CyberSecurity updates
Updated: 2024-10-22 03:24:38 Pacific


Pyrzout
Microsoft Fails to Collect Critical Security Logs, Exposing Customers to Risks - 3d

Microsoft experienced a significant security lapse, failing to collect customer security logs for a period of two weeks. This issue resulted in the loss of critical security data for various Microsoft products and services, including Microsoft Entra, Microsoft Sentinel, and Azure Monitor. The incident highlights the importance of robust logging and monitoring systems for ensuring effective security. The lapse likely affected a large number of Microsoft customers, raising concerns about potential security breaches and making it difficult to identify and respond to security threats during that period.

microsoft.com
Microsoft Digital Defense Report 2024 Highlights Rising Cyberattacks and Nation-State Involvement - 3d

The Microsoft Digital Defense Report 2024 highlights a significant increase in cyberattacks targeting Microsoft customers, averaging 600 million attacks per day. This report underscores the growing role of nation-state-affiliated threat actors, often collaborating with cybercrime gangs to escalate attack sophistication. The report analyzes ransomware trends, DDoS attacks, and the importance of identity security, emphasizing the need for robust defense mechanisms to counter these evolving threats.

Microsoft Threat Intelligence @ Microsoft Security Blog
New macOS Vulnerability, "HM Surf", Allows Attackers to Bypass Transparency, Consent, and Control (TCC) Protection - 4d

Microsoft Threat Intelligence has discovered a new macOS vulnerability, dubbed “HM Surf”, that allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to protected user data. The vulnerability involves removing TCC protection for the Safari browser directory and modifying a configuration file to access user data, including browsing history, camera, microphone, and location, without user consent. Microsoft has reported the vulnerability to Apple, which has released a fix as part of a macOS security update. Users are urged to install the update as soon as possible to mitigate the risk. This vulnerability highlights the importance of keeping operating systems and applications updated to protect against emerging threats and the persistent challenges of maintaining robust security in complex software environments.

MalBot @ Malware Analysis, News and Indicators
Microsoft Security Logs Misplaced: A Major Security Incident - 4d

Microsoft has acknowledged a significant security incident that resulted in the loss of customer security logs for a month. The incident, attributed to a vulnerability, impacted various Microsoft services, including Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform.
This incident underscores the importance of robust security measures and the need for companies to promptly disclose security incidents to their customers. The lack of security logs during this period could pose significant risks for organizations relying on these services for security monitoring and threat detection.

Anna Ribeiro @ Industrial Cyber
Earth Simnavaz APT Targets Gulf Organizations Using Microsoft Exchange Server Backdoor - 4d

The Earth Simnavaz APT, a suspected Iranian state-sponsored threat actor, has been targeting organizations in the Gulf region using a backdoor in Microsoft Exchange servers. The backdoor allows the attackers to gain unauthorized access to sensitive information and potentially deploy ransomware. The attacks highlight the growing threat of nation-state actors targeting critical infrastructure and businesses.

raw.githubusercontent.com
Exploiting Vulnerable Drivers in Windows 7 for Kernel Shellcode Persistence - 4d

A design flaw in older Windows operating systems, specifically Windows NT 4.0 through Windows 7, allows kernel shellcode to persist and be launched during system boot by writing specially crafted data to the system registry. This vulnerability is due to the incomplete fix for a vulnerability in the RtlQueryRegistryValues function. The function can be used to query multiple registry values with a single call, but the way it handles values of unexpected types can lead to a buffer overflow, which can be exploited to execute malicious code. The vulnerability was exploited in a targeted attack in 2018, and researchers at Kaspersky GReAT discovered that it was only partially fixed by Microsoft, making it possible for attackers with administrator privileges to stealthily store and execute kernel shellcode. The vulnerability was exposed in a challenge at the SAS CTF, an international cybersecurity competition organized by Kaspersky GReAT.

ciso2ciso.com
Microsoft Addresses Growing Threat of Ransomware by Blocking Attacks Before Encryption - 5d

Microsoft has announced that it is increasingly successful in stopping ransomware attacks before they can encrypt data. The company has been working to improve its ransomware detection and prevention capabilities, and this announcement suggests that these efforts are paying off. However, the company did not release any specific figures on the number of attacks that have been blocked, nor did it disclose details about the specific techniques being used to thwart these attacks.

support.microsoft.com
OilRig Targets UAE and Gulf with Windows Kernel Flaw Exploit - 8d

The Iranian state-sponsored hacking group, OilRig, has been observed exploiting a vulnerability in the Windows Kernel to conduct cyber espionage operations. This vulnerability allows attackers to escalate their privileges, enabling them to gain unauthorized access and control over targeted systems. The campaign targets government and critical infrastructure entities in the UAE and the broader Gulf region.

David Weston @ Microsoft Security Blog
Kerberoasting Attack Vector and Mitigation Strategies - 9d

Kerberoasting is an Active Directory (AD) attack targeting the Kerberos authentication protocol to steal credentials. Attackers request service tickets encrypted with a key derived from an account password, then use offline brute-force attacks to guess and steal passwords. Accounts with weak passwords or using weaker encryption algorithms, particularly RC4, are more vulnerable. Microsoft recommends using gMSA or dMSA for service accounts, enforcing AES encryption, and employing multi-factor authentication (MFA) to strengthen security against this attack vector.

msrc.microsoft.com
Microsoft Releases Critical Patch Tuesday Updates Addressing Exploited Vulnerabilities - 12d

Microsoft has released its October 2024 Patch Tuesday updates, addressing a total of 117 vulnerabilities across its ecosystem. This includes three critical vulnerabilities, two of which have been actively exploited in the wild, highlighting the importance of prompt patching to mitigate these risks. The first actively exploited vulnerability, CVE-2024-43572, is a remote code execution vulnerability in the Microsoft Management Console (MMC). It allows attackers to execute arbitrary code on a targeted system by tricking users into loading a malicious MMC snap-in. The second actively exploited vulnerability, CVE-2024-43573, is a platform spoofing vulnerability in Windows MSHTML. This vulnerability allows attackers to disguise themselves as trusted sources, potentially gaining unauthorized access to systems or data. The third critical vulnerability, CVE-2024-43468, is a remote code execution vulnerability in Microsoft Configuration Manager, which could allow attackers to execute commands on the targeted server or database without user interaction. The release also includes other critical vulnerabilities affecting various Microsoft products, including .NET, OpenSSH for Windows, Power BI, and Windows Hyper-V. Organizations are strongly advised to prioritize the installation of these security updates to protect their systems from potential attacks.

do son @ Vulnerability Archives
CISA Adds Three Actively Exploited Vulnerabilities to KEV Catalog, Urges Urgent Patching - 11d

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, due to confirmed reports of active exploitation in the wild. These vulnerabilities pose significant risks to organizations and require immediate attention. The three vulnerabilities added to the KEV Catalog include a format string vulnerability in multiple Fortinet products, a SQL injection vulnerability in Ivanti Cloud Services Appliance (CSA), and an OS command injection vulnerability in Ivanti CSA. The addition of these vulnerabilities to the KEV Catalog highlights the ongoing threat posed by malicious cyber actors who actively exploit known vulnerabilities. CISA urges all organizations to prioritize timely remediation of vulnerabilities listed in the KEV Catalog as part of their vulnerability management practices to reduce their exposure to cyberattacks.


This site is an experimental news aggregator using feeds I personally follow. You can reach me using contacts documented at my website here (https://royans.net/) if you have feedback. You can also find Flathis at Mastodon.