CyberSecurity news
FlagThis - #microsoft
|
@www.marktechpost.com
//
References:
MarkTechPost
, The Microsoft Cloud Blog
,
Microsoft is taking significant steps to address the burgeoning field of agentic AI with a multi-pronged approach encompassing both proactive risk management and practical applications. The company has recently released a comprehensive guide to failure modes in agentic AI systems, underscoring the importance of establishing a secure foundation as AI becomes more deeply embedded in organizational workflows. This guide aims to help organizations navigate the unique challenges and risks associated with AI agents, including data leakage, emerging cyber threats, and evolving regulatory landscapes, such as the European Union AI Act. The report from Microsoft’s AI Red Team (AIRT) offers a structured analysis distinguishing between novel failure modes unique to agentic systems and the amplification of risks already observed in generative AI contexts.
Microsoft's efforts extend beyond theoretical frameworks into real-world applications, they are actively developing intelligent, use-case driven agents designed to collaborate with human analysts. These agents are intended to automate routine tasks and enhance decision-making processes within security operations, highlighting Microsoft's commitment to securing AI and building robust, reliable agentic systems suitable for safe deployment. Specifically, Microsoft details the Dynamics 365 Supplier Communications Agent, and the Azure MCP Server that empowers AI Agents With Azure Resources. The MCP Server, which implements the Model Context Protocol, is an open protocol that standardizes the communication between AI agents and external resources. This proactive stance on AI safety is further evidenced by Microsoft's exploration of Model Context Protocol (MCP), an emerging standard for AI interoperability. As of April 2025, major players including OpenAI, Google, Meta, and Amazon have committed to adopting MCP, which promises a unified language for AI systems to access and interact with business tools and repositories. The protocol aims to streamline development, improve system reliability, and enable smarter AI by standardizing data exchange and context management across different AI interactions. Other companies such as Appian are also embedding agentic AI into business processes. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
References:
securityaffairs.com
, The Hacker News
,
Microsoft has issued a warning regarding a recent password spraying attack targeting the education sector. The tech giant has identified the threat actor behind these attacks as Storm-1977. This group is actively targeting cloud tenants within educational institutions, attempting to gain unauthorized access through compromised credentials.
Storm-1977 employs a Command Line Interface (CLI) tool called AzureChecker.exe in its attacks. This tool is used to retrieve AES-encrypted data from an external server, which contains a list of targets for the password spraying. Additionally, AzureChecker accepts a text file ("accounts.txt") containing username and password combinations. It then uses this information to attempt validation against target tenants. In one successful instance, Storm-1977 exploited a guest account to create a resource group within a compromised subscription. The attackers proceeded to create over 200 containers within this group, using them for illicit cryptocurrency mining. Microsoft advises organizations to secure container deployments and runtimes, monitor Kubernetes API requests, and implement policies to prevent deployments from untrusted registries to mitigate such activities. Recommended read:
References :
Shira Landau@Email Security - Blog
//
A sophisticated phishing campaign is currently targeting Microsoft Office 365 users, leveraging OAuth application functionality to bypass traditional security measures and enterprise-grade spam filters. Attackers are creating applications with embedded phishing messages as the app name, allowing them to generate properly signed security notifications that appear legitimate. These deceptive emails bypass email authentication checks and appear to come from official "no-reply" addresses, successfully navigating through standard email security checks and creating a significant deception that threatens enterprise security frameworks. Security leaders are urged to reassess their defense strategies to address these emerging threats that specifically target authentication mechanisms.
Attackers register a domain and create an associated account to establish their malicious operation. They then create an OAuth app with the phishing message embedded in the app name. Granting their newly created account access to this OAuth app generates a properly signed security notification. This authenticated message is then forwarded to potential victims, directing them to fake sign-in pages that function as credential harvesting mechanisms under the guise of legitimate support pages. These pages, hosted on legitimate subdomains of the email service provider, prompt users to "upload additional documents" or "view case," both leading to credential harvesting. The "SessionShark" phishing kit is also being used to target Microsoft Office 365 accounts, designed to bypass multi-factor authentication (MFA) by stealing session tokens. This kit operates as an adversary-in-the-middle, intercepting login credentials and user session tokens. It creates a webpage that closely mimics the legitimate Microsoft Office 365 login interface, dynamically adapting to various conditions to increase believability. Once a victim submits their credentials, including completing MFA, the sensitive details and session cookie are instantly logged and exfiltrated to the attacker via Telegram bot integration. Recommended read:
References :
@betanews.com
//
A new proof-of-concept rootkit, dubbed Curing, has been developed by ARMO researchers to demonstrate a significant security blindspot in Linux runtime security. This rootkit leverages the 'io_uring' interface, a Linux asynchronous I/O mechanism, to bypass traditional system call monitoring. This means that many existing security tools like Falco, Tetragon, and even Microsoft Defender are unable to detect malicious activity carried out using this method, leaving systems vulnerable to stealthy rootkit attacks. The vulnerability stems from the fact that io_uring allows user applications to perform actions without relying on standard system calls, rendering security tools that depend on system call monitoring ineffective.
io_uring was introduced in Linux kernel version 5.1 in March 2019, designed to improve I/O operation efficiency by using circular buffers (submission queue and completion queue) between the kernel and user space. However, ARMO's Curing rootkit exploits this mechanism to communicate with a command-and-control server, fetch commands, and execute them on the infected host without triggering traditional security alerts. This is achieved by performing operations using io_uring instead of direct system calls. ARMO's analysis found that popular Linux runtime security tools are blind to io_uring-based operations. This is because these tools rely heavily on system call hooking, a method bypassed by io_uring. While the security risks associated with io_uring have been acknowledged, as evidenced by Google's decision to limit its use across Android, ChromeOS, and its production servers due to its exploitation potential, a broader industry solution is still needed to address this Linux kernel blindspot effectively. Recommendations for detecting io_uring-based threats include monitoring for anomalous usage of io_uring, leveraging Kernel Runtime Security Instrumentation (KRSI), and identifying alternative hook points across the Linux stack. Recommended read:
References :
@www.volexity.com
//
Russian threat actors have been actively targeting Microsoft 365 accounts belonging to individuals and organizations with connections to Ukraine and human rights causes. These malicious actors are exploiting legitimate OAuth 2.0 authentication workflows to gain unauthorized access. Researchers at Volexity have been monitoring these campaigns since early March 2025, observing a shift in tactics from previous device code phishing attempts to methods that rely more heavily on direct interaction with targets. These new attacks involve convincing victims to click on links and provide Microsoft-generated codes.
These campaigns involve sophisticated social engineering techniques, where attackers impersonate officials from various European nations and, in one instance, utilized a compromised Ukrainian Government account. The attackers are using messaging apps like Signal and WhatsApp to contact their targets, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure, ultimately tricking them into sharing Microsoft Authorization codes. Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic involves requesting Microsoft Authorization codes from victims, which then allows the attackers to join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights. Recommended read:
References :
@securityonline.info
//
Cybercriminals are exploiting a legitimate Microsoft utility called mavinject.exe to inject malicious Dynamic Link Libraries (DLLs) into unsuspecting systems. This technique allows attackers to bypass security measures and execute sophisticated malicious payloads while appearing to be a benign process. Mavinject.exe is a command-line utility designed for Application Virtualization (App-V) environments, intended for injecting DLLs into specific processes. Because it's signed by Microsoft and has been a default component of Windows since version 1607, it is typically whitelisted by security solutions.
The exploitation of mavinject.exe involves using key Windows APIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. These APIs allow attackers to retrieve a handle to the target process, allocate memory within it, write the DLL path to the allocated memory, and create a new thread to load and execute the malicious DLL. By leveraging mavinject.exe, threat actors can achieve external code execution while circumventing detection, as the utility is considered a trusted application. This technique is categorized as Signed Binary Proxy Execution. Several Advanced Persistent Threat (APT) groups have been observed using mavinject.exe in real-world attacks. Earth Preta (Mustang Panda), a Chinese government-supported APT group, has used it to inject malicious DLLs, like backdoors, into legitimate processes such as waitfor.exe after initial access through phishing emails. The Lazarus Group has also employed mavinject.exe to inject malware into explorer.exe. Security measures recommended include monitoring mavinject.exe execution with specific arguments and API calls and, when not using App-V, blocking the utility altogether. Recommended read:
References :
Lawrence Abrams@BleepingComputer
//
A recent Microsoft Entra ID security update caused widespread account lockouts across numerous organizations, highlighting the potential risks associated with new security feature deployments. The issue stemmed from the rollout of a new "leaked credentials" detection app called MACE (Microsoft Account Credential Evaluation). This new feature inadvertently flagged legitimate user accounts, triggering automatic lockouts despite strong, unique passwords and multi-factor authentication (MFA) being in place.
Microsoft confirmed that the Entra account lockouts over the weekend were due to the invalidation of short-lived user refresh tokens mistakenly logged into internal systems. The problem was traced back to an internal logging mishap involving these tokens, where a subset of them were being logged internally, which deviates from the standard practice of logging only metadata. This logging error was identified on April 18, 2025, and promptly corrected. The incident caused significant disruption as Windows administrators from numerous organizations reported receiving alerts that user credentials had been found leaked on the dark web. However, users noticed discrepancies, such as passwordless accounts being affected and no matches on Have I Been Pwned (HIBP), raising suspicions of false positives. Microsoft has advised affected customers to use the “Confirm User Safe” feature in response to the erroneous alerts and is working to prevent future occurrences. Recommended read:
References :
@unit42.paloaltonetworks.com
//
References:
Virus Bulletin
, The Hacker News
,
A new multi-stage malware attack has been identified, deploying a range of malware families including Agent Tesla, Remcos RAT, and XLoader. This intricate attack chain employs multiple execution paths, designed to evade detection, bypass traditional sandboxes, and ensure the successful delivery and execution of malicious payloads. Attackers are increasingly relying on these complex delivery mechanisms to compromise systems.
This campaign, observed in December 2024, begins with phishing emails disguised as order release requests, enticing recipients to open malicious archive attachments. These attachments contain JavaScript encoded (.JSE) files, which initiate the infection chain by downloading and executing a PowerShell script from an external server. The PowerShell script then decodes and executes a Base64-encoded payload. The attack then diverges into two possible execution paths. One involves a .NET executable that decrypts an embedded payload, like Agent Tesla or XLoader, and injects it into a running "RegAsm.exe" process. The other path uses an AutoIt compiled executable containing an encrypted payload that loads shellcode, ultimately injecting a .NET file into a "RegSvcs.exe" process, ultimately leading to Agent Tesla deployment. This dual-path approach highlights the attacker's focus on resilience and evasion, using simple, stacked stages to complicate analysis and detection. Recommended read:
References :
Zeljka Zorz@Help Net Security
//
Microsoft is warning Windows users about a actively exploited vulnerability, CVE-2025-24054, which allows attackers to capture NTLMv2 responses. This can lead to the leakage of NTLM hashes and potentially user passwords, compromising systems. The vulnerability is exploited through phishing attacks utilizing maliciously crafted .library-ms files, prompting users to interact with the files through actions like right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. The original version,NTLMv1, had several security flaws that made it vulnerable to attacks such aspass-the-hashandrainbow table attacks.
Attackers have been actively exploiting CVE-2025-24054 since March 19, 2025, even though Microsoft released a patch on March 11, 2025. Active exploitation has been observed in campaigns targeting government entities and private institutions in Poland and Romania between March 20 and 21, 2025. The attack campaign used email phishing links to distribute a Dropbox link containing an archive file that exploits the vulnerability, which harvests NTLMv2-SSP hashes. The captured NTLMv2 response, can be leveraged by attackers to attempt brute-force attacks offline or to perform NTLM relay attacks, which fall under the category of man-in-the-middle attacks. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network. Microsoft released a patch on March 11, 2025 addressing the vulnerability with users being advised to apply the patches. Recommended read:
References :
Jenna McLaughlin@NPR Topics: Technology
//
A whistleblower at the US National Labor Relations Board (NLRB) has come forward with allegations of a significant cybersecurity breach involving the Department of Government Efficiency (DOGE), overseen by Elon Musk. According to the whistleblower, Daniel Berulis, DOGE operatives arrived at the agency in early March and were granted unrestricted access to internal systems, a move that deviated from standard operating procedures. The whistleblower claims that these DOGE employees ignored infosec rules and were instructed to hand over any requested accounts and stay out of DOGE’s way.
According to the affidavit submitted to the Senate Intelligence Committee, these actions led to a "significant cybersecurity breach" potentially exposing the agency's data to foreign adversaries. The whistleblower also alleges that during their activity, DOGE employees exfiltrated 10GB of data to servers in the US and disabled monitoring tools, raising concerns about potential data exposure. Berulis’s document points out that not even his CIO enjoyed the level of access given to DOGE unit operatives, and that the NLRB already had auditor accounts set up that provided enough privileges to check data without being able to edit, copy, or remove it. The most alarming aspect of the allegations involves attempted access to the NLRB's systems from a Russian IP address using legitimate accounts created by DOGE staffers. These attempts were reportedly blocked, but the valid credentials used suggest a potential compromise. The NPR has reported that the data that DOGE moved could have included sensitive information on unions, ongoing legal cases and corporate secrets. Democratic lawmakers are calling for an investigation into the matter. Recommended read:
References :
David Jones@cybersecuritydive.com
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. This alert comes in response to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims of a large trove of customer credentials being compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments. To mitigate these risks, CISA recommends organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure as code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods supported by centralized secret management. Monitoring authentication logs for anomalous activity, particularly using privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts whenever possible. Recommended read:
References :
@www.microsoft.com
//
Microsoft is warning of a rise in cyberattacks where threat actors are misusing Node.js to deliver malware and steal sensitive information. These campaigns, ongoing since October 2024, involve tricking users into downloading malicious installers from fraudulent websites disguised as legitimate software, often related to cryptocurrency platforms like Binance and TradingView. The attackers utilize malvertising campaigns to lure unsuspecting victims. Once the malicious installer is downloaded, a chain of events is triggered, leading to information theft and data exfiltration from compromised systems.
The attack chain involves multiple stages, beginning with a malicious DLL embedded within the downloaded installer. This DLL gathers system information and establishes persistence via a scheduled task. To maintain the illusion of legitimacy, a decoy browser window is opened, displaying a real cryptocurrency trading website. The scheduled task then executes PowerShell commands designed to evade detection by Microsoft Defender. These commands exclude both the PowerShell process and the current directory from being scanned. Subsequently, obfuscated scripts are launched to collect extensive system, BIOS, and OS information, which is then structured and exfiltrated in JSON format via HTTP POST. The final stage involves downloading and launching the Node.js runtime, along with a compiled JavaScript file and supporting library modules. Once executed, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics, such as cross-platform compatibility and access to system resources, to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. This shift in tactics highlights the evolving threat landscape, where Node.js is increasingly being exploited for malicious purposes. Recommended read:
References :
@www.bleepingcomputer.com
//
Microsoft is set to block ActiveX controls by default in the Windows versions of Microsoft 365 Apps and Office 2024. This move, announced in April 2025, aims to enhance security by addressing vulnerabilities associated with the legacy software framework. ActiveX controls, introduced in 1996, enabled developers to create interactive objects embedded in Office documents. However, over time, these controls have become a significant point of entry for cybercriminals, similar to macros in Excel, with examples such as the propagation of the TrickBot malware through ActiveX.
Microsoft's decision to disable ActiveX controls by default is part of a broader effort to bolster the security of its products. Since 2018, the company has implemented various measures to block attack vectors exploiting Office applications. These include blocking VBA macros, disabling Excel 4.0 (XLM) macros by default, blocking untrusted XLL add-ins, and phasing out VBScript. The default setting previously was to prompt users before enabling ActiveX, which required users to understand the risks before granting permissions. When the change is deployed, users will receive a notification stating "BLOCKED CONTENT: The ActiveX content in this file is blocked" if a document contains an ActiveX control. This measure is intended to reduce the risk of malware or unauthorized code execution. Users can re-enable ActiveX controls through the Trust Center, provided administrators have granted them access to the ActiveX settings page. This change is more secure as it blocks the controls entirely. Recommended read:
References :
@unit42.paloaltonetworks.com
//
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.
The attackers send what appear to be legitimate coding assignments to the developers, but these challenges contain malware disguised within compromised projects. When the developers run these projects, their systems become infected with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system, sending it to a remote server, while RN Stealer is designed to harvest sensitive data from infected Apple macOS systems, including system metadata and installed applications. GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team. Recommended read:
References :
@learn.microsoft.com
//
Microsoft is alerting IT administrators to a significant issue affecting Windows Server 2025 domain controllers (DCs). After a restart, these DCs may experience a loss of network connectivity due to the servers loading the standard firewall profile instead of the domain firewall profile. This problem can render the domain controllers inaccessible on the network, disrupting Active Directory (AD) environments and potentially causing applications and services running on those servers or remote devices to fail or remain unreachable. The issue primarily impacts systems running the Active Directory Domain Services role on Windows Server 2025, with no client systems or earlier server versions affected.
This problem arises from the domain controllers failing to apply the correct network profile after a reboot, instead defaulting to a "Public" or standard firewall profile rather than the required "Domain Authenticated" profile. This misconfiguration can lead to ports and protocols that should be restricted by the domain firewall profile remaining open, posing potential security risks. Essential AD functions like Group Policy application, replication, and authentication are also disrupted, further compounding the problem for organizations relying on Active Directory for network management. While Microsoft is actively working on a permanent fix for this issue, which is expected to be included in a future update, they have provided a temporary workaround for affected systems. Administrators can manually restart the network adapter on the affected servers using PowerShell with the command 'Restart-NetAdapter *'. However, because the issue reoccurs after each system restart, this workaround must be applied repeatedly. To streamline this process, Microsoft suggests creating a scheduled task that automatically restarts the network adapter each time the domain controller reboots. Recommended read:
References :
@www.microsoft.com
//
Microsoft is enhancing the security of its Exchange Server and SharePoint Server platforms by integrating the Windows Antimalware Scan Interface (AMSI). These servers, considered "crown jewels" for many organizations, have become frequent targets for cyberattacks. The AMSI integration provides a vital layer of defense by preventing malicious web requests from reaching backend endpoints, effectively stopping attacks before they can cause harm. Microsoft emphasizes that threat actors often exploit outdated or misconfigured assets and vulnerabilities, highlighting the importance of this proactive security measure.
The integration of AMSI with Exchange and SharePoint Servers enables them to work seamlessly with any AMSI-compatible antimalware product. This measure is designed to counter sophisticated attack vectors targeting on-premises infrastructure. The enhanced AMSI capabilities extend scanning to HTTP request bodies, allowing for a broader detection of malicious payloads. While these features are not enabled by default, Microsoft strongly recommends that organizations activate them to bolster defenses against remote code execution and post-authentication vulnerabilities. Microsoft also addressed a zero-day vulnerability in the Windows Common Log File System (CLFS), tracked as CVE-2025-29824, with a security update released on April 8, 2025. This vulnerability allowed attackers with user access to escalate privileges and deploy ransomware. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) discovered exploitation of this flaw against a limited number of targets, including organizations in the IT, real estate, and financial sectors. Microsoft urges organizations to prioritize security updates for elevation of privilege vulnerabilities to defend against ransomware attacks. Recommended read:
References :
@Talkback Resources
//
A critical spoofing vulnerability, identified as CVE-2025-30401, has been discovered in WhatsApp for Windows. Meta, the parent company of WhatsApp, has released a security update to address this flaw, which impacts versions prior to 2.2450.6. The vulnerability could allow attackers to trick users and enable remote code execution on their devices. Users of WhatsApp for Windows are strongly advised to update to the latest version immediately to mitigate the risk. This issue arises from a discrepancy in how WhatsApp handles file attachments, specifically the mismatch between the MIME type and file extension handling.
The exploit mechanism involves attackers sending maliciously crafted files with altered file types to potential targets. The WhatsApp application displays attachments based on their MIME type but selects the file opening handler based on the attachment's filename extension. This allows an attacker to craft a malicious file that appears harmless, such as an image, but when opened, executes arbitrary code. The spoofing technique takes advantage of the discrepancy between MIME type and file extension handling, allowing attackers to execute arbitrary code on the victim’s system. The discovery of CVE-2025-30401 has raised concerns within the cybersecurity community, highlighting the importance of maintaining robust security practices in widely-used applications. While Meta has not reported any exploitation of this vulnerability in the wild, vulnerabilities in messaging applications like WhatsApp are frequently targeted by malicious actors. The impact of a successful exploit could include unauthorized system access and data theft, posing significant risks to users. To ensure protection, users should promptly update their WhatsApp for Windows application to version 2.2450.6 or later. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Microsoft has issued a critical security update as part of its April 2025 Patch Tuesday to address a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS). The vulnerability, classified as an elevation of privilege flaw, is being actively exploited by the RansomEXX ransomware gang to gain SYSTEM privileges on compromised systems. According to Microsoft, the attacks have targeted a limited number of organizations across various sectors and countries, including the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.
Microsoft Threat Intelligence Center (MSTIC) has attributed the exploitation activity to a group tracked as Storm-2460, which deployed the PipeMagic malware to facilitate the attacks. Successful exploitation of CVE-2025-29824 allows an attacker with a standard user account to escalate privileges, enabling them to install malware, modify system files, disable security features, access sensitive data, and maintain persistent access. This can result in full system compromise and lateral movement across networks, leading to the widespread deployment and detonation of ransomware within the affected environment. The zero-day vulnerability is located in the CLFS kernel driver and is due to a use-after-free weakness. Microsoft recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks. While Microsoft has issued security updates for impacted Windows versions, patches for Windows 10 x64 and 32-bit systems are pending release. In addition to fixing the zero-day flaw, Microsoft's April 2025 Patch Tuesday includes fixes for 134 other vulnerabilities, with 11 of them classified as critical remote code execution vulnerabilities. Recommended read:
References :
@The DefendOps Diaries
//
A critical security flaw, identified as CVE-2025-31334, has been discovered in WinRAR versions prior to 7.11. This vulnerability allows attackers to bypass Windows' Mark of the Web (MotW) security feature using symlinks. MotW is designed to warn users about potentially unsafe files downloaded from the internet, but this flaw enables the silent execution of malicious code without any warning prompts, essentially rendering the MotW security layer ineffective. This issue underscores the importance of timely software updates and robust security practices to protect against evolving cyber threats.
WinRAR, a widely used file archiver, has a history of security vulnerabilities. Previous exploits, such as the ACE file format vulnerability, have allowed attackers to execute malicious code with minimal user interaction. The current flaw, CVE-2025-31334, involves using symlinks within RAR archives to point to executable files. When these executables are launched from the WinRAR shell, the MotW data is ignored, allowing arbitrary code execution without user awareness. This vulnerability highlights a weakness in Microsoft's layered security model, as it can be bypassed by exploiting the fragmented trust between different components of the operating system. The vulnerability was responsibly disclosed by Shimamine Taihei through Japan’s Information Technology Promotion Agency and has been addressed in WinRAR version 7.11. The update included a fix to ensure that WinRAR respects the MotW tag on symlinked executables. Users are strongly advised to update to the latest version of WinRAR to mitigate the risk. Bypassing MotW is a tactic already exploited by malicious actors, highlighting the need for continuous vigilance and prompt patching to maintain system security. Recommended read:
References :
@blog.extensiontotal.com
//
Multiple malicious Visual Studio Code (VSCode) extensions have been identified, posing a significant threat to developers. Discovered on April 4, 2025, these extensions, found on the Microsoft VSCode Marketplace, masquerade as legitimate development tools. They include names such as "Discord Rich Presence" and "Rojo – Roblox Studio Sync" and operate by surreptitiously downloading and executing a PowerShell script. This script then disables Windows security features, establishes persistence through scheduled tasks, and installs the XMRig cryptominer, designed to mine Ethereum and Monero, all without the user's knowledge.
The attack employs a sophisticated multi-stage approach. Once installed, the malicious extensions download a PowerShell loader from a remote command-and-control (C2) server. This loader then disables security services to evade detection and deploys the XMRig cryptominer to exploit the victim's system resources for cryptocurrency mining. Notably, the attackers even install legitimate versions of the extensions they impersonate, a tactic designed to maintain the appearance of normalcy and prevent users from suspecting any malicious activity, further highlighting the deceptive nature of this campaign. Researchers at ExtensionTotal uncovered the malicious extensions and noted many had artificially inflated install counts designed to reduce suspicion. This incident underscores the growing threat of supply chain attacks targeting development environments. By exploiting vulnerabilities in the VSCode Marketplace, malicious actors can distribute malware to a wide range of developers. The fact that these extensions were able to bypass Microsoft's safety review processes raises concerns about the security of the marketplace. Users are strongly advised to exercise caution when installing VSCode extensions, carefully reviewing publisher details and extension permissions before installation. This serves as a reminder of the importance of robust security measures and constant vigilance to protect against evolving cyber threats. Recommended read:
References :
@cyberalerts.io
//
Microsoft has publicly credited EncryptHub, a cybercriminal actor linked to over 618 breaches, for disclosing vulnerabilities in Windows. This revelation highlights the complex and often contradictory nature of modern cybersecurity, where a known threat actor can also contribute to improving system security. The vulnerabilities reported by EncryptHub, tracked under the alias "SkorikARI with SkorikARI," included a Mark-of-the-Web security feature bypass (CVE-2025-24061) and a File Explorer spoofing vulnerability (CVE-2025-24071), both of which were patched in Microsoft's latest Patch Tuesday update.
Outpost24 KrakenLabs, a Swedish security company, has been investigating EncryptHub, unmasking details about their operations, infrastructure, and the mistakes that led to their exposure. These operational security (OPSEC) failures, combined with the actor's reliance on ChatGPT, allowed researchers to gain unprecedented insights into their tactics, techniques, and procedures (TTPs). EncryptHub's activities have been traced back to a lone wolf actor who allegedly fled Ukraine for Romania, seeking computer-related jobs while studying computer science through online courses. EncryptHub compromised 618+ targets using Microsoft flaws and custom malware after failed freelance attempts. EncryptHub's reliance on ChatGPT as a development assistant is a notable aspect of their operations. The AI chatbot was used to create malware components, configure command-and-control (C2) servers, develop phishing sites, and even draft posts for underground forums. In one instance, EncryptHub used ChatGPT to draft posts selling exploits for vulnerabilities they had previously reported under an alias to Microsoft’s Security Response Center (MSRC). The actor’s most recent exploit, CVE-2025-26633 (aka MSC EvilTwin), targeted the Microsoft Management Console to deliver info stealers and zero-day backdoors. Despite EncryptHub's technical capabilities, their operational sloppiness, including self-infections and reused credentials, ultimately led to their exposure. Recommended read:
References :
|