
Hackers Release Powerful Tool to Unlock Microsoft Software for Free

 



A group of hackers has created a tool that allows people to activate Microsoft Windows and Office software without needing an official license. This method, described as a major breakthrough in software piracy, completely bypasses Microsoft's security system. Surprisingly, Microsoft has not taken any action against it so far.  


A New Way to Unlock Microsoft Software  

The hacker group, known as Massgrave, has been making activation tools for years. Their latest update, called Microsoft Activation Scripts (MAS) 3.0, introduces a powerful new method called TSforge Activation. This technique enables users to unlock different versions of Windows and Office permanently, even if they do not have a valid license.  

One of its most prominent features is that it allows Windows 10 users to continue receiving updates beyond the official support cutoff in October 2025. This makes it especially useful for those who want to keep using older systems without paying for Microsoft’s extended support.  

MAS was first launched in 2024 as an open-source project meant to remove Microsoft’s digital restrictions. The latest update improves its features, fixes previous issues, and enhances its ability to bypass security checks. Massgrave claims that TSforge Activation is one of the most advanced tools they have ever created.  


How Does TSforge Activation Work?  

Microsoft uses a system called the Software Protection Platform (SPP) to control software licensing. This system ensures that only users with valid product keys can access all the features of Windows and Office. It relies on two main files:  

1. Data.dat (Physical Store) – This file contains essential activation details.  

2. Tokens.dat (Token Store) – This file helps verify whether a product key is legitimate.  

The TSforge Activation method tricks Microsoft’s security system by injecting false data into these files. This makes the system believe that an invalid product key is genuine, allowing users to activate their software for free.  

The activation method works on:  

  • Windows 7, 8, 10, and 11  
  • Windows Server editions from 2008 R2 to 2025  
  • Microsoft Office versions from 2013 to 2024  

Additionally, users can unlock premium features meant for business licenses, such as Microsoft’s Extended Security Updates (ESU) program. This allows older Windows versions to continue receiving security updates beyond their expiration dates.  


Microsoft’s Reaction and Ethical Concerns 

Massgrave acknowledges that Microsoft has improved its security over time. They admit that the Software Protection Platform is much stronger than the old systems used in Windows XP. However, they argue that their project is not truly piracy because it is an open-source tool available on GitHub, a platform owned by Microsoft.  

Despite this, using activation tools without a legal license is against Microsoft’s terms of service. While the company has not taken action against this tool yet, using such software carries risks. In some cases, companies or individuals who distribute or use illegal activation methods can face legal consequences.  

Interestingly, Massgrave does not charge for its tool, stating that they do not believe in making money from piracy. However, they continue to develop new ways to bypass Microsoft’s security, raising questions about software ownership and digital rights.  

The release of TSforge Activation underlines the ongoing conflict between software developers and digital piracy. While Microsoft strengthens its security, hackers find new ways to bypass restrictions. Users should carefully consider the legal and ethical risks before using unauthorized activation methods.

Unveiling Vulnerabilities in Microsoft PlayReady DRM: Impact on Streaming Platforms

 

In a meticulous research endeavor, Security Explorations, a division of AG Security Research, embarked on an exhaustive analysis of Microsoft's Warbird and Protected Media Path (PMP) technologies. The culmination of this investigation has unearthed critical deficiencies within the security architecture of Microsoft's PlayReady Digital Rights Management (DRM) system, posing profound implications for content security across a spectrum of streaming platforms. 

At the core of Microsoft's content protection ecosystem lies Protected Media Path (PMP), an amalgamation of cryptographic protocols, code integrity checks, and authentication mechanisms designed to fortify content security within Windows OS environments. In tandem, Microsoft Warbird endeavors to erect formidable barriers against reverse engineering attempts, encrypting and obfuscating binaries to thwart unauthorized access. 

However, despite the multifaceted security measures embedded within these technologies, Security Explorations' research has illuminated vulnerabilities within PMP components. These vulnerabilities lay bare the underbelly of Microsoft's DRM infrastructure, allowing for the extraction of plaintext content keys essential for the decryption of high-definition content. The ramifications of such exploits extend far and wide, implicating prominent streaming platforms including Canal+ Online, Netflix, HBO Max, Amazon Prime Video, and Sky Showtime. 

Of particular concern is the vulnerability's prevalence on Windows 10 systems lacking Hardware DRM capability, a demographic constituting a significant portion of the user base due to compatibility constraints with Windows 11. The exploitation of Software DRM implementations prevalent in these environments underscores the urgent need for remedial action. While Microsoft's PlayReady team has been apprised of these findings, Security Explorations has refrained from disclosing detailed technical information through the MSRC channel, citing proprietary concerns and the imperative to safeguard intellectual property. 

Beyond the immediate ramifications for individual platforms, the research underscores broader implications for the content security landscape. With the burgeoning digital streaming industry valued at $544 billion, the imperative of ensuring robust DRM solutions cannot be overstated. The compromise of plaintext content keys not only imperils individual platforms but also undermines consumer trust and revenue streams, posing a systemic risk to the digital content ecosystem. 

Mitigating these vulnerabilities demands a concerted effort from industry stakeholders. Streaming platforms may consider transitioning to alternative DRM technologies or implementing interim safeguards to mitigate the risk of exploitation. However, the challenge lies in striking a delicate balance between security measures and user accessibility, ensuring seamless functionality without compromising content security. The research findings underscore the imperative for collaborative efforts between security researchers and industry stakeholders to fortify DRM ecosystems against evolving threats. Moreover, they highlight the pressing need for enhanced regulatory scrutiny and industry standards to bolster content security in the digital age. 

In light of these revelations, streaming platforms must reassess their security posture and implement robust measures to safeguard against unauthorized access and content piracy. Failure to address these vulnerabilities not only jeopardizes consumer confidence but also undermines the viability of streaming platforms in an increasingly interconnected world. As the digital landscape continues to evolve, proactive measures are indispensable to safeguarding content integrity and preserving the sanctity of digital content distribution channels. Only through collective vigilance and concerted action can the industry fortify itself against the ever-looming specter of security threats.

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs named after legitimate ones. This tricks the loader into loading the library containing the attack code instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.

QBot Phishing Exploits Windows Control Panel EXE to Infect Devices


Phishing emails distributing the QBot malware are reportedly exploiting a DLL hijacking weakness in the Windows 10 Control Panel executable to infect PCs, most likely in an effort to avoid detection by security software. 

DLL hijacking is an attack method used by threat actors to take advantage of the way Windows loads dynamic link libraries (DLLs). 

When a Windows executable launches, the loader looks for its DLL dependencies along the Windows search path. If a threat actor creates a malicious DLL with the same name as one of the program's required DLLs and places it in the same folder as the executable, the program loads the malicious DLL instead and the computer is infected. 

QBot, also known as Qakbot, is a Windows malware that was initially a banking trojan but later emerged as a full-featured malware dropper. The malware is also utilized by renowned ransomware gangs like Black Basta, Egregor, and Prolock in order to gain initial access to corporate networks. 

In July, security researcher ProxyLife found that threat actors were using the Windows 7 Calculator's DLL hijacking vulnerability, in order to spread the QBot malware. 

Meanwhile, this week ProxyLife reported that the threat actors have switched to utilizing a DLL hijacking flaw in the Windows 10 Control Panel executable, namely control.exe. 

Abusing the Windows Control Panel:  

In a phishing campaign witnessed by ProxyLife, the hackers used stolen reply-chain emails to distribute an HTML file attachment, which downloads a password-protected ZIP archive containing an ISO file. 

The HTML file, named similar to 'RNP_[number]_[number].html', displays an image impersonating Google Drive and a password for a ZIP archive that is downloaded automatically. This ZIP archive contains an ISO disk image that, when double-clicked, is automatically mounted under a new drive letter in Windows 10 and later. 

This ISO file contains a Windows Shortcut (.LNK) file, a ‘control.exe’ (Windows 10 Control Panel) executable, and two DLL files named edputil.dll (used for DLL hijack) and msoffice32.dll (QBot malware). 

The Windows shortcut (.LNK) included in the ISO uses an icon that attempts to make it look like a genuine folder. 

The shortcut, however, opens the Windows 10 Control Panel executable, control.exe, which is kept in the ISO file, when a user tries to open this fabricated folder. 

The genuine edputil.dll, located in the C:\Windows\System32 folder, is automatically loaded when control.exe is opened. However, control.exe does not restrict where it looks for that DLL, so it will load any DLL with the same name that is placed in the same folder as control.exe itself. 

Because the hackers bundle a malicious edputil.dll in the same folder as control.exe, the fraudulent DLL is loaded instead. Once the malicious edputil.dll is loaded, it infects the device with the QBot malware (msoffice32.dll) using the command regsvr32.exe msoffice32.dll.

Security software may not recognize QBot as malicious if it is installed using a trustworthy tool, such as the Windows 10 Control Panel, allowing the malware to avoid detection. 

QBot then runs covertly in the background, accessing and stealing emails for use in later phishing attacks and installing additional payloads such as Brute Ratel or Cobalt Strike, post-exploitation toolkits that hackers use to acquire remote access to corporate networks. This remote access further leads to corporate data theft and ransomware attacks.  
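The two DLL hijacking posts above give the same defensive advice from different angles: watch parent-child relationships of processes launched from WinSxS, watch system binaries such as control.exe running from outside System32 and loading a DLL from their own directory, and watch regsvr32.exe registering a DLL from an untrusted path. The Python below is an added example written for this page, not code from Security Joes, ProxyLife or either article; it turns that advice into simple rules over a handful of constructed, Sysmon-style records (the fields mirror Sysmon event ID 1, process creation, and event ID 7, image loaded). The WinSxS component name, the staging paths and the allow-list of expected parent processes are assumptions to be tuned against real telemetry.

```python
from typing import Dict, List, Tuple

# Directories from which Windows system DLLs are legitimately loaded (lower-case, trailing backslash).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
WINSXS_DIR = "c:\\windows\\winsxs\\"
SYSTEM32_DIR = "c:\\windows\\system32\\"

# System executables the articles describe being copied out of System32 to host a hijack.
RELOCATABLE_SYSTEM_EXES = {"control.exe", "calc.exe"}

# Assumed (constructed) allow-list of parents that legitimately spawn WinSxS-resident binaries.
EXPECTED_WINSXS_PARENTS = {"services.exe", "svchost.exe", "tiworker.exe", "trustedinstaller.exe"}


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _dirname(path: str) -> str:
    p = _norm(path)
    return p[: p.rfind("\\") + 1]


def _basename(path: str) -> str:
    p = _norm(path)
    return p[p.rfind("\\") + 1 :]


def _in_trusted_dir(path: str) -> bool:
    return any(_norm(path).startswith(d) for d in TRUSTED_DLL_DIRS)


def _dll_from_command_line(cmdline: str) -> str:
    # Crude tokenisation: the first token ending in .dll, quotes stripped.
    for tok in cmdline.split():
        t = tok.strip('"')
        if t.lower().endswith(".dll"):
            return t
    return ""


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the alert strings raised by one Sysmon-style event dict."""
    alerts: List[str] = []
    image = _norm(ev["image"])
    exe = _basename(image)
    exe_dir = _dirname(image)
    parent = _basename(ev.get("parent_image", ""))

    if ev["event"] == "ProcessCreate":
        # A System32 binary executing from anywhere else (e.g. a mounted ISO) is the QBot pattern.
        if exe in RELOCATABLE_SYSTEM_EXES and exe_dir != SYSTEM32_DIR:
            alerts.append(f"{exe} executed from non-standard location {exe_dir}")
        # WinSxS binaries are rarely launched directly; review the parent (Security Joes' advice).
        if image.startswith(WINSXS_DIR) and parent not in EXPECTED_WINSXS_PARENTS:
            alerts.append(f"WinSxS binary {exe} spawned by unexpected parent {parent or '<unknown>'}")
        # regsvr32 registering a DLL given by relative path or from outside trusted directories.
        if exe == "regsvr32.exe":
            dll = _dll_from_command_line(ev.get("command_line", ""))
            if dll and (":" not in dll or not _in_trusted_dir(dll)):
                alerts.append(f"regsvr32 registering DLL from untrusted path: {dll}")
    elif ev["event"] == "ImageLoad":
        loaded = _norm(ev["loaded"])
        # Only hosts that are plausible hijack targets are checked; ordinary apps load from their own dir.
        suspicious_host = image.startswith(WINSXS_DIR) or exe in RELOCATABLE_SYSTEM_EXES
        if suspicious_host and not _in_trusted_dir(loaded):
            where = "its own directory" if _dirname(loaded) == exe_dir else _dirname(loaded)
            alerts.append(f"{exe} loaded {_basename(loaded)} from untrusted location ({where})")
    return alerts


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run check_event over a list of events; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: Control Panel launched from System32 loads the genuine edputil.dll.
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\control.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "control.exe"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\control.exe",
     "loaded": r"C:\Windows\System32\edputil.dll"},
    # The QBot chain: control.exe inside a mounted ISO (E:) side-loads edputil.dll beside it,
    # then registers the payload with regsvr32 by relative path.
    {"event": "ProcessCreate", "image": r"E:\control.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "control.exe"},
    {"event": "ImageLoad", "image": r"E:\control.exe", "loaded": r"E:\edputil.dll"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"E:\control.exe", "command_line": "regsvr32.exe msoffice32.dll"},
    # The WinSxS variant: a component binary (constructed name) started from cmd.exe loads a DLL
    # from a staging folder on the search path.
    {"event": "ProcessCreate", "image": r"C:\Windows\WinSxS\x86_example_component_1.0\example.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "example.exe"},
    {"event": "ImageLoad", "image": r"C:\Windows\WinSxS\x86_example_component_1.0\example.exe",
     "loaded": r"C:\Users\Public\stage\helper.dll"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Against the sample, the two benign records produce nothing and each of the five malicious records produces one alert. The rules are deliberately narrow (relocated System32 binaries, WinSxS-resident processes and regsvr32 only) so that the normal case of an application loading a DLL from its own install directory does not fire; widening the host set is where tuning against your own baseline starts.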

PowerToys Releases Version 0.64 With File LockSmith and Host File Editor

 

Microsoft has recently released the latest version of the PowerToys toolset, PowerToys 0.64, to the public. The new version helps Windows users find the processes that are using selected files and release those files without a third-party tool. 

PowerToys 0.64 additionally brings two notable additions, File Locksmith and Hosts File Editor. The first, File Locksmith, adds a “What’s using the file?” entry to the File Explorer context menu. It displays which Windows processes are currently using the file. 

The primary purpose of File Locksmith is to give users information that Windows itself does not provide when actions such as delete or move are attempted. When a file is in use, the operating system may refuse certain actions, but Windows does not tell the user which process is responsible; File Locksmith does.  

The second program, the Hosts File Editor, allows a user to edit the Hosts file in Windows 11 (or Windows 10) through a dedicated editor UI instead of Notepad. The Hosts file can, for example, be used to block access to certain domains, and having a UI for it should make such changes a little less cumbersome. 

In addition, the PowerToys settings now include a feature for exporting and importing the current settings to and from a file, which makes it easier to migrate settings across devices. Users can back up and restore their settings, which is useful when PowerToys runs on several devices, or simply for backup purposes. 

Microsoft has also enhanced FancyZones so that a user can set default layouts for horizontal and vertical screens. The change was made because monitor IDs sometimes get reset, after which the FancyZones settings no longer apply. With this enhancement, even when that happens, the user's layout should at least make sense for the orientation of the screen.

HP Bug Left Unpatched for a Year

Six high-severity flaws, known since July 2021, affect a range of HP products used in enterprise settings and are still not patched.

Firmware defects can result in malware infections that last even after an OS re-installation or allow long-term breaches that would not be detected by regular security techniques, making them extremely dangerous.

Although some of the weaknesses were made public by Binarly at Black Hat 2022 a month ago, the manufacturer hasn't delivered security upgrades for all afflicted models, leaving many customers vulnerable to attacks.

Binarly contributed to the resolution of six serious flaws that affect not only these devices but also numerous other HP product lines. The disclosure, which details arbitrary code execution flaws linked to System Management Mode (SMM), was coordinated with the HP PSIRT team (advisory HPSBHF03806).

SMM is a component of the UEFI firmware, which offers system-wide features including power management and low-level device control. Since this SMM sub-system has greater privileges than the operating system kernel (ring 0), vulnerabilities affecting the SMM can render security mechanisms ineffective.

According to Binarly, HP has not fixed the following six vulnerabilities for months:

  • CVE-2022-23930: Stack-based buffer overflow resulting in unauthorized code execution. CVSS v3 score: 8.2 'High'
  • CVE-2022-31644: Out-of-bounds write on CommBuffer, which permits evading some validation. CVSS v3 score: 7.5 'High'
  • CVE-2022-31645: Out-of-bounds write on CommBuffer due to failure to verify the size of the pointer given to the SMI handler. CVSS v3 score: 8.2 'High'
  • CVE-2022-31646: Out-of-bounds write via the direct memory manipulation API, which can result in privilege elevation and arbitrary code execution. CVSS v3 score: 8.2 'High'
  • CVE-2022-31640: Inadequate input validation gives attackers access to the CommBuffer data and creates a conduit for unauthorized changes. CVSS v3 score: 7.5 'High'
  • CVE-2022-31641: Callout vulnerability in the SMI handler that allows arbitrary code execution. CVSS v3 score: 7.5 'High'

Patch fix updates

HP has posted three security advisories acknowledging the aforementioned vulnerabilities and released a corresponding number of BIOS updates that remedy the problems for some of the vulnerable models, with thin client PCs receiving their security updates on August 9, 2022. 

While CVE-2022-31640 and CVE-2022-31641 were fixed during August, the most recent update was released on September 7, 2022, and many HP workstations are still vulnerable. Furthermore, CVE-2022-23930 was patched on all impacted systems in March 2022.

The BIOS is a crucial component that guarantees compatibility between updated software and legacy hardware. Before installing Windows 10, make certain that your computer has the most recent BIOS installed.

The Windows update may fail and roll back because of an outdated graphics driver. Before beginning the update procedure, check that the most recent graphics drivers are installed on your computer.


Magniber Ransomware Tricking Users via Fake Windows 10 Updates

 

Security analysts have unearthed a new ransomware campaign targeting Windows systems. Malicious actors are using fake Windows 10 updates to spread the Magniber ransomware strain. 

Since April 27, users around the world have been posting their stories on the BleepingComputer forum seeking a solution. According to the publication, these fake Windows 10 updates are being distributed under multiple names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as pirated sites, posing as legitimate cumulative or security updates.

Aside from these files, there are also other installers posing as Microsoft Knowledge Base (KB) updates that can install the Magniber ransomware: 

• System.Upgrade.Win10.0-KB47287134.msi 
• System.Upgrade.Win10.0-KB82260712.msi 
• System.Upgrade.Win10.0-KB18062410.msi 
• System.Upgrade.Win10.0-KB66846525.msi

Based on the submissions to VirusTotal, this malicious campaign appears to have started on April 8th, 2022 and has seen massive distribution worldwide since then. Meanwhile, it remains unclear how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites. 

Once installed, Magniber erases shadow volume copies and then encrypts files. When encrypting files, the ransomware appends a random 8-character extension, such as .gtearevf. It also drops a README.html document in each folder it encrypts; the document redirects users to Magniber’s Tor payment site, called 'My Decryptor'.

The payment site allows a victim to decrypt one file for free, contact 'support,' or obtain the cryptocurrency address to send coins to if they decide to pay the ransom. The ransom demands tend to be around $2,500 or 0.068 bitcoin, BleepingComputer reported. 

“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”

According to security researchers, no safe decryptor exists for the ransomware, nor are any weaknesses in the malware known that would allow its infection to be reversed. The ransomware presently targets regular users and students rather than corporate customers. Users therefore need to remain vigilant, avoid downloading cracked software, and use legitimate sites only. 

The ransomware was first spotted in 2017 targeting victims in South Korea. In 2021 it used the PrintNightmare exploit to target Windows users, and earlier this year, in January, it was distributed via Microsoft Edge and Chrome.

Microsoft Discreetly Upgrades Defender Antivirus to Patch a Major Flaw

 

Microsoft Defender, Microsoft's security software, has recently been updated to fix a severe security weakness. The issue, which dates back to 2014 and impacts Windows 10, let ordinary users see which locations are excluded from antivirus scanning, in turn allowing malware to be planted there undetected. 

The weakness stems from a misconfigured registry key: HKLM\Software\Microsoft\Windows Defender\Exclusions lists all locations that the antivirus does not scan, and because the 'Everyone' group had access to the key, its contents were easy to read. Any user could view the exclusions from a command prompt or with a few clicks in the Settings menu. 

On Twitter, security researcher Antonio Cocomazzi said that Microsoft had fixed the problem on Windows 10 20H2 PCs after the February 2022 Windows updates were deployed. Another researcher, Will Dormann of CERT/CC, confirmed this, stating that the permissions had changed on his systems without installing any updates, implying the change may have been delivered through both Windows updates and Microsoft Defender's own updates. 

After determining which directories are on the antivirus exclusion list, attackers could deliver and run malware from an excluded folder on a compromised Windows PC without risk of detection or removal. The permissions on the Defender exclusions registry key have now been modified, with the 'Everyone' group removed from the key's permissions. 

  • The Exclusions registry key now has new permissions.
  • Access to Defender exclusions is now blocked for ordinary users.
  • On Windows 10 systems where this change has been applied, admin credentials are required to view the exclusions list from the command prompt or when creating exclusions in the Windows Security settings screen. 

Microsoft is yet to comment on this problem, which was discovered only recently but has existed since the introduction of Windows 10. However, Redmond has clearly taken the appropriate steps, and administrator rights are now required to view the list of locations excluded from antivirus scanning.
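The fix described in this post comes down to an ACL change: the 'Everyone' group was removed from the DACL of the Exclusions registry key, so only administrators and SYSTEM can read the list. The Python below is an added example written for this page, not Microsoft's code or an ACL taken from a real system; it parses a registry key's security descriptor in SDDL form and reports which non-administrative principals are granted read access by an allow ACE. The two SDDL strings are constructed to illustrate the before and after states the article describes, not the descriptors Microsoft ships.

```python
from typing import List, Tuple

# Well-known SID aliases used in SDDL (subset relevant to this check).
SID_ALIASES = {
    "WD": "Everyone",
    "AU": "Authenticated Users",
    "BU": "Builtin Users",
    "IU": "Interactive Users",
    "BA": "Builtin Administrators",
    "SY": "Local System",
}
# SDDL rights tokens that imply reading a registry key's values:
# KR = key read, KA = key all access, GR = generic read, GA = generic all.
READ_RIGHTS = {"KR", "KA", "GR", "GA"}
# Rights may also appear as a hex access mask; these bits imply read access to a key.
KEY_QUERY_VALUE = 0x0001
GENERIC_ALL = 0x10000000
GENERIC_READ = 0x80000000
# Principals for which read access is expected and therefore not reported.
PRIVILEGED_SIDS = {"BA", "SY"}


def parse_dacl(sddl: str) -> List[Tuple[str, str, str]]:
    """Return (ace_type, rights, sid) for each ACE in the D: section of an SDDL string.

    An ACE has the form (ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid).
    """
    start = sddl.find("D:")
    if start < 0:
        return []
    body = sddl[start + 2:]
    sacl = body.find("S:")
    if sacl >= 0:
        body = body[:sacl]
    aces = []
    for chunk in body.split("(")[1:]:          # text before the first '(' holds DACL flags
        fields = chunk.rstrip(")").split(";")
        if len(fields) < 6:
            continue
        aces.append((fields[0], fields[2], fields[5]))
    return aces


def grants_read(rights: str) -> bool:
    """True if an SDDL rights field (token string or hex mask) includes key read access."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (KEY_QUERY_VALUE | GENERIC_READ | GENERIC_ALL))
    # Token strings are a concatenation of two-letter codes. Object-specific tokens such as
    # RP map differently per object type and are deliberately not treated as key reads here.
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & READ_RIGHTS)


def non_admin_readers(sddl: str) -> List[str]:
    """Principals other than Administrators/SYSTEM that an allow ACE lets read the key.

    Simplification: only allow ('A') ACEs are considered; deny ACEs and inheritance are not
    modelled, which is sufficient for spotting a broad grant such as Everyone:KR.
    """
    readers = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or not grants_read(rights) or sid in PRIVILEGED_SIDS:
            continue
        readers.append(SID_ALIASES.get(sid, sid))
    return readers


# Constructed descriptors illustrating the states the article describes (not real ACLs).
EXCLUSIONS_KEY_BEFORE = "O:SYG:SYD:(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)(A;OICI;KR;;;WD)"
EXCLUSIONS_KEY_AFTER = "O:SYG:SYD:(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)"

if __name__ == "__main__":
    print("before:", non_admin_readers(EXCLUSIONS_KEY_BEFORE))   # ['Everyone']
    print("after: ", non_admin_readers(EXCLUSIONS_KEY_AFTER))    # []
```

On a live Windows host the descriptor can be obtained in PowerShell with `(Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions').Sddl` and passed to non_admin_readers(); an empty result means no allow ACE grants read access to anyone beyond Administrators and SYSTEM, which is the post-fix state the article describes. Hex masks are handled as well, so a descriptor granting 0x20019 (KEY_READ) to Builtin Users is reported just like the token form.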