Tag Microsoft

Storm-0501 Exploits Entra ID for Azure Data Exfiltration and Deletion in Hybrid Cloud Attacks

August 27, 2025
Ransomware / Cloud Security

The financially motivated threat actor known as Storm-0501 has been observed enhancing its tactics to carry out data exfiltration and extortion attacks in cloud environments. “Unlike traditional on-premises ransomware that relies on deploying malware to encrypt essential files across compromised network endpoints and negotiating for a decryption key, cloud-based ransomware represents a significant change,” noted the Microsoft Threat Intelligence team in a report shared with The Hacker News. “Utilizing cloud-native capabilities, Storm-0501 swiftly exfiltrates substantial data volumes, deletes data and backups within the victim’s environment, and demands ransom—all without conventional malware deployment.” Storm-0501 was initially documented by Microsoft nearly a year ago, focusing on its hybrid cloud ransomware attacks against sectors such as government, manufacturing, transportation, and law enforcement in the U.S.

Storm-0501 Leveraging Entra ID in Sophisticated Hybrid Cloud Attacks August 27, 2025 Ransomware / Cloud Security A financially motivated threat actor known as Storm-0501 has intensified its focus on cloud environments, employing advanced strategies for data exfiltration and extortion. Unlike traditional ransomware that typically employs malware to encrypt files across…

Read More

Storm-0501 Exploits Entra ID for Azure Data Exfiltration and Deletion in Hybrid Cloud Attacks

August 27, 2025
Ransomware / Cloud Security

The financially motivated threat actor known as Storm-0501 has been observed enhancing its tactics to carry out data exfiltration and extortion attacks in cloud environments. “Unlike traditional on-premises ransomware that relies on deploying malware to encrypt essential files across compromised network endpoints and negotiating for a decryption key, cloud-based ransomware represents a significant change,” noted the Microsoft Threat Intelligence team in a report shared with The Hacker News. “Utilizing cloud-native capabilities, Storm-0501 swiftly exfiltrates substantial data volumes, deletes data and backups within the victim’s environment, and demands ransom—all without conventional malware deployment.” Storm-0501 was initially documented by Microsoft nearly a year ago, focusing on its hybrid cloud ransomware attacks against sectors such as government, manufacturing, transportation, and law enforcement in the U.S.

Microsoft’s Emergency Patch Ineffective Against PrintNightmare RCE Vulnerability

July 8, 2021

Microsoft’s attempt to mitigate the notorious PrintNightmare vulnerability across Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 has proven inadequate. Reports indicate that the fix for the remote code execution exploit within the Windows Print Spooler service can still be circumvented under certain conditions, allowing attackers to execute arbitrary code on compromised systems. The company released an emergency out-of-band update for CVE-2021-34527 (CVSS score: 8.8) after researchers from Hong Kong-based cybersecurity firm Sangfor unintentionally disclosed the flaw late last month. Notably, this vulnerability is distinct from another issue, CVE-2021-1675, which Microsoft addressed on June 8. “Several days ago, two security vulnerabilities were identified in Microsoft Windows’ existing printing mechanism,” explained Yaniv Balmas, head of cyber research at C…

Microsoft’s Emergency Patch Fails to Fully Resolve PrintNightmare RCE Vulnerability On July 8, 2021, Microsoft announced the release of an emergency out-of-band update intended to address the PrintNightmare vulnerability, officially identified as CVE-2021-34527. This flaw pertains to a remote code execution (RCE) exploit within the Windows Print Spooler service, impacting…

Read More

Microsoft’s Emergency Patch Ineffective Against PrintNightmare RCE Vulnerability

July 8, 2021

Microsoft’s attempt to mitigate the notorious PrintNightmare vulnerability across Windows 10 version 1607, Windows Server 2012, and Windows Server 2016 has proven inadequate. Reports indicate that the fix for the remote code execution exploit within the Windows Print Spooler service can still be circumvented under certain conditions, allowing attackers to execute arbitrary code on compromised systems. The company released an emergency out-of-band update for CVE-2021-34527 (CVSS score: 8.8) after researchers from Hong Kong-based cybersecurity firm Sangfor unintentionally disclosed the flaw late last month. Notably, this vulnerability is distinct from another issue, CVE-2021-1675, which Microsoft addressed on June 8. “Several days ago, two security vulnerabilities were identified in Microsoft Windows’ existing printing mechanism,” explained Yaniv Balmas, head of cyber research at C…

How to Address the Microsoft Print Spooler Vulnerability: Understanding PrintNightmare

Published on July 8, 2021

Recently, the PrintNightmare vulnerability in Microsoft’s Print Spooler (CVE-2021-34527) was escalated from ‘Low’ to ‘Critical’ severity. This change follows the release of a Proof of Concept on GitHub, which attackers might exploit to gain access to Domain Controllers. Although Microsoft issued a patch in June 2021, it fell short in preventing further exploits, as the Print Spooler feature remains accessible for remote connections. This article provides crucial insights into the vulnerability and offers guidance on mitigation strategies.

Overview of Print Spooler: The Print Spooler is a Microsoft service responsible for managing and monitoring print jobs. It is one of the oldest components in the Microsoft ecosystem and has seen minimal updates since its inception. By default, this service is enabled on all Microsoft devices, including servers and endpoints.

Understanding the PrintNightmare Vulnerability: Once an attacker achieves limited user access, they can exploit the Print Spooler to escalate privileges…

Understanding the Microsoft Print Spooler Vulnerability – PrintNightmare On July 8, 2021, the PrintNightmare flaw related to Microsoft’s Print Spooler service was escalated from a ‘Low’ to a ‘Critical’ threat level. This significant shift in classification stems from a Proof of Concept (PoC) shared on GitHub, which exposes a pathway…

Read More

How to Address the Microsoft Print Spooler Vulnerability: Understanding PrintNightmare

Published on July 8, 2021

Recently, the PrintNightmare vulnerability in Microsoft’s Print Spooler (CVE-2021-34527) was escalated from ‘Low’ to ‘Critical’ severity. This change follows the release of a Proof of Concept on GitHub, which attackers might exploit to gain access to Domain Controllers. Although Microsoft issued a patch in June 2021, it fell short in preventing further exploits, as the Print Spooler feature remains accessible for remote connections. This article provides crucial insights into the vulnerability and offers guidance on mitigation strategies.

Overview of Print Spooler: The Print Spooler is a Microsoft service responsible for managing and monitoring print jobs. It is one of the oldest components in the Microsoft ecosystem and has seen minimal updates since its inception. By default, this service is enabled on all Microsoft devices, including servers and endpoints.

Understanding the PrintNightmare Vulnerability: Once an attacker achieves limited user access, they can exploit the Print Spooler to escalate privileges…

Critical Windows Update: Address 117 Security Flaws, Including 9 Active Zero-Days

July 14, 2021

Microsoft has released its July Patch Tuesday updates, addressing a total of 117 security vulnerabilities, among which are nine zero-day flaws—four of which are currently being exploited in the wild, potentially allowing attackers to gain control of affected systems. Out of these vulnerabilities, 13 are classified as Critical, 103 as Important, and one as Moderate in severity. Notably, six of these vulnerabilities were publicly known at the time of the update.

The updates affect a wide range of Microsoft products, including Windows, Bing, Dynamics, Exchange Server, Office, the Scripting Engine, Windows DNS, and Visual Studio Code. This month saw a significant increase in the number of vulnerabilities patched, surpassing the totals from May (55) and June (50).

Among the most critical actively exploited vulnerabilities are:

  • CVE-2021-34527 (CVSS Score: 8.8) – Windows Print Spooler Remote Code Execution…

Microsoft Addresses 117 Security Vulnerabilities in July Patch Update, Including Nine Zero-Day Flaws Microsoft has released its July Patch Tuesday updates, addressing a total of 117 security vulnerabilities across a wide range of its products. Among these, there are nine critical zero-day flaws, four of which are reportedly under active…

Read More

Critical Windows Update: Address 117 Security Flaws, Including 9 Active Zero-Days

July 14, 2021

Microsoft has released its July Patch Tuesday updates, addressing a total of 117 security vulnerabilities, among which are nine zero-day flaws—four of which are currently being exploited in the wild, potentially allowing attackers to gain control of affected systems. Out of these vulnerabilities, 13 are classified as Critical, 103 as Important, and one as Moderate in severity. Notably, six of these vulnerabilities were publicly known at the time of the update.

The updates affect a wide range of Microsoft products, including Windows, Bing, Dynamics, Exchange Server, Office, the Scripting Engine, Windows DNS, and Visual Studio Code. This month saw a significant increase in the number of vulnerabilities patched, surpassing the totals from May (55) and June (50).

Among the most critical actively exploited vulnerabilities are:

  • CVE-2021-34527 (CVSS Score: 8.8) – Windows Print Spooler Remote Code Execution…

Microsoft Alerts Users to Unpatched Vulnerability in Windows Print Spooler

On July 16, 2021, Microsoft issued new guidance about a vulnerability in the Windows Print Spooler service, stating that it is working on a fix for an upcoming security update. Identified as CVE-2021-34481 (CVSS score: 7.8), this local privilege escalation flaw can be exploited for unauthorized actions on affected systems. The vulnerability was discovered and reported by security researcher Jacob Baines.

According to Microsoft’s advisory, “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could execute arbitrary code with SYSTEM privileges.” This would allow them to install software, access, modify, or delete data, and create new accounts with full user rights. It is important to note that successful exploitation requires the attacker to have specific conditions met.

Microsoft Issues Warning on Unpatched Print Spooler Vulnerability On July 16, 2021, Microsoft announced the emergence of a new vulnerability impacting the Windows Print Spooler service, raising alarms among cybersecurity circles. The company is currently working on a security update to address this issue, identified as CVE-2021-34481, which carries a…

Read More

Microsoft Alerts Users to Unpatched Vulnerability in Windows Print Spooler

On July 16, 2021, Microsoft issued new guidance about a vulnerability in the Windows Print Spooler service, stating that it is working on a fix for an upcoming security update. Identified as CVE-2021-34481 (CVSS score: 7.8), this local privilege escalation flaw can be exploited for unauthorized actions on affected systems. The vulnerability was discovered and reported by security researcher Jacob Baines.

According to Microsoft’s advisory, “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could execute arbitrary code with SYSTEM privileges.” This would allow them to install software, access, modify, or delete data, and create new accounts with full user rights. It is important to note that successful exploitation requires the attacker to have specific conditions met.

Recent Advances Bring Big Tech Closer to the Q-Day Risk Zone

In 2010, a sophisticated piece of malware dubbed Flame infiltrated Microsoft’s update distribution mechanism, impacting millions of Windows computers globally. It is believed that this malware was developed collaboratively by U.S. and Israeli intelligence agencies to compromise networks associated with the Iranian government. At the crux of this attack was…

Read MoreRecent Advances Bring Big Tech Closer to the Q-Day Risk Zone

Amazon Disrupts APT29’s Watering Hole Campaign Utilizing Microsoft Device Code Authentication

On August 29, 2025, in a significant security intervention, Amazon revealed it had identified and dismantled a watering hole campaign orchestrated by the Russia-linked APT29 group. This campaign exploited compromised websites to direct users towards malicious infrastructure, tricking them into authorizing attacker-controlled devices via Microsoft’s device code authentication process. Amazon’s Chief Information Security Officer, CJ Moses, provided insights into the threat. APT29, also known by aliases such as BlueBravo, Cozy Bear, and Midnight Blizzard, is a state-sponsored hacking group linked to Russia’s Foreign Intelligence Service (SVR). Recently, the group has been associated with attacks employing malicious Remote Desktop Protocol (RDP) configurations to target Ukrainian entities and extract sensitive information. As the year progresses, the adversary’s extensive targeting strategies continue to raise concerns.

Amazon Disrupts APT29 Watering Hole Campaign Exploiting Microsoft Device Code Authentication On August 29, 2025, Amazon disclosed its successful intervention in a watering hole campaign linked to the Russian cyber-espionage group APT29. This operation was characterized as opportunistic, aiming to gather intelligence by misleading users through compromised websites. These malicious…

Read More

Amazon Disrupts APT29’s Watering Hole Campaign Utilizing Microsoft Device Code Authentication

On August 29, 2025, in a significant security intervention, Amazon revealed it had identified and dismantled a watering hole campaign orchestrated by the Russia-linked APT29 group. This campaign exploited compromised websites to direct users towards malicious infrastructure, tricking them into authorizing attacker-controlled devices via Microsoft’s device code authentication process. Amazon’s Chief Information Security Officer, CJ Moses, provided insights into the threat. APT29, also known by aliases such as BlueBravo, Cozy Bear, and Midnight Blizzard, is a state-sponsored hacking group linked to Russia’s Foreign Intelligence Service (SVR). Recently, the group has been associated with attacks employing malicious Remote Desktop Protocol (RDP) configurations to target Ukrainian entities and extract sensitive information. As the year progresses, the adversary’s extensive targeting strategies continue to raise concerns.

Internet Explorer 8 Zero-Day Attack Expands to Nine Additional Websites

May 08, 2013

A recent zero-day attack targeting Internet Explorer 8 on the U.S. Department of Labor’s website has now affected nine more global sites, including those operated by a major European aerospace, defense, and security company, alongside various non-profit organizations and institutions.

The attacks leverage a previously unknown and unpatched vulnerability in Microsoft’s Internet Explorer browser. Researchers have linked this campaign to a China-based hacking group known as “DeepPanda.” Security firm CrowdStrike reports that their investigations indicate the attack commenced in mid-March. Analysis of malicious infrastructure logs revealed visitor IP addresses from 37 different countries, with 71% based in the U.S., 11% in South/Southeast Asia, and 10% in Europe.

Internet Explorer 8 Zero-Day Exploit Expands to Nine Additional Websites May 8, 2013 A zero-day exploit targeting Internet Explorer 8 has spread beyond its initial attack, impacting nine more websites over the weekend. This includes a significant European corporation in the aerospace, defense, and security sectors, along with various non-profit…

Read More

Internet Explorer 8 Zero-Day Attack Expands to Nine Additional Websites

May 08, 2013

A recent zero-day attack targeting Internet Explorer 8 on the U.S. Department of Labor’s website has now affected nine more global sites, including those operated by a major European aerospace, defense, and security company, alongside various non-profit organizations and institutions.

The attacks leverage a previously unknown and unpatched vulnerability in Microsoft’s Internet Explorer browser. Researchers have linked this campaign to a China-based hacking group known as “DeepPanda.” Security firm CrowdStrike reports that their investigations indicate the attack commenced in mid-March. Analysis of malicious infrastructure logs revealed visitor IP addresses from 37 different countries, with 71% based in the U.S., 11% in South/Southeast Asia, and 10% in Europe.

Researcher Reveals Yet Another Unpatched Vulnerability in Windows Printer Spooler

Date: July 19, 2021

Just days after Microsoft raised alarms about an unpatched security flaw in the Windows Print Spooler service, yet another potential zero-day vulnerability has surfaced, marking the fourth printer-related issue identified in recent weeks. Will Dormann from the CERT Coordination Center noted in an advisory on Sunday that “Microsoft Windows allows non-admin users to install printer drivers through Point and Print.” He highlighted that printers installed this way can load arbitrary libraries by the privileged Windows Print Spooler process. Security researcher Benjamin Delpy, known for creating Mimikatz, has disclosed an exploit for this vulnerability. #printnightmare – Episode 4

New Unpatched Vulnerability Found in Windows Print Spooler Service On July 19, 2021, researchers revealed yet another unaddressed security flaw within Microsoft’s Windows Print Spooler service. This recent discovery surfaces only days after Microsoft issued a warning regarding a previously identified vulnerability in the same service, marking the fourth significant…

Read More

Researcher Reveals Yet Another Unpatched Vulnerability in Windows Printer Spooler

Date: July 19, 2021

Just days after Microsoft raised alarms about an unpatched security flaw in the Windows Print Spooler service, yet another potential zero-day vulnerability has surfaced, marking the fourth printer-related issue identified in recent weeks. Will Dormann from the CERT Coordination Center noted in an advisory on Sunday that “Microsoft Windows allows non-admin users to install printer drivers through Point and Print.” He highlighted that printers installed this way can load arbitrary libraries by the privileged Windows Print Spooler process. Security researcher Benjamin Delpy, known for creating Mimikatz, has disclosed an exploit for this vulnerability. #printnightmare – Episode 4