CyberSecurity news
FlagThis - #Microsoft
|
@Talkback Resources
//
Microsoft is making strategic shifts to bolster its AI capabilities, while addressing the financial demands of AI infrastructure. In a move to offset the high costs of running AI data centers, the company is implementing layoffs. This decision, viewed as a "double whammy" for tech workers, comes as Microsoft doubles down on its AI investments, suggesting further workforce adjustments may be on the horizon as AI technologies mature and become more efficient. The company is concurrently rolling out tools and features designed to streamline data interaction and enhance AI application development.
Microsoft has previewed the MCP (Model Context Protocol) tool for SQL Server, aiming to simplify data access for AI agents. Implemented in both Node.js and .NET, this open-source tool allows AI agents like GitHub Copilot or Claude Code to interact with databases using natural language, potentially revolutionizing how developers work with data. The MCP server, once set up locally, offers commands such as listing tables, describing tables, and creating or dropping tables. However, initial user experiences have been mixed, with some finding the tool limited and sometimes frustrating, citing slow operation speeds and the need for further refinement. In addition to database enhancements, Microsoft is also focused on leveraging AI to improve accessibility and documentation. The MCP server for Microsoft Learn is now in public preview, offering real-time AI agent access to Microsoft's vast documentation library. Furthermore, a new C# script leveraging .NET 10 and local AI models enables the generation of AltText for images, making online content more accessible to visually impaired users. Microsoft is unifying security operations by transitioning Microsoft Sentinel into the Microsoft Defender portal. This consolidation offers a single, comprehensive view of incidents, streamlines response, and integrates AI-driven features like Security Copilot and exposure management to enhance security posture. The Azure portal for Microsoft Sentinel is slated for retirement by July 1, 2026, encouraging customers to transition to the unified Defender portal for an improved security operations experience. Recommended read:
References :
@www.microsoft.com
//
The U.S. Department of Justice (DOJ) has announced a major crackdown on North Korean remote IT workers who have been infiltrating U.S. tech companies to generate revenue for the regime's nuclear weapons program and to steal data and cryptocurrency. The coordinated action involved the arrest of Zhenxing "Danny" Wang, a U.S. national, and the indictment of eight others, including Chinese and Taiwanese nationals. The DOJ also executed searches of 21 "laptop farms" across 14 states, seizing around 200 computers, 21 web domains, and 29 financial accounts.
The North Korean IT workers allegedly impersonated more than 80 U.S. individuals to gain remote employment at over 100 American companies. From 2021 to 2024, the scheme generated over $5 million in revenue for North Korea, while causing U.S. companies over $3 million in damages due to legal fees and data breach remediation efforts. The IT workers utilized stolen identities and hardware devices like keyboard-video-mouse (KVM) switches to obscure their origins and remotely access victim networks via company-provided laptops. Microsoft Threat Intelligence has observed North Korean remote IT workers using AI to improve the scale and sophistication of their operations, which also makes them harder to detect. Once employed, these workers not only receive regular salary payments but also gain access to proprietary information, including export-controlled U.S. military technology and virtual currency. In one instance, they allegedly stole over $900,000 in digital assets from an Atlanta-based blockchain research and development company. Authorities have seized $7.74 million in cryptocurrency, NFTs, and other digital assets linked to the scheme. Recommended read:
References :
Mona Thaker@Microsoft Security Blog
//
References:
Microsoft Security Blog
, Wiz Blog | RSS feed
,
Microsoft and Wiz have both been recognized as Leaders in the 2025 IDC MarketScape for Cloud-Native Application Protection Platforms (CNAPP). This recognition underscores the growing importance of CNAPP solutions as organizations grapple with securing increasingly complex cloud environments. The IDC MarketScape assesses vendors based on their capabilities and strategic vision, providing guidance for security leaders seeking to replace fragmented point tools with a unified approach to cloud security. Both Microsoft and Wiz have demonstrated a strong commitment to innovation and customer success in cloud security.
The IDC MarketScape emphasizes that selecting a CNAPP vendor involves more than just consolidating tools. It highlights the importance of seamless integration with existing security infrastructure and the ability to enhance the overall security posture. Key considerations include robust monitoring and reporting on cloud security posture, runtime, and application security. Microsoft's recognition stems from its comprehensive, AI-powered, and integrated security solutions for multicloud environments. Wiz is also committed to customer success across cloud security. Microsoft's Defender for Cloud was specifically lauded for providing visibility into cloud attacks across the entire environment, from endpoints to exposed identities. The platform's holistic approach examines attack vectors both inside and outside the cloud, integrating pre-breach posture graphs with live incidents for exposure risk assessment. Additionally, Microsoft was recognized for its detailed threat analytics, which combines information from various sources to create comprehensive attack paths and facilitate threat prioritization. Customers also highlighted the strong partnership with Microsoft, noting dedicated support and consulting for optimal product use. Recommended read:
References :
@www.helpnetsecurity.com
//
Russian hackers have found a way to bypass Gmail's multi-factor authentication (MFA) to conduct targeted attacks against academics and critics engaging with Russia discussions. According to Google Threat Intelligence Group (GTIG), the hackers are using stolen app passwords obtained through sophisticated and personalized social engineering attacks. These attacks involve posing as U.S. Department of State officials to build rapport with targets, eventually convincing them to create and share app-specific passwords.
App passwords are 16-digit codes that Google generates to allow certain apps or devices to access a Google Account, bypassing the usual second verification step of MFA. While useful for older or less secure apps that can't handle MFA, app passwords lack the extra layer of security, making them vulnerable to theft or phishing. In one instance, the attackers, tracked as UNC6293 and believed to be state-sponsored, contacted a target under the guise of a State Department representative, inviting them to a consultation in a private online conversation, further lending credibility by CCing four @state.gov accounts. This campaign, which took place between April and early June, involved meticulously crafted phishing messages that didn't rush the target into immediate action. Instead, the hackers focused on building trust through personalized emails and invitations to private conversations, using spoofed '@state.gov' addresses in the CC field to build credibility. Keir Giles, a prominent British researcher on Russia, was one such target. Google's researchers uncovered the slow-paced nature attackers used to build rapports with their victims, often sending them personalized emails and inviting them to private conversations or meetings. Recommended read:
References :
Rescana@Rescana
//
References:
infosec.exchange
, WIRED
,
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.
The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%. In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange. Recommended read:
References :
@blog.redteam-pentesting.de
//
A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.
Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token. The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential. Recommended read:
References :
Michael Kan@PCMag Middle East ai
//
A new cyber threat has emerged, targeting users eager to experiment with the DeepSeek AI model. Cybercriminals are exploiting the popularity of open-source AI by disguising malware as a legitimate installer for DeepSeek-R1. Unsuspecting victims are unknowingly downloading "BrowserVenom" malware, a malicious program designed to steal stored credentials, session cookies, and gain access to cryptocurrency wallets. This sophisticated attack highlights the growing trend of cybercriminals leveraging interest in AI to distribute malware.
This attack vector involves malicious Google ads that redirect users to a fake DeepSeek domain when they search for "deepseek r1." The fraudulent website, designed to mimic the official DeepSeek page, prompts users to download a file named "AI_Launcher_1.21.exe." Once executed, the installer displays a fake installation screen while silently installing BrowserVenom in the background. Security experts at Kaspersky have traced the threat and identified that the malware reconfigures browsers to route traffic through a proxy server controlled by the hackers, enabling them to intercept sensitive data. Kaspersky's investigation revealed that the BrowserVenom malware can evade many antivirus programs and has already infected computers in various countries, including Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. The analysis of the phishing and distribution websites revealed Russian-language comments within the source code, suggesting the involvement of Russian-speaking threat actors. This incident serves as a reminder to verify the legitimacy of websites and software before downloading, especially when dealing with open-source AI tools that require multiple installation steps. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.
The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures. Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers. Recommended read:
References :
@research.checkpoint.com
//
Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.
The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file. Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update. Recommended read:
References :
@blogs.microsoft.com
//
Microsoft has launched the European Security Program (ESP), a new initiative aimed at significantly strengthening cybersecurity across Europe. The program provides critical resources to governments within the European Union, the United Kingdom, EU accession countries, and members of the European Free Trade Association. Microsoft Vice Chair Brad Smith unveiled the ESP in Berlin, emphasizing the need for enhanced cyber protection amidst growing sophistication and scope of cyber threats.
The ESP is a three-pronged strategy that includes AI-enhanced threat intelligence, direct collaboration with Europol, and automated disruption of malicious infrastructure. This program aims to counter the rising tide of cyberattacks from nation-state actors, specifically those originating from Russia, China, Iran, and North Korea. Microsoft is offering these AI-powered defense tools and threat intelligence resources free of charge, to the 27 EU nations. By offering these resources, Microsoft intends to bolster digital sovereignty and address the operational complexities faced by European governments in defending against cyber threats. The initiative underscores Microsoft's commitment to sharing threat intelligence, strengthening cybersecurity capacity, and expanding partnerships to effectively disrupt malicious cyber activities. The free cyber security support will help European governments combat state-sponsored hackers as attacks continue to intensify across the continent. Recommended read:
References :
Alex Simons@Microsoft Security Blog
//
References:
Microsoft Security Blog
, Davey Winder
,
Microsoft is grappling with ongoing issues related to its Windows Updates, with another out-of-band patch released to address problems caused by a previous update. The May Patch Tuesday update had failed to install correctly on some Windows 11 virtual machines, leaving them in recovery mode with an "ACPI.sys" error. KB5062170 aims to resolve this boot error which affected Windows 11 23H2 and 22H2 systems, with the caveat that it does not fix a separate issue causing blurry CJK fonts in Chromium browsers at 100 percent scaling, requiring users to increase scaling to 125 or 150 percent as a workaround. The increasing frequency of these out-of-band fixes highlights ongoing challenges with Microsoft's quality control, impacting both consumer and enterprise users.
Alongside addressing update failures, Microsoft is actively developing AI capabilities and integrating them into its services. While specific details are limited, Microsoft is working towards building a "robust and sophisticated set of agents" across various fields and is looking at evolving identity standards. This future vision involves AI agents that can proactively identify problems, suggest solutions, and maintain context across conversations, going beyond simple request-response interactions. The company recently launched a public preview of its Conditional Access Optimizer Agent and is investing in agents for developer and operations workflows. In the realm of cybersecurity, Microsoft Threat Intelligence has identified a new Russia-affiliated threat actor named Void Blizzard, active since at least April 2024. Void Blizzard is engaging in worldwide cloud abuse activity and cyberespionage, targeting organizations of interest to Russia in critical sectors such as government, defense, transportation, media, NGOs, and healthcare, primarily in Europe and North America. This discovery underscores the ongoing need for vigilance and proactive threat detection in the face of evolving cyber threats. Recommended read:
References :
Brian Fagioli@BetaNews
//
Microsoft is significantly expanding its cybersecurity support for European governments, providing a free security program specifically designed to combat AI-based cyberattacks. This initiative reflects Microsoft's commitment to bolstering the digital defenses of European nations. Furthermore, the company is actively addressing concerns related to competition within the European market, demonstrating a willingness to adapt to regulatory requirements and user preferences.
Microsoft is collaborating with CrowdStrike to harmonize cyber threat attribution. This partnership aims to establish a unified system for identifying and tracking cyber threat actors across different security platforms, which is designed to accelerate response times and strengthen global cyber defenses. The collaborative effort seeks to bridge the gaps created by differing naming systems for threat actors, creating a "Rosetta Stone" for cyber threat intelligence. This mapping will allow security teams to make informed decisions more quickly, correlate threat intelligence across sources, and disrupt malicious activity before it inflicts damage. In response to Europe’s Digital Markets Act (DMA), Microsoft is making changes to the user experience within the European Economic Area. The company will reduce the frequency with which it prompts users to switch to Edge as their default browser. This change is intended to address complaints from rival browser makers and others who felt that Microsoft was unfairly pushing its own products. Europeans will also find it easier to uninstall the Windows Store and sideline Bing, offering greater control over their digital environment and aligning with the principles of the DMA, which aims to promote competition and user choice in the digital market. Recommended read:
References :
@blog.checkpoint.com
//
References:
www.microsoft.com
, Catalin Cimpanu
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.
Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals. In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats. Recommended read:
References :
@securityonline.info
//
Elastic Security Labs has identified a new information stealer called EDDIESTEALER, a Rust-based malware distributed through fake CAPTCHA campaigns. These campaigns trick users into executing malicious PowerShell scripts, which then deploy the infostealer onto their systems. EDDIESTEALER is hosted on multiple adversary-controlled web properties and employs the ClickFix social engineering tactic, luring unsuspecting individuals with the promise of CAPTCHA verification. The malware aims to harvest sensitive data, including credentials, browser information, and cryptocurrency wallet details.
This attack chain begins with threat actors compromising legitimate websites, injecting malicious JavaScript payloads that present bogus CAPTCHA check pages. Users are instructed to copy and paste a PowerShell command into their Windows terminal as verification, which retrieves and executes a JavaScript file called gverify.js. This script, in turn, fetches the EDDIESTEALER binary from a remote server, saving it in the downloads folder with a pseudorandom filename. The malware dynamically retrieves configuration data from a command-and-control server, allowing it to adapt its behavior and target specific programs. EDDIESTEALER is designed to gather system metadata and siphon data of interest from infected hosts, including cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps like Telegram. The malware incorporates string encryption, a custom WinAPI lookup mechanism, and a mutex to prevent multiple instances from running. It also includes anti-sandbox checks and a self-deletion technique using NTFS Alternate Data Streams to evade detection. The dynamic C2 tasking gives attackers flexibility, highlighting the ongoing threat of ClickFix campaigns and the increasing use of Rust in malware development. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A new Windows Remote Access Trojan (RAT) has been discovered that employs a novel technique to evade detection. The malware corrupts its own DOS and PE headers, making it significantly more difficult for security tools to analyze and reconstruct the malicious code. This method obstructs forensic analysis and allows the RAT to operate stealthily on compromised Windows machines for extended periods, in some cases, for weeks before being detected. The FortiGuard Incident Response Team conducted a detailed investigation into this malware.
The Fortinet team managed to obtain a memory dump of the live malware process (dllhost.exe process PID 8200) and a complete 33GB memory dump of the compromised system. By meticulously replicating the compromised environment, they were able to revive the dumped malware in a controlled setting. This allowed them to observe its operations and communication patterns. The researchers had to manually identify the malware's entry point, allocate memory, and resolve API addresses through debugging, address relocation, and parameter adjustments to emulate the malware's behaviour in a lab setting. Once operational, the malware was found to communicate with a command-and-control (C2) server at rushpaperscom over port 443, utilizing TLS encryption. Fortinet analysts identified the malware's use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic, along with an additional layer of custom encryption. Analysis confirms that the malware is a RAT, allowing attackers to capture screenshots, manipulate system services, and establish connections with other clients. Recommended read:
References :
@www.microsoft.com
//
References:
www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.
As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents. To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots. Recommended read:
References :
@www.helpnetsecurity.com
//
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.
The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees. Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats. Recommended read:
References :
Ddos@securityonline.info
//
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.
These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe. Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes. Recommended read:
References :
Dhara Shrivastava@cysecurity.news
//
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.
The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise. In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information. Recommended read:
References :
@www.microsoft.com
//
Microsoft is taking a significant step towards future-proofing cybersecurity by integrating post-quantum cryptography (PQC) into Windows Insider builds. This move aims to protect data against the potential threat of quantum computers, which could render current encryption methods vulnerable. The integration of PQC is a critical step toward quantum-resilient cybersecurity, ensuring that Windows systems can withstand attacks from more advanced computing power in the future.
Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility. This is being done in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history. The urgency behind this transition stems from the "harvest now, decrypt later" threat, where malicious actors store encrypted communications today, with the intent to decrypt them once quantum computers become capable. These captured secrets, such as passwords, encryption keys, or medical data, could remain valuable to attackers for years to come. By adopting PQC algorithms, Microsoft aims to safeguard sensitive information against this future risk, emphasizing the importance of starting the transition now. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical privilege escalation vulnerability has been discovered in the delegated Managed Service Account (dMSA) feature of Windows Server 2025's Active Directory. This flaw, dubbed "BadSuccessor," allows attackers with minimal permissions, specifically the ability to create objects inside an Active Directory organizational unit, to gain control over any user in the Active Directory domain, including Domain Admins. The vulnerability stems from improper permission handling during dMSA migration, where unauthorized users can simulate a migration process and inherit permissions of other accounts, even those with Domain Admin privileges. Security researchers have detailed that only write permissions over the attributes of a dMSA are required to execute this attack.
Microsoft has acknowledged the "BadSuccessor" issue in Windows Server 2025 but has rated it as moderate severity, sparking disagreement from security researchers who believe it poses a significant risk. Currently, there is no official patch available from Microsoft to address this vulnerability. This lack of an immediate patch has led security firms such as Akamai to document the privilege escalation flaw, emphasizing the potential for attackers to fully compromise an Active Directory domain by exploiting the dMSA feature. Akamai researchers found that in 91% of the environments they examined, users outside the domain admins group had the required permissions to perform this attack. Organizations utilizing Active Directory are strongly advised to be aware of this vulnerability and actively monitor for suspicious activity related to dMSA objects. Security researchers are suggesting workarounds to mitigate the risk until Microsoft releases a formal patch. The core of the attack involves abusing the dMSA feature to elevate privileges, highlighting the importance of carefully reviewing and restricting permissions related to dMSA creation and management. Furthermore, the discovery of this vulnerability emphasizes the need for organizations to stay informed about the latest security research and apply necessary security measures to protect their Active Directory environments. Recommended read:
References :
@arstechnica.com
//
Signal, the privacy-focused messaging application, has taken action to block Microsoft's controversial Recall feature from capturing screenshots of its desktop app content on Windows 11. Citing privacy concerns over Recall's ability to automatically take screenshots of on-screen activity, Signal has implemented a "screen security" setting, enabled by default, that leverages Digital Rights Management (DRM) to prevent the tool from accessing and recording private conversations. This move comes as Signal expresses discontent with Microsoft's approach, arguing that Recall lacks sufficient developer controls to exclude specific apps and protect sensitive information.
Microsoft's Recall feature, designed for Copilot+ PCs, works by continuously taking screenshots and creating a searchable database of user activity. Signal argues that this poses a significant risk to the privacy of its users, as private conversations could be inadvertently captured and stored. By implementing DRM, Signal sets a flag on its application window that instructs Recall, and any other screenshotting application, to ignore its content. While Signal acknowledges this is a blunt tool that may interfere with accessibility software, it believes Microsoft left them with no other choice. Signal has criticized Microsoft for not providing developers with the necessary tools to manage how Recall interacts with their applications. The messaging app argues that it shouldn't have to resort to using DRM "content protection hacks" to safeguard user privacy. Signal hopes that AI teams building systems like Recall will carefully consider the privacy implications and avoid forcing apps to use workarounds to protect the integrity of their services. They want the AI teams to know that this will potentially affect accessibility options like screen readers. Recommended read:
References :
|