend has emerged among nation-state espionage groups: they are tapping into native Microsoft services for their command-and-control (C2) operations. Surprisingly, several unrelated groups have reached the same conclusion, that it is smarter to leverage Microsoft's services than to create and manage their own infrastructure. This approach not only saves them money and hassle but also lets their malicious activity blend in more seamlessly with regular network traffic. Microsoft Graph plays a major role in this.
 
Microsoft Graph is like a toolbox for developers, offering an interface to connect to various data, such as emails, calendars, and files stored in Microsoft's cloud services. While it is harmless in its intended use, it has also become a tool for hackers to set up their command-and-control (C2) infrastructure using these same cloud services. Recently, Symantec found a new type of malware called "BirdyClient" being used against an organization in Ukraine. This malware uses the Graph API to upload and download files through OneDrive. However, we are still waiting to hear from Microsoft about this.
 
O'Brien emphasizes that organisations must be vigilant regarding unauthorized cloud account usage. Many individuals access personal accounts, like OneDrive, from work networks, which poses a risk as it makes it harder to detect malicious activities. To mitigate this risk, organizations should ensure that connections are limited to their enterprise accounts and implement strict access controls. 

In response to the concerning trend of hackers exploiting Microsoft Graph for command-and-control operations, organizations must prioritize proactive measures to fortify their cybersecurity posture. Firstly, staying vigilant with updates and patches for all Microsoft applications, particularly those related to Microsoft Graph, is imperative. Regularly monitoring network traffic for any anomalies or unauthorized access attempts can also help in the early detection of suspicious activities. Implementing robust access controls and multi-factor authentication protocols can significantly mitigate the risk of unauthorized access to sensitive data through Microsoft Graph. 

Additionally, conducting thorough employee training programs to raise awareness about the potential threats posed by such exploits and promoting a culture of cybersecurity consciousness throughout the organization are indispensable steps in bolstering defenses against cyber threats. By adopting these preventive measures, organizations can effectively safeguard their systems and data from the nefarious intentions of cyber adversaries.

Laptops with Windows Hello Fingerprint Authentication Vulnerable

Microsoft’s Windows Hello security, which offers a passwordless method of logging into Windows-powered machines, may not be as secure as users think. The fingerprint sensors embedded in laptops that support Windows Hello fingerprint authentication were evaluated for security, which led to the discovery of multiple vulnerabilities that would allow a threat actor to bypass Windows Hello authentication completely.

As Blackwing Intelligence reported in a blog post, Microsoft's Offensive Research and Security Engineering (MORSE) team had asked it to assess the security of the three top fingerprint sensors embedded in laptops.

The research was conducted on three laptops: the Dell Inspiron 15, the Lenovo ThinkPad T14, and the Microsoft Surface Pro Type Cover with Fingerprint ID. The researchers working on the project discovered several vulnerabilities in the Windows Hello fingerprint authentication system that could be exploited.

The report also reveals that the fingerprint sensors used in the Lenovo ThinkPad T14, Dell Inspiron 15, and Surface Pro 8 and X tablets, made by Goodix, Synaptics, and ELAN, were vulnerable to man-in-the-middle attacks due to their underlying technology.

Even a premier sensor enabling fingerprint authentication through Windows Hello is not as secure as manufacturers would like. Several security flaws have been discovered in many of the fingerprint sensors used in Windows Hello-compatible laptops, stemming from the use of outdated firmware.

The flaws were discovered by researchers at Blackwing Intelligence, a company that researches the security, offensive capabilities, and vulnerabilities of hardware and software products. The researchers found weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN embedded in these devices.

The fingerprint reader exploits require that fingerprint authentication already be set up on the targeted laptop. All three fingerprint sensors are of a type known as "match on chip" (MoC), which includes all biometric management functions in the sensor's own integrated circuit.

Concept of Vulnerability: Match on Chip

As reported by Cyber Security News, this vulnerability is due to a flaw within the concept of the "match on chip" type of sensor. Microsoft removed the option of storing fingerprint templates on the host machine and replaced it with a "match on chip" sensor. This means that the fingerprint templates are now stored on the chip, reducing the concern that fingerprints might be exfiltrated from the host if the host becomes compromised, which could compromise the privacy of your data.

This method has a downside, however: it does not prevent a malicious sensor from spoofing the communication between the sensor and the host, so an authorized and authenticated user of the sensor can easily be fooled.
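To illustrate the point above about spoofed sensor-to-host communication, here is an added, simplified model that is not Microsoft's, Blackwing's or any vendor's actual protocol (the message format, pairing key and nonce are assumptions): a host that trusts any well-formed "match" message, beside one that only accepts a message bound to a fresh nonce by a MAC under a key shared with the sensor at pairing time.

```python
import hashlib, hmac, os

# Simplified model of the sensor/host exchange; not any real Windows Hello protocol.
# The host asks the match-on-chip sensor whether the finger matches an enrolled
# template. Can the host tell a genuine sensor's answer from a spoofed one?

class NaiveHost:
    """Trusts any well-formed match message: the weakness described above."""
    def login(self, message):
        return message.get("result") == "MATCH"

class PairedHost:
    """Accepts a match only if it is bound to this request by a fresh nonce and
    a MAC under a key shared with the sensor when the two were paired."""
    def __init__(self, pairing_key):
        self.key = pairing_key
        self.nonce = None
    def challenge(self):
        self.nonce = os.urandom(16)        # fresh per login attempt
        return self.nonce
    def login(self, message):
        if self.nonce is None or message.get("nonce") != self.nonce:
            return False                   # stale or replayed answer
        result = message.get("result", "")
        expected = hmac.new(self.key, self.nonce + result.encode(), hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, message.get("mac", b"")) and result == "MATCH"
        self.nonce = None                  # each challenge is single-use
        return ok

def genuine_sensor_reply(pairing_key, nonce, finger_matches):
    """What the paired sensor sends: the result bound to the nonce by an HMAC."""
    result = "MATCH" if finger_matches else "NO_MATCH"
    mac = hmac.new(pairing_key, nonce + result.encode(), hashlib.sha256).digest()
    return {"nonce": nonce, "result": result, "mac": mac}

def spoofed_reply(nonce):
    """A device that is not the paired sensor can claim MATCH but has no key for the MAC."""
    return {"nonce": nonce, "result": "MATCH", "mac": os.urandom(32)}

def demo():
    key = os.urandom(32)                   # established at pairing time (assumed)
    naive, paired = NaiveHost(), PairedHost(key)
    n = paired.challenge()
    out = {"naive_accepts_spoof": naive.login(spoofed_reply(n)),
           "paired_accepts_spoof": paired.login(spoofed_reply(n))}
    n = paired.challenge()
    out["paired_accepts_genuine"] = paired.login(genuine_sensor_reply(key, n, True))
    out["paired_accepts_replay"] = paired.login(genuine_sensor_reply(key, n, True))
    return out
```

The naive host accepts the spoofed message while the paired host rejects it, accepts the genuine reply once, and rejects its replay.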

This isn't the first time Windows Hello's biometric-based authentication has been defeated; there have been several successful attempts in the past. This month, Microsoft released two patches for a security flaw (CVE-2021-34466, CVSS score: 6.1) that was rated medium severity in July 2021 and that could allow an adversary to hijack the login process by spoofing the target's face.

It is still unclear whether Microsoft will be able to find a fix for the flaws; however, this is not the first time Windows Hello, a biometric-based system, has been attacked. A proof of concept in 2021 showed that an infrared photo of a victim could be used to bypass the facial recognition feature of Windows Hello. Microsoft subsequently fixed the issue to prevent it from recurring.

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

Hackers are deploying the Gh0stCringe remote access trojan on vulnerable computers by targeting inadequately secured Microsoft SQL and MySQL database servers.

Gh0stCringe, also known as CirenegRAT, is a variant of the Gh0st RAT malware that was most recently used in Chinese cyber-espionage activities in 2020, although it has been around since 2018. The malware has several commands and functions that can be activated after it connects to its command-and-control server, or through data stored in its settings.

Attackers can use Gh0stCringe to download payloads such as crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger which, if activated, records input data in the Default.key file in the Windows System directory.

Threat actors are infiltrating database servers and writing the malicious 'mcsql.exe' executable to disk using the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to earlier attacks on Microsoft SQL servers that used the xp_cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous other malware samples on the investigated servers, implying that competing threat actors may be infiltrating the same servers to drop payloads for their own operations.
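Both the renaming of tools such as Rclone to familiar Windows binary names described in the Storm-0501 post above and the database-server processes writing 'mcsql.exe' to disk or running shells via xp_cmdshell described here leave a trail in endpoint telemetry. The following is an added example, not code from the article, Microsoft or AhnLab: two detection rules run over constructed Sysmon-style events, using the process names the articles give (sqlservr.exe, the usual SQL Server service binary name, is my addition).

```python
# Constructed Sysmon-style events (not taken from Microsoft's or AhnLab's reports).
# EventID 1 = process creation, EventID 11 = file creation.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # rclone renamed to a familiar Windows binary name; PE metadata still says rclone.exe
    {"EventID": 1, "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # database service writing an executable to disk
    {"EventID": 11, "Image": r"C:\Program Files\MySQL\bin\mysqld.exe",
     "TargetFilename": r"C:\Program Files\MySQL\data\mcsql.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\MySQL\bin\mysqld.exe",
     "TargetFilename": r"C:\Program Files\MySQL\data\ibdata1"},
    # database service spawning a shell (xp_cmdshell-style execution)
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
]

# Process names from the article, plus sqlservr.exe, the usual SQL Server service binary name.
DB_PROCESSES = {"mysqld.exe", "mysqld-nt.exe", "sqlserver.exe", "sqlservr.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".ps1")

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_masquerade(event):
    """Rule 1: on-disk name differs from the PE OriginalFileName (a renamed tool)."""
    if event.get("EventID") != 1 or not event.get("OriginalFileName"):
        return None
    on_disk, original = basename(event["Image"]), event["OriginalFileName"].lower()
    return f"masquerade: {on_disk} is really {original}" if on_disk != original else None

def detect_db_server_activity(event):
    """Rule 2: a database server process writes an executable or spawns a child process."""
    actor = basename(event.get("Image", ""))
    if event.get("EventID") == 11 and actor in DB_PROCESSES:
        target = basename(event.get("TargetFilename", ""))
        if target.endswith(EXEC_SUFFIXES):
            return f"db-drop: {actor} wrote {target}"
    parent = basename(event.get("ParentImage", ""))
    if event.get("EventID") == 1 and parent in DB_PROCESSES:
        return f"db-spawn: {parent} started {actor}"
    return None

def scan(events):
    """Run both rules over every event and return the alerts in order."""
    return [alert for ev in events
            for alert in (detect_masquerade(ev), detect_db_server_activity(ev)) if alert]
```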

Gh0stCringe RAT is a powerful piece of malware that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the attackers. The keylogging component polls the state of each key in an endless loop using the Windows GetAsyncKeyState API. This otherwise dependable recording mechanism carries the risk of very high CPU utilization; however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware also records keystrokes for the previous three minutes and sends them to the infection's command-and-control servers along with basic system and network information.

Using these logged keystrokes, threat actors can steal login passwords and other sensitive information that logged-in users entered on the device. CirenegRAT has four operational modes, 0, 1, 2, and a specific Windows 10 mode, which the threat actor can choose from during deployment.

Update your server software to install the most recent security patches, which can help you avoid the many attacks that make use of known flaws. It is also critical to use a secure admin password that cannot be brute-forced. The most important step is to put the database server behind a firewall so that only authorized devices can connect to it.

Google reCAPTCHA used by Phishing Attackers

Thousands of phishing emails are targeting Microsoft users to obtain their Office 365 credentials in an active attack. The attackers add an air of authenticity to the campaign by using a bogus Google reCAPTCHA scheme and landing pages on top-level domains that include the logos of victims' organizations. More than 2,500 phishing emails connected with the campaign have been blocked by the organization. Security company Zscaler's threat analysis unit, ThreatLabZ, has noticed the phishing increasing since December 2020, with mostly senior staff working in the banking industry being targeted.

Google reCAPTCHA is a service that prevents spam and abuse on websites by using a Turing test to separate humans from bots (for instance, by asking the user to click on the fire hydrants in a series of images). The campaign starts with the attacker sending phishing emails to targets; the emails appear to come from a unified communication system of the kind used to simplify corporate communication. Each email carries a malicious HTML attachment. When victims open the embedded HTML file, they are redirected to a phishing website on a .xyz domain that is masked by a copy of the official Google reCAPTCHA page to trick visitors. The landing pages are tailored to the victim's profile, which shows that the attacker has done his research and makes the attack more credible. The phishing emails claim to be automated messages from the victim organization's unified communication system and say that a voice message is available via a link.

After the victims pass the reCAPTCHA check, they are sent to a fake Microsoft login page. When victims submit their username and password, a bogus "validation successful" message adds credibility to the campaign. The researchers added that “Users are then shown a recording of a voicemail message that they can play, allowing threat actors to avoid suspicion.”

"These attacks can be categorized as BEC [business email compromise] although the sender, in this case, involves the use of popular unified communication systems used by the organizations," Gayathri Anbalagan, the lead researcher on the Zscaler study points out. "We are not able to attribute this campaign to a specific threat actor but looking at the operational theme and the target profiles, it is likely to be a single coordinated campaign." 

“Similar phishing campaigns utilizing fake Google reCAPTCHA have been observed for several years, but this specific campaign targeting executives across specific industry verticals started in December 2020,” noted researchers. Phishing attackers have also adopted multiple approaches to make the scams look more credible, such as Google Translate or customized fonts.