CyberSecurity news
FlagThis - #microsoft
|
@www.microsoft.com
//
References:
www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.
As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents. To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots. Recommended read:
References :
Ddos@securityonline.info
//
A new cyber-espionage campaign has been uncovered, targeting public sector organizations in Tajikistan. The threat actor behind this campaign is TAG-110, a group linked to Russia and also known as UAC-0063 and APT28 (BlueDelta). Recorded Future’s Insikt Group discovered that TAG-110 is using macro-enabled Microsoft Word templates (.dotm files) to gain access to and exfiltrate intelligence from Tajik government, educational, and research institutions, particularly those involved in military affairs or electoral processes. This campaign reflects Russia’s strategic interest in Central Asia through intelligence-gathering operations.
These malicious Word templates are deployed through phishing lures disguised as official Tajik government documents. The templates are saved in the Microsoft Word STARTUP folder, ensuring automatic execution each time Word is launched. This tactic represents a shift from TAG-110’s previous use of HTA-based payloads like HATVIBE. The two malicious documents identified are themed around radiation safety for Tajikistan’s armed forces and election schedules in Dushanbe. Upon execution, the embedded VBA macros collect system metadata such as username, computer name, language, and resolution. This data is then sent to a hardcoded command-and-control (C2) server. The macros also establish persistence by copying themselves to the %APPDATA%\Microsoft\Word\STARTUP\ directory. Researchers state that this evolution highlights a tactical shift prioritizing persistence. The use of .dotm files and VBA macros allows TAG-110 to maintain a stealthy presence and collect data from compromised systems, turning them into surveillance nodes. Recommended read:
References :
Dhara Shrivastava@cysecurity.news
//
Marks & Spencer (M&S) and Co-op, major UK retailers, have been hit by a Scattered Spider cyberattack involving DragonForce ransomware. The attack has caused weeks-long disruptions, impacting online transactions and the availability of food, fashion, and home goods. M&S warns that the disruption to online transactions could last until July. The cybercrime gang Scattered Spider is also believed to be behind attacks on other UK retailers, including Harrods.
The financial impact on M&S is expected to be significant. The company anticipates the cyberattack will cut $400 million from its profits and reported losing over £40 million in weekly sales since the attack began over the Easter bank holiday weekend. As a precaution, M&S took down some of its systems, resulting in short-term disruptions. This decision was made to protect its systems, customers, and partners from further compromise. In response to the attack, M&S plans to accelerate its technology improvement plan, shortening the timeframe from two years to six months. This reflects the urgent need to bolster its cybersecurity defenses and prevent future disruptions. The company previously outlined plans in 2023 to improve its technology stack, including investments in infrastructure, network connectivity, store technology, and supply-chain systems. M&S acknowledged that personal data of customers had been stolen, including names, dates of birth, telephone numbers, home and email addresses, and online order histories. However, the retailer insisted that the data theft did not include usable card, payment, or login information. Recommended read:
References :
@www.microsoft.com
//
Microsoft is taking a significant step towards future-proofing cybersecurity by integrating post-quantum cryptography (PQC) into Windows Insider builds. This move aims to protect data against the potential threat of quantum computers, which could render current encryption methods vulnerable. The integration of PQC is a critical step toward quantum-resilient cybersecurity, ensuring that Windows systems can withstand attacks from more advanced computing power in the future.
Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility. This is being done in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history. The urgency behind this transition stems from the "harvest now, decrypt later" threat, where malicious actors store encrypted communications today, with the intent to decrypt them once quantum computers become capable. These captured secrets, such as passwords, encryption keys, or medical data, could remain valuable to attackers for years to come. By adopting PQC algorithms, Microsoft aims to safeguard sensitive information against this future risk, emphasizing the importance of starting the transition now. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical privilege escalation vulnerability has been discovered in the delegated Managed Service Account (dMSA) feature of Windows Server 2025's Active Directory. This flaw, dubbed "BadSuccessor," allows attackers with minimal permissions, specifically the ability to create objects inside an Active Directory organizational unit, to gain control over any user in the Active Directory domain, including Domain Admins. The vulnerability stems from improper permission handling during dMSA migration, where unauthorized users can simulate a migration process and inherit permissions of other accounts, even those with Domain Admin privileges. Security researchers have detailed that only write permissions over the attributes of a dMSA are required to execute this attack.
Microsoft has acknowledged the "BadSuccessor" issue in Windows Server 2025 but has rated it as moderate severity, sparking disagreement from security researchers who believe it poses a significant risk. Currently, there is no official patch available from Microsoft to address this vulnerability. This lack of an immediate patch has led security firms such as Akamai to document the privilege escalation flaw, emphasizing the potential for attackers to fully compromise an Active Directory domain by exploiting the dMSA feature. Akamai researchers found that in 91% of the environments they examined, users outside the domain admins group had the required permissions to perform this attack. Organizations utilizing Active Directory are strongly advised to be aware of this vulnerability and actively monitor for suspicious activity related to dMSA objects. Security researchers are suggesting workarounds to mitigate the risk until Microsoft releases a formal patch. The core of the attack involves abusing the dMSA feature to elevate privileges, highlighting the importance of carefully reviewing and restricting permissions related to dMSA creation and management. Furthermore, the discovery of this vulnerability emphasizes the need for organizations to stay informed about the latest security research and apply necessary security measures to protect their Active Directory environments. Recommended read:
References :
@arstechnica.com
//
Signal, the privacy-focused messaging application, has taken action to block Microsoft's controversial Recall feature from capturing screenshots of its desktop app content on Windows 11. Citing privacy concerns over Recall's ability to automatically take screenshots of on-screen activity, Signal has implemented a "screen security" setting, enabled by default, that leverages Digital Rights Management (DRM) to prevent the tool from accessing and recording private conversations. This move comes as Signal expresses discontent with Microsoft's approach, arguing that Recall lacks sufficient developer controls to exclude specific apps and protect sensitive information.
Microsoft's Recall feature, designed for Copilot+ PCs, works by continuously taking screenshots and creating a searchable database of user activity. Signal argues that this poses a significant risk to the privacy of its users, as private conversations could be inadvertently captured and stored. By implementing DRM, Signal sets a flag on its application window that instructs Recall, and any other screenshotting application, to ignore its content. While Signal acknowledges this is a blunt tool that may interfere with accessibility software, it believes Microsoft left them with no other choice. Signal has criticized Microsoft for not providing developers with the necessary tools to manage how Recall interacts with their applications. The messaging app argues that it shouldn't have to resort to using DRM "content protection hacks" to safeguard user privacy. Signal hopes that AI teams building systems like Recall will carefully consider the privacy implications and avoid forcing apps to use workarounds to protect the integrity of their services. They want the AI teams to know that this will potentially affect accessibility options like screen readers. Recommended read:
References :
Dhara Shrivastava@cysecurity.news
//
British retailer giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with potential profit losses estimated at £300 million, equivalent to $402 million. The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S anticipates these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.
The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation. M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item. Recommended read:
References :
@www.eweek.com
//
Microsoft is embracing the Model Context Protocol (MCP) as a core component of Windows 11, aiming to transform the operating system into an "agentic" platform. This integration will enable AI agents to interact seamlessly with applications, files, and services, streamlining tasks for users without requiring manual inputs. Announced at the Build 2025 developer conference, this move will allow AI agents to carry out tasks across apps and services.
MCP functions as a lightweight, open-source protocol that allows AI agents, apps, and services to share information and access tools securely. It standardizes communication, making it easier for different applications and agents to interact, whether they are local tools or online services. Windows 11 will enforce multiple security layers, including proxy-mediated communication and tool-level authorization. Microsoft's commitment to AI agents also includes the NLWeb project, designed to transform websites into conversational interfaces. NLWeb enables users to interact directly with website content through natural language, without needing apps or plugins. Furthermore, the NLWeb project turns supported websites into MCP servers, allowing agents to discover and utilize the site’s content. GenAIScript has also been updated to enhance security of Model Context Protocol (MCP) tools, addressing vulnerabilities. Options for tools signature hashing and prompt injection detection via content scanners provide safeguards across tool definitions and outputs. Recommended read:
References :
@www.bleepingcomputer.com
//
Cybercriminals have been actively distributing trojanized versions of the KeePass password manager for at least eight months, leading to significant security breaches. These malicious versions are designed to install Cobalt Strike beacons, steal stored credentials, and ultimately deploy ransomware on compromised networks. The attacks often begin with users downloading fake KeePass installers promoted through malicious advertisements on search engines like Bing and DuckDuckGo, which redirect victims to lookalike websites.
Once installed, the trojanized KeePass variants, sometimes referred to as "KeeLoader," function as both a credential stealer and a loader for additional malware. These altered versions export the password database in clear text, relaying it to attackers via the Cobalt Strike beacon. This allows the cybercriminals to gain unauthorized access to sensitive networks, VPNs, and cloud services. The compromised credentials enable attackers to deploy ransomware payloads, often targeting VMware ESXi servers to encrypt datastores, disrupting operations and demanding ransom payments. Researchers at WithSecure have uncovered that the attackers modify the open-source KeePass code, embedding malicious functionality directly into the application. This makes the altered KeePass builds difficult to detect as they retain all legitimate functionalities while secretly logging credentials and exporting them as CSV files. The use of valid, trusted code-signing certificates further helps the malicious versions evade detection. Security experts emphasize the importance of downloading software only from official websites and verifying the application's authenticity to avoid falling victim to these sophisticated attacks. Recommended read:
References :
@www.csoonline.com
//
A new cybersecurity threat has emerged, putting Windows users at risk. A tool called 'Defendnot' can disable Microsoft Defender, the built-in antivirus software in Windows 10 and 11. This is achieved by registering a fake antivirus product through an exploited vulnerability in the Windows Security Center (WSC) API. This exploit tricks Windows into thinking another antivirus solution is managing real-time protection, causing it to automatically disable Microsoft Defender to avoid conflicts. Even if no real antivirus software is installed, Defendnot can still successfully deactivate the system's primary defense, leaving the computer vulnerable to malicious attacks.
The Defendnot tool, created by a security researcher known as es3n1n, takes advantage of an undocumented WSC API intended for antivirus software manufacturers. This API allows legitimate antivirus programs to inform Windows that they are installed and handling real-time protection. Defendnot abuses this functionality by simulating a valid antivirus product, passing all of Windows' verification checks. This exploitation raises concerns about the security of the WSC API and the potential for other malicious actors to utilize similar techniques to bypass Windows' built-in security measures. This isn't the first attempt to exploit this vulnerability. An earlier tool, named "no-defender," was previously released but faced a DMCA takedown request after gaining significant attention. The developer was accused of using code from a third-party antivirus product to spoof registration with the WSC. Defendnot is a replacement for that tool, and it also features a loader enabling customized antivirus names, registration deactivation, and verbose logging, as well as allows automated execution via the Windows Task Scheduler for persistence. Microsoft is aware of the problem and has begun flagging the tool as potentially malicious software, being tracked and quarantined as 'Win32/Sabsik.FL.!ml'. Recommended read:
References :
@siliconangle.com
//
Microsoft Corp. has announced a significant expansion of its AI security and governance offerings, introducing new features aimed at securing the emerging "agentic workforce," where AI agents and humans work collaboratively. The announcement, made at the company’s annual Build developer conference, reflects Microsoft's commitment to addressing the growing challenges of securing AI systems from vulnerabilities like prompt injection, data leakage, and identity sprawl, while also ensuring regulatory compliance. This expansion involves integrating Microsoft Entra, Defender, and Purview directly into Azure AI Foundry and Copilot Studio, enabling organizations to secure AI applications and agents throughout their development lifecycle.
Leading the charge is the launch of Entra Agent ID, a new centralized solution for managing the identities of AI agents built in Copilot Studio and Azure AI Foundry. This system automatically assigns each agent a secure and trackable identity within Microsoft Entra, providing security teams with visibility and governance over these nonhuman actors within the enterprise. The integration extends to third-party platforms through partnerships with ServiceNow Inc. and Workday Inc., supporting identity provisioning across human resource and workforce systems. By unifying oversight of AI agents and human users within a single administrative interface, Entra Agent ID lays the groundwork for broader nonhuman identity governance across the enterprise. In addition, Microsoft is integrating security insights from Microsoft Defender for Cloud directly into Azure AI Foundry, providing developers with AI-specific threat alerts and posture recommendations within their development environment. These alerts cover more than 15 detection types, including jailbreaks, misconfigurations, and sensitive data leakage. This integration aims to facilitate faster response to evolving threats by removing friction between development and security teams. Furthermore, Purview, Microsoft’s integrated data security, compliance, and governance platform, is receiving a new software development kit that allows developers to embed policy enforcement, auditing, and data loss prevention into AI systems, ensuring consistent data protection from development through production. Recommended read:
References :
@blogs.microsoft.com
//
Microsoft Build 2025 showcased the company's vision for the future of AI with a focus on AI agents and the agentic web. The event highlighted new advancements and tools aimed at empowering developers to build the next generation of AI-driven applications. Microsoft introduced Microsoft Entra Agent ID, designed to extend industry-leading identity management and access capabilities to AI agents, providing a secure foundation for AI agents in enterprise environments using zero-trust principles.
The announcements at Microsoft Build 2025 demonstrate Microsoft's commitment to making AI agents more practical and secure for enterprise use. A key advancement is the introduction of multi-agent systems within Copilot Studio, enabling AI agents to collaborate on complex business tasks. This system allows agents to delegate tasks to each other, streamlining processes such as sales data retrieval, proposal drafting, and follow-up scheduling. The integration of Microsoft 365, Azure AI Agents Service, and Azure Fabric further enhances these capabilities, addressing limitations that have previously hindered the broader adoption of agent technology in business settings. Furthermore, Microsoft is emphasizing interoperability and user-friendly AI interaction. Support for the agent-to-agent protocol announced by Google could enable cross-platform agent communication. The "computer use" feature for Copilot Studio agents allows them to interact with desktop applications and websites by directly controlling user interfaces, even without API dependencies. This feature enhances the functionality of AI agents by enabling them to perform tasks that require interaction with existing software and systems, regardless of API availability. Recommended read:
References :
@gbhackers.com
//
References:
cyberpress.org
, isc.sans.edu
,
Cybersecurity researchers have recently uncovered a sophisticated malware campaign targeting Windows systems through the exploitation of AutoIT scripts. AutoIT, a scripting language initially designed for Windows automation, has become a popular tool in the malware ecosystem due to its simplicity and ability to interact with various Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, allowing it to evade detection and maintain persistence on infected machines.
The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active. The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. All strings within this script are encoded using a custom function called "Wales," which transforms ASCII values into a readable format only after decoding. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which, when decoded, reveals "ProcessExists('avastui.exe')." This suggests the malware checks for antivirus processes to potentially avoid detection or alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll" by injecting it into a "jsc.exe" process. Recommended read:
References :
@blogs.microsoft.com
//
Microsoft is doubling down on its commitment to artificial intelligence, particularly through its Copilot platform. The company is showcasing Copilot as a central AI model for Windows users and is planning to roll out new features. A new memory feature is undergoing testing for Copilot Pro users, enabling the AI to retain contextual information about users, mimicking the functionality of ChatGPT. This personalization feature, accessible via the "Privacy" tab in Copilot's settings, allows the AI to remember user preferences and prior tasks, enhancing its utility for tasks like drafting documents or scheduling.
Microsoft is also making strategic moves concerning its Office 365 and Microsoft 365 suites in response to an EU antitrust investigation. To address concerns about anti-competitive bundling practices related to its Teams communication app, Microsoft plans to offer these productivity suites without Teams at a lower price point. Teams will also be available as a standalone product. This initiative aims to provide users with more choice and address complaints that the inclusion of Teams unfairly disadvantages competitors. Microsoft has also committed to improving interoperability, enabling rival software to integrate more effectively with its services. Satya Nadella, Microsoft's CEO, is focused on making AI models accessible to customers through Azure, regardless of their origin. Microsoft's strategy involves providing various AI models to maximize profit gains, even those developed outside of Microsoft. Nadella emphasizes that Microsoft's allegiance isn't tied exclusively to OpenAI's models but encompasses a broader approach to AI accessibility. Microsoft believes ChatGPT and Copilot are similar however the company is working hard to encourage users to use Copilot by adding features such as its new memory function and not supporting the training of the ChatGPT model. Recommended read:
References :
@borncity.com
//
Microsoft has confirmed that the May 2025 security updates for Windows 10 and Windows 11 are triggering BitLocker recovery issues on some systems. Specifically, cumulative update KB5058379, released on May 13, 2025, for Windows 10 22H2, is causing the operating system to request the BitLocker recovery key upon boot. In some instances, affected systems are hanging, effectively locking users out of their devices. The problem appears to extend to Windows 11 as well, with reports indicating similar BitLocker recovery prompts after installing the update.
Microsoft has acknowledged the issue and posted a support article in the Windows Release Health dashboard of Windows Server 10 22H2. The company stated that after installing KB5058379, Windows 10 22H2 might repeatedly display the BitLocker recovery screen at startup. The issue is particularly prevalent on devices with Intel Trusted Execution Technology (TXT) enabled on Intel vPro processors of the 10th generation or later. Microsoft has identified that the update can cause lsass.exe to terminate unexpectedly, triggering an automatic repair and subsequently prompting for the BitLocker recovery key. The BitLocker recovery issue is causing widespread disruption, especially for businesses, with IT departments reporting numerous devices simultaneously stuck at the recovery prompt. While BitLocker typically only requests the recovery key after significant hardware or firmware changes, KB5058379 is triggering the prompt unexpectedly, even when no such changes have occurred. In addition to the BitLocker prompts, some users are reporting Blue Screens of Death (BSOD) during or immediately after the update process. While Microsoft works on a fix, IT professionals have found that disabling Intel Trusted Execution Technology (TXT) in the BIOS allows the update to complete without triggering the BitLocker prompt. Recommended read:
References :
@msrc.microsoft.com
//
Microsoft has released its May 2025 Patch Tuesday updates, addressing a total of 71 or 72 vulnerabilities, depending on the source, across its software. This includes fixes for five actively exploited zero-day vulnerabilities and two publicly known vulnerabilities. The updates target flaws in various Windows components, including the Windows Common Log File System (CLFS), DWM Core Library, Scripting Engine, and Winsock.
Among the critical issues addressed are elevation of privilege (EoP) and remote code execution (RCE) vulnerabilities. Specifically, two zero-days in the CLFS (CVE-2025-32701 and CVE-2025-32706) allow attackers to gain SYSTEM privileges. Another zero-day (CVE-2025-30400) is a use-after-free vulnerability in the Windows Desktop Window Manager (DWM) Core Library, which can also lead to privilege escalation. A scripting engine memory corruption vulnerability (CVE-2025-30397) could allow for remote code execution if a user visits a malicious web page while using Internet Explorer mode in Edge. The Cybersecurity and Infrastructure Security Agency (CISA) has added all five exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging administrators to patch these flaws by June 3, 2025. Security experts emphasize the importance of prioritizing these updates to prevent potential privilege escalation, code execution, and other malicious activities. The identified vulnerabilities highlight the ongoing risk posed by CLFS exploitation and the need for continuous monitoring and patching efforts. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.
The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory. The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities. Recommended read:
References :
@cyberscoop.com
//
CISA has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This action follows Microsoft's May 2025 Patch Tuesday, which addressed a total of 72 vulnerabilities, including these five zero-day exploits. The vulnerabilities affect various Windows components, posing a significant risk to systems if left unpatched. The addition to the KEV catalog underscores the urgency for organizations to apply the relevant Microsoft patches.
The zero-day vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. CVE-2025-30397 is a memory corruption vulnerability in the Windows scripting engine, while CVE-2025-30400 affects the Microsoft DWM Core Library. CVE-2025-32701 and CVE-2025-32706 are defects in the Windows Common Log File System (CLFS) Driver, which are particularly concerning as they can lead to elevation of privilege to SYSTEM. CVE-2025-32709 resides in the Windows Ancillary Function Driver for WinSock. Security experts recommend immediate patching, especially for the CLFS driver vulnerabilities. Mike Walters of Action1 warned that attackers could exploit the CLFS zero-days to gain full control of systems, allowing them to run arbitrary code, install malware, modify data, or disable security protections. The Cybersecurity and Infrastructure Security Agency (CISA) encourages all organizations to review and apply the necessary updates to mitigate the risk of exploitation. Recommended read:
References :
@cyberpress.org
//
A new method has emerged for stealing Microsoft Entra refresh tokens using Beacon Command & Control (C2) frameworks. This novel technique leverages browser-based authorization flows and Windows API functions to bypass traditional detection mechanisms, allowing attackers to maintain persistent access to cloud resources, even on devices not joined to a domain. The exploit utilizes Beacon Object Files (BOFs) to extract Entra tokens from compromised endpoints, posing a significant risk to enterprise cloud environments. By exploiting the OAuth 2.0 authorization code flow with modifications for offensive operations, attackers can initiate a hidden browser session and scrape the authorization code from the browser window title using the GetWindowTextA Win32 API.
The attack method capitalizes on First-Party Client IDs (FOCI) such as Microsoft Teams, allowing access to multiple Microsoft services through "family refresh tokens." This provides operational advantages by blending token requests with legitimate user activity as they originate from the compromised host's IP address. Furthermore, it is compatible with Bring Your Own Device (BYOD) scenarios, where traditional Primary Refresh Token (PRT) extraction methods fail. After acquiring refresh tokens, attackers can conduct AzureAD reconnaissance via tools like ROADrecon. A separate but related flaw in Microsoft Entra ID's legacy login process has also been exploited to bypass MFA and Conditional Access, targeting admin accounts across various sectors including finance, healthcare, manufacturing, and technology. This vulnerability resides in the Basic Authentication Version 2 – Resource Owner Password Credential (BAV2ROPC), a legacy login method that allows authentication using simple usernames and passwords. The attacks, which occurred between March 18 and April 7, 2025, demonstrate the dangers of outdated authentication protocols in cloud environments, highlighting how attackers can circumvent modern protections by exploiting compatibility features within Entra ID. Recommended read:
References :
@cyberalerts.io
//
A new malware campaign is exploiting the hype surrounding artificial intelligence to distribute the Noodlophile Stealer, an information-stealing malware. Morphisec researcher Shmuel Uzan discovered that attackers are enticing victims with fake AI video generation tools advertised on social media platforms, particularly Facebook. These platforms masquerade as legitimate AI services for creating videos, logos, images, and even websites, attracting users eager to leverage AI for content creation.
Posts promoting these fake AI tools have garnered significant attention, with some reaching over 62,000 views. Users who click on the advertised links are directed to bogus websites, such as one impersonating CapCut AI, where they are prompted to upload images or videos. Instead of receiving the promised AI-generated content, users are tricked into downloading a malicious ZIP archive named "VideoDreamAI.zip," which contains an executable file designed to initiate the infection chain. The "Video Dream MachineAI.mp4.exe" file within the archive launches a legitimate binary associated with ByteDance's CapCut video editor, which is then used to execute a .NET-based loader. This loader, in turn, retrieves a Python payload from a remote server, ultimately leading to the deployment of the Noodlophile Stealer. This malware is capable of harvesting browser credentials, cryptocurrency wallet information, and other sensitive data. In some instances, the stealer is bundled with a remote access trojan like XWorm, enabling attackers to gain entrenched access to infected systems. Recommended read:
References :
@securityonline.info
//
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.
The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF). Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development. Recommended read:
References :
@industrialcyber.co
//
References:
Industrial Cyber
, NCSC News Feed
,
The UK's National Cyber Security Centre (NCSC) has issued a warning that critical systems in the United Kingdom face increasing risks due to AI-driven vulnerabilities. The agency highlighted a growing 'digital divide' between organizations capable of defending against AI-enabled threats and those that are not, exposing the latter to greater cyber risk. According to a new report, developments in AI are expected to accelerate the exploitation of software vulnerabilities by malicious actors, intensifying cyber threats by 2027.
The report, presented at the NCSC's CYBERUK conference, predicts that AI will significantly enhance the efficiency and effectiveness of cyber intrusions. Paul Chichester, NCSC director of operations, stated that AI is transforming the cyber threat landscape by expanding attack surfaces, increasing the volume of threats, and accelerating malicious capabilities. He emphasized the need for organizations to implement robust cybersecurity practices across their AI systems and dependencies, ensuring up-to-date defenses. The NCSC assessment emphasizes that by 2027, AI-enabled tools will almost certainly improve threat actors' ability to exploit known vulnerabilities, leading to a surge in attacks against systems lacking security updates. With the time between vulnerability disclosure and exploitation already shrinking, AI is expected to further reduce this timeframe. The agency urges organizations to adopt its guidance on securely implementing AI tools while maintaining strong cybersecurity measures across all systems. Recommended read:
References :
@securityonline.info
//
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.
The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes. The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures. Recommended read:
References :
@zdnet.com
//
Microsoft is rolling out a wave of new AI-powered features for Windows 11 and Copilot+ PCs, aiming to enhance user experience and streamline various tasks. A key addition is an AI agent designed to assist users in navigating and adjusting Windows 11 settings. This agent will understand user intent through natural language, allowing them to simply describe the setting they wish to change, such as adjusting mouse pointer size or enabling voice control. With user permission, the AI agent can then automate and execute the necessary adjustments. This feature, initially available to Windows Insiders on Snapdragon X Copilot+ PCs, seeks to eliminate the frustration of searching for and changing settings manually.
Microsoft is also enhancing Copilot with new AI skills, including the ability to act on screen content. One such action, "Ask Copilot," will enable users to draft content in Microsoft Word based on on-screen information, or create bulleted lists from selected text. These capabilities aim to boost productivity by leveraging generative AI to quickly process and manipulate information. Furthermore, the Windows 11 Start menu is undergoing a revamp, offering easier access to apps and a phone companion panel for quick access to information from synced iPhones or Android devices. The updated Start menu, along with the new AI features, will first be available to Windows Insiders running Snapdragon X Copilot Plus PCs. In a shift toward passwordless security, Microsoft is removing the password autofill feature from its Authenticator app, encouraging users to transition to Microsoft Edge for password management. Starting in June 2025, users will no longer be able to save new passwords in the Authenticator app, with autofill functionality being removed in July 2025. By August 2025, saved passwords will no longer be accessible in the app. Microsoft argues that this change streamlines the process, as passwords will be synced with the Microsoft account and accessible through Edge. However, users who do not use Edge may find this transition less seamless, as they will need to install Edge and make it the default autofill provider to maintain access to their saved passwords. Recommended read:
References :
|