microsoft (23)

12374281897?profile=RESIZE_400xAttackers are abusing Microsoft Teams to send phishing messages, according to researchers at AT&T Cybersecurity.  “While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector,” the researchers write.  “Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one or

12336973288?profile=RESIZE_400xA new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.  Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation.  Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scra

12239035273?profile=RESIZE_400xMalicious ADs served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools.  The findings come from researchers, who revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations.

Introduced by Microsoft in February 2023, Bing Chat is an interactive search experience that's powered by OpenAI's large language model called GPT-4.  A month lat

12213058659?profile=RESIZE_400xMicrosoft spokesmen disclosed on 17 August 2023 that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution.  "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's threat intelligence team said in a series of posts on X (formerly Twitter).  "This Bla

12213048281?profile=RESIZE_400xThreat actors' use of Cloudflare R2 to host phishing pages has witnessed a 61-fold increase over the past six months.  The majority of the phishing campaigns target Microsoft login credentials, although some pages are targeting Adobe, Dropbox, and other cloud apps, was recently reported by security researchers.   Cloudflare R2, analogous to Amazon Web Service S3, Google Cloud Storage, and Azure Blob Storage, is a data storage service for the cloud.[1]

Cloudflare R2 is a zero-egress distributed o

12185081291?profile=RESIZE_400xMultiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.  Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.[1]

THREAT INTELLIGEN

11148338501?profile=RESIZE_400xAround the time that the US Federal Bureau of Investigation (FBI) was examining the equipment recovered from the wreckage of the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code that has been popping up in telecommunications systems in Guam and elsewhere in the US.

The code, which Microsoft said was installed by a Chinese government hacking group,

10887944079?profile=RESIZE_400xAccording to cyber experts, threat groups are making nearly 1,000 attempts to hack account passwords every single second and they are more determined to succeed with the number of attacks increasing.  This analysis comes from Microsoft's Digital Defense Report 2022 and are based on research of trillions of alerts and signals collected from the company's worldwide ecosystem of products and services. 

The report cautions that cyber-attacks are increasing, with account passwords still very much the

10834958069?profile=RESIZE_400xFortinet researchers recently found some malicious Microsoft Office documents that attempted to leverage legitimate websites, MediaFire and Blogger, to execute a shell script and then dropped two malware variants of Agent Tesla and njRat.  Agent Tesla is a well-known spyware, first discovered in 2014, which can steal personal data from web browsers, mail clients, and FTP servers, collect screenshots and videos, and capture clipboard data.  njRat (also known as Bladabindi) is a remote agent Troja

10796711491?profile=RESIZE_400xRussian cyberespionage group APT29, responsible for the devastating SolarWinds supply chain attacks in 2020, is back in the news.  In a technical report published by Microsoft, the APT29 cyber-spies have acquired authentication bypass of a new post-exploitation tactic.  Microsoft previously tracked the actors as Nobelium (a), Cozy Bear (b), and the Dukes (C).

Findings Details:  Microsoft wrote in its report that the hackers are targeting corporate networks with a new authentication bypassing tec

10090371874?profile=RESIZE_400xThe Microsoft Security Intelligence team is warning that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a bogus app that then lets attackers read and write emails.   The team reported that attackers are sending the OAuth phishing emails to "hundreds" of Office 365 customers.

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other we

9840518456?profile=RESIZE_400xMicrosoft (MS) announced recently that data collected by its network of honeypot servers, that most brute-force attackers primarily attempt to guess short passwords, with very few attacks targeting credentials that are either long or contain complex characters.

“I analyzed the credentials entered from over >25 million brute force attacks against SSH.  This is around 30 days of data in Microsoft’s sensor network,” said a security researcher at Microsoft.  77% of attempts used a password between 1

9739418301?profile=RESIZE_400xMicrosoft has teamed up with Intel and Goldman Sachs to push for hardware security improvements that could help to mitigate supply chain risks.  Working under the auspices of the non-profit Trusted Computing Group (TCG), the companies have created a new Supply Chain Security workgroup that will aim to bring in experts from across the tech sphere.

The TCG argued that malicious and counterfeit hardware is particularly difficult to detect as most organizations don’t have the tools or in-house knowl

9553661087?profile=RESIZE_400xActivity Summary - Week Ending 10 September 2021:

  • Red Sky Alliance identified 47,398 connections from new unique IP addresses- Sinkholes
  • Analysts identified 1,034 new IP addresses participating in various Botnets
  • 4 unique email accounts compromised with Keyloggers were used to log into Personal Accounts
  • Sality Malware Variant seen 42252 times this past week
  • Hive Ransomware Alert
  • STRRAT RAT
  • FIN7 again
  • Microsoft and $20 billion in Cyber Security
  • South Korea and TrickBot Arrest
  • To SOAR, or to SIEM

9428788269?profile=RESIZE_400xSome things seem to come full circle.  Morse Code was invented in the 1800’s by Samuel Morse when he worked with an electrical telegraph system sending pulses of electric current and an electromagnet.  His code used the pulse and breaks between them to transmit information.  Popular with amateur radio operators, this code is no longer required if you want to get a pilots or air traffic controller license, though these individuals often have a basic understanding of the code. Morse code is a meth

9158672090?profile=RESIZE_400xIT companies are making up the majority of organizations being targeted amid new activity by the group behind last year’s SolarWinds supply-chain attack, with at least one victim coming from Microsoft’s customer support ranks. 

On 25 June 2021, the Microsoft Threat Intelligence Center said it was monitoring new activity from the Nobelium threat actor, which Microsoft is calling the group, with the vendor observing password spray and brute-force attacks, among other potential methods and tactics.

8684060481?profile=RESIZE_400xIn addition to the aggravation of having to find the “car” in a series of pictures, a phishing attack targeting Microsoft users leverages a bogus Google reCAPTCHA system.  Microsoft users are being targeted with thousands of phishing emails, in an ongoing attack aiming to steal their Office 365 credentials.  The attackers add an air of legitimacy to the campaign by leveraging a fake Google reCAPTCHA system and top-level domain landing pages that include the logos of victims’ companies.

According

8467359093?profile=RESIZE_400xThe president of Microsoft, Brad Smith, provided a warning of increasing cyber-threats to society as technology plays a more powerful role in our lives.  This warning delivered during his recent talk at the Consumer Electronics Show (CES) 2021.  Smith delineated the potential enormous benefits and advancements that technologies offer, including in areas like; sustainability, the cyber-threats being faced are correspondingly becoming increasingly concerning. “As computers create all this promise,

8226972266?profile=RESIZE_400xDespite attempted to stop the criminal hacking group responsible for managing the Trickbot trojan, they continue malicious activities by introducing new versions that make this malware more difficult terminate.  Trickbot now can offer other malware with Access-as-a Service capabilities (AaaS).  Many cyber threat attacks start with a successful phishing campaign.  This allows for the Trickbot malware trojan to be used as a pathway for ransomware infections and Denial-of-Service Attacks (DDoS atta

8198050864?profile=RESIZE_400xActivity Summary - Week Ending 20 November 2020:

  • Red Sky Alliance identified 35,859 connections from new unique IP addresses
  • Microsoft IP is a compromised C2
  • APT 10 – Stone Panda back in the Top 5 Threat Actor Groups
  • Capcom Hack - Part II
  • Kucoin Exchange Hacked
  • Kucoin-activity[.]com - Beware
  • Cryptocurrency Challenges
  • Plowshares going to Prison
  • Black activists in Portland OR doing the Moonwalk
  • Sodinokibi using BLM as Registry key

Link to full report: IR-20-325-001-Tactical Cyber Brief325_FINAL.