Information Security News | Cyber Security | Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper | Infosec Articles | Hacking News
Mon, 17 Jul 2023 20:28:18 +0000

With thousands of cybersecurity employees, Microsoft still doesn’t know how it got hacked
https://www.securitynewspaper.com/2023/07/17/with-thousands-of-cybersecurity-employees-microsoft-still-doesnt-know-how-it-got-hacked/
Mon, 17 Jul 2023 20:28:17 +0000

The post With thousands of cybersecurity employees, Microsoft still doesn’t know how it got hacked appeared first on Information Security Newspaper | Hacking News.

Microsoft still does not know how China-backed hackers obtained a key that let them covertly access dozens of email inboxes, including those belonging to several federal government organizations, and the company is not sharing that information with anybody. Microsoft disclosed the incident last Tuesday and attributed the activity, which took place during the previous month, to a newly identified espionage group it calls Storm-0558, which the company believes has significant ties to China. The United States Cybersecurity and Infrastructure Security Agency (CISA) said the breaches started in mid-May and involved a small number of government accounts, reportedly in the single digits, and that the hackers stole some unclassified email data. On Wednesday, a senior spokeswoman for China’s Ministry of Foreign Affairs denied the allegations, although the United States government has not formally attributed the hacking to China.

This hacking group instead went straight to the source, targeting new and previously unreported vulnerabilities in Microsoft’s cloud. In the past, China-linked groups have instead broken into individual Microsoft-powered email servers to steal business data, also relying on flaws that were not previously known.

Microsoft said in a blog post that the hackers obtained one of the company’s consumer signing keys, known as an MSA key, which Microsoft uses to protect consumer email accounts such as those used to access Outlook.com. Microsoft first believed the hackers were forging authentication tokens with a stolen enterprise signing key, the kind that protects corporate and enterprise email accounts; it then discovered that the hackers had instead used the consumer MSA key to forge tokens that were accepted by enterprise inboxes.

Microsoft said it has blocked “all actor activity” related to the incident, suggesting that the attack is over and the hackers have lost the access they had. Although it remains unclear how Microsoft lost control of its own key, the company said it has hardened its key issuance systems, presumably to stop the hackers from minting another digital skeleton key.

The hackers made one important mistake. Because they used the same key to access many inboxes, Microsoft said its investigators were able “to see all actor access requests which followed this pattern across both our enterprise and consumer systems.”

Although Microsoft’s expanded disclosure offered more technical details and indicators of compromise that incident responders can use to check whether their networks were targeted, the technology giant still has questions to answer.
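The two failure modes the article describes, a token verifier that accepts any trusted key regardless of which issuer it belongs to, and the detection signal of one key id turning up in accepted requests on both the consumer and the enterprise side, can be shown with a small model. The following is an added example written for this page, not Microsoft's code or the actual token format; HMAC-SHA256 stands in for the issuers' RSA signatures, the key ids, secrets and log lines are constructed, and the field names in the log are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed key material. In the real incident the keys were RSA signing keys
# belonging to two separate issuers; HMAC-SHA256 stands in for those signatures
# here so the example runs without a crypto library. Key ids are hypothetical.
KEYS = {
    "consumer-key-1":   {"secret": b"demo-consumer-msa-secret", "issuer": "consumer"},
    "enterprise-key-1": {"secret": b"demo-enterprise-aad-secret", "issuer": "enterprise"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issue a JWS-style token (header.payload.signature) under the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _parse(token: str):
    header, payload, sig = token.split(".")
    return json.loads(_unb64(header)), json.loads(_unb64(payload)), _unb64(sig), f"{header}.{payload}"


def _signature_ok(key: dict, signed: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signed.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_by_kid_only(token: str) -> dict:
    """Flawed verifier: any key in the trusted set may sign any token.
    A leaked consumer key therefore yields tokens the enterprise service accepts."""
    header, claims, sig, signed = _parse(token)
    key = KEYS.get(header["kid"])
    if key is None or not _signature_ok(key, signed, sig):
        raise ValueError("signature rejected")
    return claims


def verify_scoped(token: str, expected_issuer: str) -> dict:
    """Hardened verifier: the key must belong to the issuer this service trusts.
    Claims inside a forged token are attacker-controlled, so the binding is
    checked on the key itself rather than on an 'iss' claim."""
    header, claims, sig, signed = _parse(token)
    key = KEYS.get(header["kid"])
    if key is None or key["issuer"] != expected_issuer:
        raise ValueError(f"key {header.get('kid')} is not an {expected_issuer} signing key")
    if not _signature_ok(key, signed, sig):
        raise ValueError("signature rejected")
    return claims


def rejects(verifier, *args) -> bool:
    """True when the verifier refuses the token (helper for the checks below)."""
    try:
        verifier(*args)
    except ValueError:
        return True
    return False


# Constructed access-request log lines in the spirit of the article's detection:
# the same key id accepted on both systems is the signal investigators used.
SAMPLE_LOG = """\
2023-05-15T10:02:11Z system=consumer kid=consumer-key-1 user=someone@outlook.example result=accepted
2023-05-15T10:03:40Z system=enterprise kid=enterprise-key-1 user=bob@corp.example result=accepted
2023-05-15T10:05:02Z system=enterprise kid=consumer-key-1 user=alice@corp.example result=accepted
2023-05-15T10:05:09Z system=enterprise kid=consumer-key-1 user=ceo@agency.example result=accepted
"""


def keys_used_across_systems(log_text: str) -> dict:
    """Return {kid: sorted systems} for key ids accepted by more than one system."""
    seen = {}
    for line in log_text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if fields.get("result") == "accepted":
            seen.setdefault(fields["kid"], set()).add(fields["system"])
    return {kid: sorted(systems) for kid, systems in seen.items() if len(systems) > 1}


if __name__ == "__main__":
    forged = mint_token("consumer-key-1", {"sub": "intruder", "aud": "enterprise-mail"})
    print("kid-only verifier accepts forged token:", not rejects(verify_by_kid_only, forged))
    print("scoped verifier accepts forged token:", not rejects(verify_scoped, forged, "enterprise"))
    print("keys seen on more than one system:", keys_used_across_systems(SAMPLE_LOG))
```

The point of `verify_scoped` is that trust in a key is not a single bit: the set of keys a service accepts must be limited to the issuer it serves, so a key that is valid for consumer accounts cannot mint anything an enterprise mailbox honours. The log scan is the same idea from the detection side: a key id that is accepted by both populations is either a configuration error or exactly the pattern Microsoft reported.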

d3dcompiler_47.dll: If AV raises an alert about this Microsoft signed dll file, you are in trouble
https://www.securitynewspaper.com/2023/03/31/d3dcompiler_47-dll-if-av-raises-an-alerts-about-this-microsoft-signed-dll-file-you-are-in-trouble/
Fri, 31 Mar 2023 21:10:52 +0000

According to security researchers, threat actors abused a popular corporate communication product from 3CX: reports state that a compromised desktop client for the 3CX VoIP (Voice over Internet Protocol) service was used to target 3CX’s own customers.

The attack appears to be a multi-stage process whose first stage is a compromised version of the 3CX desktop application. Although the .exe installer and the MSI package share the same name, preliminary research indicates that the MSI package is the one that may contain the maliciously modified DLLs.

The infection chain begins when 3CXDesktopApp.exe loads ffmpeg.dll. ffmpeg.dll then reads encrypted code from d3dcompiler_47.dll and decrypts it. The decrypted code appears to be the backdoor payload, which tries to reach the IconStorage GitHub page to fetch an ICO file containing the encrypted address of the C&C server; the backdoor connects to that server to obtain what is probably the final payload.

It is no coincidence that the threat actors chose these two DLLs (ffmpeg and d3dcompiler_47). The application in question, 3CXDesktopApp, is built on the open-source Electron framework, and both libraries are commonly shipped with the Electron runtime, so they are very unlikely to arouse suspicion in customers’ environments. In addition, the tampered file, d3dcompiler_47, is signed with a certificate issued to Microsoft Corporation, and the Windows digital signature details report no problems with the signature. A binary carrying a valid signature from a trusted company such as Microsoft is more likely to be given the “green light” by endpoint protection products.

In this instance, the “smoking gun” was the combination of RC4-encrypted shellcode inserted into the signature appendix of d3dcompiler_47 and a reference to the d3dcompiler library that had been added to the ffmpeg library.

Windows normally shows a notification saying the “digital signature of the item did not validate” whenever a signed executable has been modified, yet although we know d3dcompiler_47.dll was altered, Windows still presented it as validly signed.

It seems the DLL is abusing the CVE-2013-3900 flaw, which is referred to as a “WinVerifyTrust Signature Validation Vulnerability.”

Microsoft first publicly disclosed this vulnerability on December 10, 2013. At the time, the company explained that content can be added to the Authenticode signature section of a signed executable (the WIN_CERTIFICATE structure) without invalidating the signature.

Microsoft ultimately made the fix optional, most likely because enforcing it would invalidate legitimate, signed executables that store data in the signature block.

In its disclosure for CVE-2013-3900, Microsoft stated that, with the update released on December 10, 2013, it changed how signatures are verified for binaries signed with the Windows Authenticode signature format. The update was made available for all supported releases of Microsoft Windows.

The change is opt-in. When the new Windows Authenticode signature verification behavior is enabled, Windows no longer treats non-compliant binaries as signed and no longer allows extraneous information to be stored in the WIN_CERTIFICATE structure.

Even though nearly 10 years have passed since the vulnerability was disclosed, and several threat actors are known to exploit it, the remedy remains an opt-in feature that can only be enabled by manually editing the Windows Registry. Worse, even if you add the Registry entries that turn the stricter check on, they are removed when you upgrade to Windows 11, leaving the device vulnerable once again.
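Because the strict verification is off by default, a defender cannot rely on the signature dialog to notice data appended inside the WIN_CERTIFICATE structure. The check itself is simple to do offline: locate the security data directory, read the WIN_CERTIFICATE header, measure the PKCS#7 blob by its DER length, and treat anything beyond the 8-byte alignment padding as unexplained. The following is an added example for this page (not 3CX’s, Microsoft’s or any vendor’s code) and the `build_test_pe` helper constructs a minimal PE32+ image with a fake DER SEQUENCE in place of a real signature, so the script runs without a signed binary at hand; point `check_authenticode_padding` at a real file to scan it.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the certificate table


def _der_length(buf: bytes, pos: int = 0) -> int:
    """Total encoded size (tag + length + content) of the DER SEQUENCE at buf[pos]."""
    if buf[pos] != 0x30:
        raise ValueError("expected a DER SEQUENCE at the start of bCertificate")
    first = buf[pos + 1]
    if first < 0x80:                      # short form
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def _security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table from the optional header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                               # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)      # PE32+ vs PE32 data directory start
    return struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_authenticode_padding(pe: bytes) -> dict:
    """Measure what sits in WIN_CERTIFICATE beyond the PKCS#7 blob and its alignment."""
    offset, size = _security_directory(pe)
    if offset == 0 or size == 0:
        return {"signed": False}
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    cert = pe[offset + 8: offset + dw_length]
    der_len = _der_length(cert)
    trailing = cert[der_len:]
    align_pad = (-der_len) % 8                    # legitimate zero padding to an 8-byte boundary
    pad, extra = trailing[:align_pad], trailing[align_pad:]
    # Non-zero padding bytes or any bytes past the padding are data smuggled into the
    # signature block: the CVE-2013-3900 pattern the article describes.
    unexplained = len(extra) + len(pad.replace(b"\0", b""))
    return {
        "signed": True,
        "certificate_type": cert_type,
        "directory_size_matches": size == dw_length,
        "pkcs7_len": der_len,
        "trailing_bytes": len(trailing),
        "unexplained_bytes": unexplained,
        "suspicious": unexplained > 0,
    }


def build_test_pe(appended: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image carrying a fake WIN_CERTIFICATE (constructed test data;
    the DER blob is a bare SEQUENCE, not a real Authenticode signature)."""
    body = b"\x02\x01\x01" + b"A" * 200                                   # 203 bytes of filler
    pkcs7 = b"\x30\x82" + struct.pack(">H", len(body)) + body              # SEQUENCE, 207 bytes
    cert_blob = pkcs7 + b"\0" * ((-len(pkcs7)) % 8) + appended
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)          # SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                  # PE32+ magic
    cert_offset = len(dos) + 4 + len(coff) + len(opt)                      # table follows headers
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_test_pe(b"\x8f\x13" * 16)   # 32 constructed bytes appended after the padding
    print(check_authenticode_padding(data))
```

A clean signed file reports zero unexplained bytes; the appended case reports exactly the number of bytes smuggled in. The DER length is the right yardstick because Authenticode verification hashes the PE with the whole certificate table excluded, so Windows (with the stricter check disabled) never looks at what follows the PKCS#7 content.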

Companies that may be affected should immediately stop using the vulnerable versions of the software and its DLLs where feasible, and apply any patches or mitigations that are available. IT and security staff should also search for the known compromised binaries and builds and watch for abnormal activity in 3CX processes, with particular attention to C&C traffic.

In the meantime, enabling behavioral monitoring in security products can help determine whether an attack is currently underway on the system.

Hackers gained access to O365 email accounts by using OAuth applications “certified” by Microsoft
https://www.securitynewspaper.com/2023/01/31/hackers-gained-access-to-o365-email-accounts-by-using-oauth-applications-certified-by-microsoft/
Wed, 01 Feb 2023 00:41:36 +0000

Becoming verified on well-known platforms such as Instagram, Twitter, or the Apple App Store has become the standard for establishing one’s standing in today’s online social scene. As users, we trust verified accounts more than unverified ones. In the business world the situation is the same with third-party OAuth app publishers that Microsoft has validated. Unfortunately, threat actors have also noticed the weight that verified status carries in the Microsoft ecosystem.

Proofpoint researchers found a new malicious third-party OAuth app campaign that used Microsoft’s “certified publisher” status to satisfy some of Microsoft’s requirements for distributing OAuth apps. This raised the likelihood that users would be duped into granting authorization when a malicious third-party OAuth app (hereafter an “OAuth app” or “malicious app”) requests access to data available through the user’s account. The malicious applications had extensive delegated permissions, including the ability to read email, change mailbox settings, and access files and other data associated with the user’s account.

According to Microsoft, an app achieves “publisher verified” (also called “verified publisher”) status when the “publisher of the app has verified their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration.” (To avoid any confusion, a “certified publisher” has nothing to do with the desktop program Microsoft Publisher, which is included in some Microsoft 365 tiers.)

Microsoft’s documentation goes on to clarify that “after the publisher of an app has been confirmed, a blue verified badge displays in the Azure Active Directory (Azure AD) authorization prompt for the app and on other websites.” Note that when Microsoft discusses third-party OAuth applications, it is referring to apps developed by outside companies, which are called “publishers” in the Microsoft ecosystem.

Researchers identified three malicious applications created by three distinct malicious publishers. The applications targeted the same organizations and are tied to the same malicious infrastructure. Multiple users were observed granting the malicious applications consent, putting their organizations’ environments at risk.

According to the investigation, most of the targets in this campaign appeared to be in the United Kingdom (UK). Compromised accounts included individuals in finance and marketing departments as well as high-profile users such as managers and executives. Proofpoint first observed this variant of malicious third-party OAuth applications on December 6th, 2022; in every case, the dedicated backend infrastructure supporting the applications had been set up only days or weeks before that date.

Once users grant consent, the malicious applications’ default delegated permissions let threat actors access and manipulate mailbox resources, calendar events, and meeting invitations linked to the compromised accounts. No further user action is needed after consent, because the permissions also include “offline access,” and the issued refresh token usually has a long lifetime of more than a year. This gave the threat actors access to the compromised account’s data as well as the ability to use the compromised Microsoft account in later BEC attempts or other attacks.

Beyond account takeover, organizations that are impersonated risk having their brand abused, and it is very hard for them to tell whether one of these attacks is damaging their reputation, since no contact need ever take place between the impersonated entity and the malicious verified publisher.

Even when Microsoft has verified a third-party OAuth app, granting it access calls for great care. OAuth applications should not be trusted solely on the basis of their verified publisher status, and given the sophistication of these attacks, end users are likely to fall for the social engineering involved.
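The practical takeaway from the article is to review existing consent grants by what they permit rather than by who published the app: mailbox or file scopes combined with `offline_access` mean a long-lived refresh token and persistent access. The following is an added example for this page, not Proofpoint’s or Microsoft’s tooling. The scope names are real Microsoft Graph delegated permissions, the export format is a constructed sample that loosely follows the Graph `oauth2PermissionGrant` fields, the `publisherVerified` field is a hypothetical addition, and the tiering is this example’s own judgement.

```python
import json

# Real Microsoft Graph delegated permission names. The grouping into tiers is this
# example's own judgement of what hands an attacker persistent mailbox or file access.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                  "MailboxSettings.ReadWrite", "Calendars.ReadWrite"}
FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All"}
PERSISTENCE_SCOPE = "offline_access"      # yields a refresh token; no further user action needed

# Constructed consent-grant export (hypothetical format). 'scope', 'consentType' and
# 'principalId' mirror the Graph oauth2PermissionGrant resource; 'publisherVerified'
# is added here so the example can show that it must not lower the score.
SAMPLE_EXPORT = """[
  {"clientDisplayName": "Single Sign-on Helper", "publisherVerified": true,
   "scope": "Mail.Read MailboxSettings.ReadWrite Files.Read.All offline_access",
   "consentType": "Principal", "principalId": "alice@corp.example"},
  {"clientDisplayName": "Meeting Scheduler", "publisherVerified": true,
   "scope": "Calendars.ReadWrite offline_access",
   "consentType": "Principal", "principalId": "cfo@corp.example"},
  {"clientDisplayName": "Doc Search", "publisherVerified": false,
   "scope": "Files.Read.All",
   "consentType": "AllPrincipals", "principalId": null},
  {"clientDisplayName": "Profile Viewer", "publisherVerified": true,
   "scope": "User.Read",
   "consentType": "Principal", "principalId": "bob@corp.example"}
]"""


def assess_grant(grant: dict) -> dict:
    """Score one consent grant by the access it confers, ignoring publisher status."""
    scopes = set(grant.get("scope", "").split())
    mailbox = sorted(scopes & MAILBOX_SCOPES)
    files = sorted(scopes & FILE_SCOPES)
    persistent = PERSISTENCE_SCOPE in scopes
    if persistent and (mailbox or files):
        tier = "high"          # data access that survives the user's session
    elif mailbox or files or persistent:
        tier = "medium"
    else:
        tier = "low"
    reasons = []
    if mailbox:
        reasons.append("mailbox access: " + ", ".join(mailbox))
    if files:
        reasons.append("file access: " + ", ".join(files))
    if persistent:
        reasons.append("offline_access (long-lived refresh token)")
    if grant.get("publisherVerified"):
        reasons.append("verified publisher (does not reduce risk)")
    return {
        "app": grant["clientDisplayName"],
        "principal": grant.get("principalId"),
        "consentType": grant.get("consentType"),
        "tier": tier,
        "reasons": reasons,
    }


def triage(export_json: str) -> list:
    """Assess every grant in the export and order the findings worst-first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [assess_grant(g) for g in json.loads(export_json)]
    return sorted(findings, key=lambda f: (order[f["tier"]], f["app"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(f"[{finding['tier']:6}] {finding['app']} ({finding['consentType']}, "
              f"{finding['principal']}): " + "; ".join(finding["reasons"]))
```

Run against a real export, the high-tier list is the set of apps whose refresh tokens should be revoked first if any of them turns out to be unexpected, regardless of the badge shown on the consent prompt.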

Microsoft leaked confidential data of 150,000 businesses across 123 nations
https://www.securitynewspaper.com/2022/10/21/microsoft-leaked-confidential-data-of-150000-businesses-across-123-nations/
Fri, 21 Oct 2022 19:42:03 +0000

Security researchers at SOCRadar notified Microsoft of a misconfigured Microsoft endpoint that allowed unauthorized access to business transaction data about exchanges between Microsoft and prospective customers, such as planning and potential implementation of Microsoft services. The exposed material includes documents that may contain intellectual property, Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user data, product orders and offers, project details, and personally identifiable information (PII). Customer data was exposed in public buckets; six large ones held details of more than 150,000 businesses across 123 countries.

SOCRadar dubbed the breach BlueBleed, a name for the sensitive data collectively spilled by the six misconfigured buckets.

SOCRadar reports that the misconfigured server, SQL Server databases, and other Microsoft files exposed 2.4 TB of private data, with dates ranging from 2017 to August 2022.

According to SOCRadar, the portion of the breach called BlueBleed Part I contains sensitive information from more than 65,000 organizations in 111 countries, comprising more than 335,000 emails, 133,000 projects, and 548,000 exposed users in the dumps seen so far.

The exposed files in the misconfigured bucket include: invoices, product orders, product offers, PoE documents, SoW documents, project information, customer-signed contracts, Proof of Concept (PoC) projects, customer emails (including .EML files), customer stock levels and product price lists, internal feedback on customers (“high risk” and the like), customer asset records, sales methods, and partner ecosystem details.

Companies can use the BlueBleed search tool that SOCRadar released to check whether their company names appear in the BlueBleed leaks.

Microsoft regrets SOCRadar’s decision to make a “search tool” publicly available, saying it is not in the best interest of customer privacy or security and may expose customers to undue risk.

In the blog entry, Microsoft stated:

“Our investigation revealed no evidence that any systems or customer accounts had been accessed. The impacted consumers have been immediately informed by us.

“The problem was not the consequence of a security vulnerability, but rather an unintended configuration error on an endpoint that is not in use throughout the Microsoft ecosystem.

“No evidence of corrupted customer accounts or systems was identified throughout our examination. The impacted clients have already been informed immediately.”

“The problem wasn’t the consequence of a security flaw, but rather an unintended setup error on an endpoint that wasn’t being utilized by the whole Microsoft ecosystem.

To further prevent this kind of misconfiguration, we are striving to strengthen our procedures. We are also carrying out more due diligence to check the security of all Microsoft endpoints.”

Fix these Windows vulnerabilities before someone exploits them
https://www.securitynewspaper.com/2022/08/11/fix-these-windows-vulnerabilities-before-someone-exploits-them/
Thu, 11 Aug 2022 17:40:27 +0000

Security flaws appear all the time and can compromise our devices, affecting operating systems such as Windows, applications, and drivers. It is important to fix them promptly so that attackers get no chance to exploit them. In this article we cover the latest important vulnerabilities that Windows has fixed and explain why you should update as soon as possible.

Microsoft fixes numerous bugs

Microsoft has released security patches fixing a total of 121 bugs. One of them, the company says, is already being exploited, which makes fixing it even more urgent: CVE-2022-34713, rated 7.8, which allows remote code execution and affects the Microsoft Support Diagnostic Tool.

According to the reports, exploiting this vulnerability requires the user to open a specially crafted file. For example, an attacker could send a file by email and convince the victim to open it; from there the bug can be exploited.

Another option is to deliver a malicious file through a web page: the victim is lured into visiting a site and downloading a file, after which the attacker gains control.

Of the 121 bugs Microsoft has fixed, 17 are rated critical, 102 important, one moderate, and one low. All of them can compromise a Windows system, so they are worth fixing.

In addition, Microsoft has resolved three privilege escalation bugs in Exchange that could be exploited to put messages and attachments at risk. These should also be taken into account and corrected:

  • CVE-2022-21980
  • CVE-2022-24477
  • CVE-2022-24516

What to do to protect Windows

As you can see, Microsoft has released a series of patches for numerous vulnerabilities. Some are classified as critical, can genuinely be exploited, and pose a significant security problem, so action should be taken as soon as possible.

The first thing to do is update Windows properly: go to Start, open Settings, and go to Windows Update, which lists any pending updates. Make sure nothing is left uninstalled and that the whole update completes successfully.

You have also seen that some of these vulnerabilities are exploited through mistakes the attacker induces the victim to make, such as downloading an attachment that arrives by email or downloading a file from a fraudulent web page. Here the defense is common sense: do not make mistakes of this kind.

Likewise, a good antivirus further improves Windows security. There are many free and paid options; always choose a reputable one that works correctly and helps you improve network security and avoid problems.

Windows enables default account lockout policy for RDP (Remote Desktop Protocol) to reduce ransomware attacks based on brute forcing RDP
https://www.securitynewspaper.com/2022/07/26/windows-enables-default-account-lockout-policy-for-rdp-remote-desktop-protocol-to-reduce-ransomware-attacks-based-on-brute-forcing-rdp/
Tue, 26 Jul 2022 20:36:10 +0000

Microsoft has decided to add specific security measures against brute force attacks on RDP (Remote Desktop Protocol). The improvements have been introduced in the latest Windows 11 builds: given the evolution of attacks abusing RDP, Microsoft added the measure in Insider Preview build 22528.1000. It automatically locks an account for 10 minutes after 10 invalid login attempts. The news was broken by David Weston (VP of OS & Enterprise Security) on Twitter last week.

Attacks of this kind against RDP are very common in human-operated ransomware. This relatively simple measure makes brute force attacks considerably harder and is quite effective at discouraging them. However, the measure could already be enabled in Windows 10, so the real novelty is that it is now on by default.

It is also expected that, as happened with the blocking of VBA macros in Office documents, the change will be rolled out to earlier versions of Windows and Windows Server. Alongside malicious macros, brute-forcing RDP access has long been one of the most popular methods used in cyberattacks to gain initial unauthorized access to Windows systems. Among others, the LockBit, Conti, Hive, PYSA, Crysis, SamSam, and Dharma ransomware families are known to rely on these attacks to gain initial access to victims’ computers.

Effects of the security measure

Microsoft hopes the measure will significantly reduce the number of intrusions into computers running its operating system by preventing attacks that obtain passwords by brute force against RDP (especially weak passwords). Cybercriminals also use this method to gain access to victim systems and later sell the credentials on the dark web.

However, Microsoft warns that this protection could be abused by cybercriminal groups to mount a denial of service (DoS) attack: it would be enough to run brute force attempts in parallel against all of an organization’s accounts over RDP at ten-minute intervals to keep them all locked for the duration of the attack.
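The policy and its side effect are easiest to reason about by replaying logon events through the rule. The following is an added example for this page, not Microsoft’s implementation: it models the article’s 10 failures / 10 minutes policy over a stream of (timestamp, account, success) events, then looks for the lockout storm that distinguishes the DoS pattern Microsoft warns about from ordinary user error. The counter-reset window is an assumption of this example (Windows exposes it as a separate policy setting), and all events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# The policy the article describes for the Insider build: 10 invalid attempts lock
# the account for 10 minutes. The failure-counter reset window is an assumption of
# this example (Windows configures it separately from the lockout duration).
THRESHOLD = 10
LOCKOUT_DURATION = timedelta(minutes=10)
RESET_WINDOW = timedelta(minutes=10)
BASE = datetime(2022, 7, 26, 9, 0, 0)     # start time of the constructed event stream


def apply_lockout_policy(events, threshold=THRESHOLD, duration=LOCKOUT_DURATION, window=RESET_WINDOW):
    """Replay (timestamp, account, success) logon events through the lockout policy.

    Returns {"lockouts": [(time, account), ...], "refused": n}, where 'refused'
    counts attempts made against an account while it was locked.
    """
    failures = {}       # account -> deque of recent failure timestamps
    locked_until = {}   # account -> time the lock expires
    lockouts, refused = [], 0
    for ts, account, success in sorted(events):
        if locked_until.get(account, datetime.min) > ts:
            refused += 1                      # locked: attempt is refused, lock not extended
            continue
        recent = failures.setdefault(account, deque())
        if success:
            recent.clear()                    # a good logon resets the counter
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()                  # forget failures outside the reset window
        if len(recent) >= threshold:
            locked_until[account] = ts + duration
            lockouts.append((ts, account))
            recent.clear()
    return {"lockouts": lockouts, "refused": refused}


def lockout_storm(lockouts, window=LOCKOUT_DURATION, min_accounts=20):
    """Return (window_start, sorted accounts) for the window with the most distinct
    locked accounts, if that count reaches min_accounts; otherwise None. Many
    accounts locking within one lockout period is the DoS signature, not user error."""
    lockouts = sorted(lockouts)
    best = None
    for i, (start, _) in enumerate(lockouts):
        accounts = {acct for ts, acct in lockouts[i:] if ts < start + window}
        if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best[1])):
            best = (start, sorted(accounts))
    return best


def constructed_events():
    """Constructed logon stream: one sprayed service account, one clumsy user, then a
    parallel spray across 25 accounts (the pattern the article's DoS warning describes)."""
    events = [(BASE + timedelta(seconds=i), "svc_backup", False) for i in range(12)]
    events += [(BASE + timedelta(minutes=1, seconds=20 * i), "alice", ok)
               for i, ok in enumerate([False, False, True])]
    for n in range(25):
        events += [(BASE + timedelta(minutes=5, seconds=2 * n + 0.1 * i), f"user{n:02d}", False)
                   for i in range(10)]
    return sorted(events)


if __name__ == "__main__":
    result = apply_lockout_policy(constructed_events())
    print(f"{len(result['lockouts'])} lockouts, {result['refused']} attempts refused while locked")
    storm = lockout_storm(result["lockouts"])
    if storm:
        print(f"lockout storm from {storm[0]:%H:%M:%S}: {len(storm[1])} accounts")
```

The `alice` sequence shows that a mistyped password twice over does not approach the threshold, while the 25-account spray locks every one of them inside a single ten-minute window. Alerting on the number of distinct accounts locked per lockout period, rather than on individual lockouts, is what separates the two cases in a SIEM.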

MICROSOFT MAKES THINGS HARDER FOR CYBER CRIMINALS BY DISABLING MACROS AGAIN BY DEFAULT IN OFFICE PRODUCTS
https://www.securitynewspaper.com/2022/07/22/microsoft-makes-things-harder-for-cyber-criminals-by-disabling-macros-again-by-default-in-office-products/
Fri, 22 Jul 2022 21:17:03 +0000

One attack method hackers use is a simple Word document sent by email, containing macros able to execute a malicious payload, infect the system, steal information, and so on. Microsoft has had second thoughts about what to do with macros, and now seems to be back to the idea of blocking them by default, which will make things more secure.

Microsoft blocks macros again

Microsoft decided to block macros to avoid attacks through a simple Word or Excel file. Some time later it re-enabled them, and now it has finally reversed course and is going to block them again. These are the VBA macros that can be enabled when opening a downloaded Office file.

Microsoft says the documentation for both users and administrators is now ready, so the macros can now be blocked without problems. The change will reach users’ systems gradually; from then on, macros will be automatically blocked in Microsoft Office documents that arrive from the Internet.

This affects the various Office applications, such as Access, Excel, PowerPoint, and Word. The goal is to close one of the ways hackers sneak in malware. Malicious macros are very common in phishing attacks, in which cybercriminals lure the victim into clicking a file and downloading it; the macros would then run automatically and the trouble would begin. That will no longer be possible.

Microsoft has been working on this change for a long time; the plan was to launch it between April and June, and so it did. Then Microsoft suddenly set it aside and re-enabled macros, but it did not take long to reverse that decision.

The uncertainty arose because many users said they could not easily find the option to unblock macros manually, while others found it inconvenient to repeat that step every time they downloaded a file.

Avoid attacks with Word files

Microsoft has taken a first step to help us stay secure when opening Word or Excel files received by email, but it is important to take additional measures to keep our privacy and security protected at all times.

The most important thing is common sense. Never download and open documents without knowing who is behind them; check the source and do not download files that may be dangerous. Avoiding mistakes is essential to protect the system from the many kinds of malware that arrive this way.

It is also a good idea to have a good antivirus, which will help detect malware that reaches the system and remove it if necessary. There are many options; always choose one that is known to work properly.

Likewise, keeping everything up to date is very important. Always install all Windows patches and updates to avoid exploitable vulnerabilities.

Bluetooth signals on smartphones allow tracking any user’s location by exploiting BLE
https://www.securitynewspaper.com/2022/06/10/bluetooth-signals-on-smartphones-allow-tracking-any-users-location-by-exploiting-ble/
Fri, 10 Jun 2022 16:31:34 +0000

A group of researchers has shown that Bluetooth signals emitted by electronic devices can be identified and tracked individually. The University of California experts say only a suitable tracking tool is needed to carry out this tracking.

Although the attack sounds simple, the researchers note that a threat actor would have to overcome multiple obstacles to replicate the scenario against a commonly used device: “By their nature, Bluetooth Low Energy (BLE) wireless tracking beacons could pose a significant risk to users’ privacy. For example, an adversary could track a device by placing BLE receivers near public places and then record the presence of the user’s beacons.”

Examples include the BLE beacons that Microsoft and Apple added to their operating systems for functions such as locating lost devices, connecting smartphones to wireless accessories such as headphones or speakers, and letting users switch between devices easily.

Such devices transmit on the order of 500 beacons per minute. To address security and privacy concerns, many BLE proximity applications cryptographically anonymize the device and periodically rotate its identity in the beacons: the device’s MAC address is randomized at regular intervals, and apps rotate their own identifiers so that receivers cannot link beacons from the same device.

An attacker can sidestep these protections by looking at the transmission at a lower layer. Earlier studies showed that wireless transmitters carry small, unintended imperfections from manufacturing that are unique to each device.

The researchers found that the same kind of imperfections in Bluetooth transmitters produce measurable distortions in the signal (in their study, carrier frequency offset and I/Q imbalance) that can be combined into a unique fingerprint. That fingerprint can then be used to track the device, and therefore an unsuspecting user, regardless of how the MAC address or application identifiers rotate.

As noted above, this is not straightforward. An attacker first needs to capture the target’s transmissions in isolation in order to learn the unique physical-layer features of its Bluetooth transmitter; they then need a receiver positioned where the device is likely to be, passively listening for the target’s Bluetooth transmissions.
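To make the lower-layer linking concrete, here is an added simulation (editor’s example, not the researchers’ code or data): four hypothetical phones each have a fixed physical-layer fingerprint (carrier frequency offset and I/Q offset, with invented values and noise levels), every beacon carries a freshly randomized MAC, and the “attacker” enrolls each device from an isolated capture and then links later beacons by nearest fingerprint. One device is deliberately given a fingerprint close to another’s, to show one of the obstacles mentioned above: devices whose hardware imperfections overlap cannot be told apart reliably.

```python
import random
import statistics

# Constructed "true" physical-layer fingerprints for four hypothetical phones:
# (carrier frequency offset in kHz, I/Q offset magnitude). Illustrative values,
# not measurements from the UCSD study.
TRUE_FINGERPRINTS = {
    "phone-A": (3.1, 0.021),
    "phone-B": (-2.4, 0.008),
    "phone-C": (11.7, 0.035),
    "phone-D": (3.3, 0.020),   # deliberately close to phone-A (failure mode)
}
# Assumed per-beacon measurement noise (standard deviation) for each feature.
NOISE_SD = (0.4, 0.002)


def random_mac(rng):
    """A fresh random MAC, standing in for BLE address randomization."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def synth_beacons(rng, per_device=20):
    """Constructed beacon captures: each beacon carries a rotating MAC (useless
    for linking) plus noisy physical-layer features (stable per device)."""
    beacons = []
    for name, (cfo, iq) in TRUE_FINGERPRINTS.items():
        for _ in range(per_device):
            beacons.append({
                "mac": random_mac(rng),
                "cfo": rng.gauss(cfo, NOISE_SD[0]),
                "iq": rng.gauss(iq, NOISE_SD[1]),
                "truth": name,   # ground truth, used only to score the result
            })
    rng.shuffle(beacons)
    return beacons


def enroll(labelled_beacons):
    """Attacker's first obstacle: capture each target in isolation and average
    its features into a fingerprint (centroid)."""
    by_dev = {}
    for b in labelled_beacons:
        by_dev.setdefault(b["truth"], []).append(b)
    return {
        name: (statistics.fmean([b["cfo"] for b in bs]),
               statistics.fmean([b["iq"] for b in bs]))
        for name, bs in by_dev.items()
    }


def identify(beacon, fingerprints):
    """Nearest fingerprint in noise-normalized feature space; the MAC is ignored."""
    def dist(fp):
        return (((beacon["cfo"] - fp[0]) / NOISE_SD[0]) ** 2
                + ((beacon["iq"] - fp[1]) / NOISE_SD[1]) ** 2)
    return min(fingerprints, key=lambda name: dist(fingerprints[name]))


def linking_accuracy(seed=1234):
    """Enroll on one capture, then link a second capture whose MACs are all new.
    Returns the fraction of beacons correctly linked, per device."""
    rng = random.Random(seed)
    fingerprints = enroll(synth_beacons(rng))
    field = synth_beacons(rng)        # second capture: every MAC is different
    hits = {name: 0 for name in TRUE_FINGERPRINTS}
    for b in field:
        if identify(b, fingerprints) == b["truth"]:
            hits[b["truth"]] += 1
    per_device = len(field) // len(TRUE_FINGERPRINTS)
    return {name: hits[name] / per_device for name in hits}


if __name__ == "__main__":
    for name, acc in linking_accuracy().items():
        print(f"{name}: {acc:.0%} of beacons linked despite MAC rotation")
```

Phones B and C, whose fingerprints sit many noise standard deviations apart, are linked essentially every time even though no two beacons share a MAC; phones A and D, whose imperfections overlap, are confused with each other about a third of the time. That overlap, plus the need for an isolated enrollment capture, is why the researchers call the attack non-trivial in practice.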

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Follina, Microsoft Office vulnerability, also affects Foxit PDF Reader; no patches available
https://www.securitynewspaper.com/2022/06/08/follina-microsoft-office-vulnerability-also-affects-foxit-pdf-reader-no-patches-available/ (Wed, 08 Jun 2022 16:27:48 +0000; https://www.securitynewspaper.com/?p=25388)

A few days ago, a security researcher reported a zero-day vulnerability in Microsoft Office that can be exploited with a seemingly harmless Word document, which executes PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).

After the flaw, dubbed Follina, was publicly disclosed and several exploits were released, Microsoft acknowledged the bug and assigned it the identifier CVE-2022-30190, describing it as a remote code execution (RCE) vulnerability.

Security researcher Kevin Beaumont explained that the malicious documents use Word’s remote template feature to retrieve an HTML file from a remote web server; that HTML in turn uses the ms-msdt: URI scheme to load code and run PowerShell. Beaumont also notes that Follina can be triggered through the search-ms: (Windows Search) protocol handler as well.

Vulnerable PDF tools

Although this was already a considerable security risk, things did not stop there: it has since been confirmed that the vulnerability can also be triggered from Foxit PDF Reader. On Twitter, user @j00sean wrote: “While testing PDF readers, I found a way to trigger error CVE-2022-30190, also known as #Follina, in Foxit PDF Reader. This doesn’t work in Adobe because of sandbox protections.”

The researcher shared a video of the proof of concept (PoC), showing the tests performed on Foxit PDF Reader v11.2.2.53575, the latest version at the time. Foxit has not yet released a security update to address the bug or published an advisory about it.

The researcher also posted the payload that triggers the bug in Foxit, noting that successful exploitation requires the target user to allow the connection in a security-warning pop-up.

Known exploitation

Threat actors believed to be Chinese have been actively exploiting this vulnerability. Reports specifically point to TA413, an advanced persistent threat (APT) group that runs ongoing campaigns against the Tibetan community.

A Proofpoint report also details how officials in Europe and the United States have been targeted by this campaign, receiving malicious documents in phishing emails purporting to come from legitimate entities.

How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/ (Fri, 03 Jun 2022 20:43:26 +0000; https://www.securitynewspaper.com/?p=25372)

A recent report indicates that Microsoft Office applications are exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a user who hovers over a link in a phishing email or in a Word or Excel document is shown a convincing look-alike domain, and is taken to the attacker’s site when they click it.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters outside the Latin alphabet, encoded according to the Unicode standard. So that the Domain Name System (DNS) can handle them, IDNs are stored as ASCII strings using the Punycode encoding (labels prefixed with xn--).

Counterfeit IDN homograph domains are created by combining letters from different alphabets that look so alike that a user cannot distinguish them, even though Unicode treats them as distinct characters. The concept is not new, but it remains a problem for many users.

Most browsers, for example, show the Punycode form of an internationalized domain in the address bar (https://xn--n1aag8f.com, for example) instead of its Unicode display form (https://žugec.com) when the name looks suspicious. Office applications, including Outlook, do not apply this logic and show the Unicode form when the user hovers over the link.

Because registrars restrict which look-alike domains can be registered and most browsers display the Punycode form of a spoofed IDN, IDN homograph attacks have ceased to be a constant threat, although threat actors may still find ways to deploy them at scale.

Microsoft acknowledged the problem on receiving the Bitdefender report, though it is unclear whether or when it will be fixed. Until then, endpoint security products and IP/URL reputation services can help by blocking most suspicious domains.
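As an added illustration (editor’s example, not code from the Bitdefender report), the following Python reproduces the two behaviours the report contrasts: converting a domain between its Unicode display form and the Punycode form stored in DNS, and a browser-style check that falls back to showing Punycode when a label mixes scripts or is a whole-script look-alike of a known brand. The confusable table and the brand list are small constructed subsets, not the full Unicode confusables data; the Cyrillic “аpple.com” test domain is the standard homograph demonstration.

```python
import unicodedata

# Constructed confusable table: a small subset of Unicode's confusables.txt,
# mapping Cyrillic letters to the Latin letters they resemble (assumption: a
# handful of entries is enough for the demo, not the full table).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_ascii(domain):
    """Punycode (xn--) form as stored in DNS: what a careful browser shows."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Unicode display form: what an email client may show on hover."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label):
    """Set of scripts used in one label, taken from Unicode character names."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue          # digits and hyphens carry no script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(label):
    """Replace confusable characters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def is_suspicious(domain, known_brands=()):
    """True if any label mixes scripts, or a non-ASCII label is a whole-script
    look-alike of a brand label supplied by the caller."""
    for label in domain.lower().split("."):
        if len(scripts_in(label)) > 1:
            return True
        if not label.isascii() and skeleton(label) in known_brands:
            return True
    return False


def display_form(domain, known_brands=()):
    """Browser-style policy: Punycode for suspicious IDNs, Unicode otherwise.
    An Outlook-style client that always returns `domain` is the weak behaviour."""
    return to_ascii(domain) if is_suspicious(domain, known_brands) else domain
```

The mixed-script rule catches “аpple.com” (Cyrillic а followed by Latin letters), which becomes xn--pple-43d.com in DNS. A whole-script spoof such as “аррӏе.com” (every letter Cyrillic) passes the mixed-script test and is only caught when the caller supplies the brand names to compare against, which is why browsers pair script checks with confusable-skeleton comparison rather than relying on either alone; legitimately accented single-script names such as žugec.com are left untouched.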

YourCyanide, new and sophisticated ransomware variant that integrates documents into PasteBin, Discord and Microsoft Office
https://www.securitynewspaper.com/2022/06/02/yourcyanide-new-and-sophisticated-ransomware-variant-that-integrates-documents-into-pastebin-discord-and-microsoft-office/ (Thu, 02 Jun 2022 23:26:27 +0000; https://www.securitynewspaper.com/?p=25367)

Specialists at Trend Micro analyzed a set of CMD-based ransomware samples that appear to have capabilities for stealing sensitive information, bypassing remote desktop connections, and spreading through removable drives and email alike.

Identified as YourCyanide, this new ransomware uses Pastebin, Discord and Microsoft Office documents to hide its payload until the final stage of infection, along with other obfuscation methods, and adapts to each compromised environment. Although the malware is still in development and some of its functions do not yet work as intended, the researchers expect it to reach a finished form soon.

Attack process

The diagram below, from Trend Micro’s report, describes the infection process YourCyanide follows:

[Figure. SOURCE: Trend Micro]

The malware is delivered as an LNK (shortcut) file containing a PowerShell command that downloads a 64-bit executable, “YourCyanide.exe”, hosted on Discord, and runs it:

[Figure. SOURCE: Trend Micro]

The executable then creates and runs a CMD file named YourCyanide.cmd.

[Figure. SOURCE: Trend Micro]

The dropped YourCyanide.cmd file contains a script downloaded from Pastebin that is saved under the same file name:

[Figure. SOURCE: Trend Micro]

The ransomware creates a registry key used for debugging and invokes advpack.dll to delete the folder containing the malicious CMD file, removing traces of the downloader from the machine.

[Figure. SOURCE: Trend Micro]

Once the infection is complete, the malware sends a message to all users on the compromised network announcing the attack, accompanied by a second note implying that further attacks will follow.

[Figure. SOURCE: Trend Micro]

Bypass-focused

The continuous use of obfuscated scripts makes identifying malicious YourCyanide payloads difficult, which works in the threat actors’ favor. Obfuscation is not a new technique, but the way these operators layer it, fetching each stage at runtime from Discord and Pastebin, makes it considerably more effective.

It is also likely that the malware’s developers monitor reports such as Trend Micro’s and use them to improve the ransomware. As noted above, the samples analyzed are incomplete versions of YourCyanide, so it is hard to say how dangerous the final version will be; individuals and organizations should therefore stay alert to ransomware infections and other attack variants.

Zero-day vulnerability in Microsoft Office Pro Plus, Office 2013, Office 2016, and Office 2021 allows remote network hacking with just a single click
https://www.securitynewspaper.com/2022/05/30/zero-day-vulnerability-in-microsoft-office-pro-plus-office-2013-office-2016-and-office-2021-allows-remote-network-hacking-with-just-a-single-click/ (Mon, 30 May 2022 16:32:49 +0000; https://www.securitynewspaper.com/?p=25340)

A few days ago, the security researcher known as “nao_sec” reported a specially crafted Word document that exploits a zero-day vulnerability in Microsoft Office, allowing arbitrary code execution simply by opening the malicious file.

The sample, uploaded to VirusTotal from Belarus, was analyzed by Kevin Beaumont, who reports that the document uses Word’s remote template feature to retrieve an HTML file from a remote web server; that HTML in turn uses the ms-msdt: protocol handler (the Microsoft Support Diagnostic Tool) to load and execute PowerShell code.

Beaumont notes that the code runs regardless of whether macros are disabled on the target system, and that Microsoft Defender did not appear to prevent the attack: “Although the protected view is activated if you change the document to RTF format, the malicious code will run without even opening the document.”

The flaw was dubbed “Follina” because the malicious file referenced 0438, the telephone area code of a small Italian town of that name. The researcher and other members of the security community confirmed that the known exploit achieves remote code execution on several versions of Windows and Office, including Office Pro Plus, Office 2013, Office 2016 and Office 2021.

The exploit does not appear to work on the most recent Office builds or on Windows Insider deployments, which may indicate that Microsoft is already working on the issue; Beaumont believes, however, that it could work on those versions with some modifications.

A hacking group hosted a domain on Namecheap for use as a command-and-control server; the registrar took the site down quickly. The security community has proposed mitigations, which should be applied while no patch is available.
