Tag Microsoft

New Vulnerabilities in Windows and Linux Grant Attackers Elevated System Privileges

July 21, 2021

Recent findings have uncovered a local privilege escalation vulnerability in Microsoft’s Windows 10 and the soon-to-be-released Windows 11, enabling users with limited permissions to access critical system files. This loophole, referred to as “SeriousSAM,” allows unauthorized individuals to potentially reveal the operating system installation password and decrypt private keys.

According to a vulnerability note from the CERT Coordination Center (CERT/CC), since Windows 10 build 1809, non-administrative users have had access to the SAM, SYSTEM, and SECURITY registry hive files, which could lead to local privilege escalation (LPE). The affected operating system configuration files include:

  • c:\Windows\System32\config\sam
  • c:\Windows\System32\config\system
  • c:\Windows\System32\config\security

Microsoft, which has assigned the identifier CVE-2021-36934 to this vulnerability, has acknowledged the issue but has not yet released a patch.

New Windows and Linux Vulnerabilities Grant Attackers Elevated System Privileges July 21, 2021 Recent discoveries have unveiled significant local privilege escalation vulnerabilities affecting Microsoft’s Windows 10 and the soon-to-be-released Windows 11. These flaws allow users with limited permissions to gain access to critical system files, creating avenues for attackers to…

Read More

New Vulnerabilities in Windows and Linux Grant Attackers Elevated System Privileges

July 21, 2021

Recent findings have uncovered a local privilege escalation vulnerability in Microsoft’s Windows 10 and the soon-to-be-released Windows 11, enabling users with limited permissions to access critical system files. This loophole, referred to as “SeriousSAM,” allows unauthorized individuals to potentially reveal the operating system installation password and decrypt private keys.

According to a vulnerability note from the CERT Coordination Center (CERT/CC), since Windows 10 build 1809, non-administrative users have had access to the SAM, SYSTEM, and SECURITY registry hive files, which could lead to local privilege escalation (LPE). The affected operating system configuration files include:

  • c:\Windows\System32\config\sam
  • c:\Windows\System32\config\system
  • c:\Windows\System32\config\security

Microsoft, which has assigned the identifier CVE-2021-36934 to this vulnerability, has acknowledged the issue but has not yet released a patch.

Significant Cyber Espionage Campaign Targeting Pakistan Linked to India

May 20, 2013

Cybersecurity researchers have uncovered a series of information-stealing malware attacks aimed at Pakistan that are believed to originate from India. Norman Shark, a leader in malware analysis solutions for enterprises, service providers, and government agencies, has released a report detailing a complex cyber-attack infrastructure traced back to India.

This ongoing campaign, attributed to private threat actors over three years, shows no direct evidence of state involvement. The primary aim of the extensive command-and-control network appears to be intelligence gathering from both national security targets and private sector companies.

Attackers exploited vulnerabilities in Microsoft software, deploying malware known as HangOver onto their targets, the majority of which were located in Pakistan. A total of 511 infections related to this campaign have been identified. HangOver is capable of installing keyloggers and capturing screenshots, among other functionalities.

Significant Cyber Espionage Campaign Targeting Pakistan Linked to India May 20, 2013 Cybersecurity experts have uncovered a sophisticated family of malware designed for information theft, predominantly targeting Pakistan, and traced its origins to India. In a comprehensive report released by Norman Shark, a global leader in malware analysis for enterprises,…

Read More

Significant Cyber Espionage Campaign Targeting Pakistan Linked to India

May 20, 2013

Cybersecurity researchers have uncovered a series of information-stealing malware attacks aimed at Pakistan that are believed to originate from India. Norman Shark, a leader in malware analysis solutions for enterprises, service providers, and government agencies, has released a report detailing a complex cyber-attack infrastructure traced back to India.

This ongoing campaign, attributed to private threat actors over three years, shows no direct evidence of state involvement. The primary aim of the extensive command-and-control network appears to be intelligence gathering from both national security targets and private sector companies.

Attackers exploited vulnerabilities in Microsoft software, deploying malware known as HangOver onto their targets, the majority of which were located in Pakistan. A total of 511 infections related to this campaign have been identified. HangOver is capable of installing keyloggers and capturing screenshots, among other functionalities.

Microsoft Alerts Users to New Unresolved Windows Print Spooler RCE Vulnerability

August 12, 2021

Following the release of its Patch Tuesday updates, Microsoft has revealed yet another remote code execution (RCE) vulnerability in the Windows Print Spooler component. The company is actively working on a fix for this issue, scheduled for an upcoming security update. Identified as CVE-2021-36958 (CVSS score: 7.3), this unaddressed vulnerability adds to the ongoing list of issues collectively referred to as PrintNightmare, which have affected the printing service in recent months. Victor Mata from FusionX, Accenture Security, credited with reporting the flaw, noted that the issue was disclosed to Microsoft back in December 2020. “A remote code execution vulnerability occurs when the Windows Print Spooler service improperly handles privileged file operations,” the company stated in its out-of-band bulletin, while reiterating the details of CVE-2021-34481. “An attacker who successfully exploits this vulnerability could execute arbitrary code with system-level privileges…

Microsoft Issues Warning Over New Unpatched Windows Print Spooler RCE Vulnerability On August 12, 2021, Microsoft publicly acknowledged a newly discovered remote code execution (RCE) vulnerability affecting the Windows Print Spooler service. This announcement came just a day after the company’s Patch Tuesday updates, which typically address various security flaws…

Read More

Microsoft Alerts Users to New Unresolved Windows Print Spooler RCE Vulnerability

August 12, 2021

Following the release of its Patch Tuesday updates, Microsoft has revealed yet another remote code execution (RCE) vulnerability in the Windows Print Spooler component. The company is actively working on a fix for this issue, scheduled for an upcoming security update. Identified as CVE-2021-36958 (CVSS score: 7.3), this unaddressed vulnerability adds to the ongoing list of issues collectively referred to as PrintNightmare, which have affected the printing service in recent months. Victor Mata from FusionX, Accenture Security, credited with reporting the flaw, noted that the issue was disclosed to Microsoft back in December 2020. “A remote code execution vulnerability occurs when the Windows Print Spooler service improperly handles privileged file operations,” the company stated in its out-of-band bulletin, while reiterating the details of CVE-2021-34481. “An attacker who successfully exploits this vulnerability could execute arbitrary code with system-level privileges…

Google Researcher Uncovers Internet Explorer Vulnerability Now Exploited in Targeted Attacks

July 11, 2013

Tensions are rising between Google and Microsoft once again. Recently, Microsoft announced that hackers have been actively taking advantage of a vulnerability disclosed by Google researcher Tavis Ormandy. This flaw, affecting Windows 7 and 8, allows local users to gain escalated privileges, facilitating system compromise.

Microsoft has addressed the vulnerability in its July “Patch Tuesday” updates. However, Ormandy has faced criticism from Microsoft and parts of the security community for publicly revealing the flaw before it was patched—an approach some believe undermines the opportunity for the software developer to respond. Ormandy, in turn, expressed frustrations with Microsoft’s hostile treatment of vulnerability researchers, suggesting that they are often difficult to collaborate with. He advised fellow researchers to consider using pseudonyms when interacting with major tech companies.

Targeted Exploitation of Internet Explorer Vulnerability by Google Researcher On July 11, 2013, a significant vulnerability within Internet Explorer was brought to light by Google researcher Tavis Ormandy, prompting a rapid response from Microsoft. Reports indicate that this specific flaw is being actively exploited by cybercriminals in targeted attacks against…

Read More

Google Researcher Uncovers Internet Explorer Vulnerability Now Exploited in Targeted Attacks

July 11, 2013

Tensions are rising between Google and Microsoft once again. Recently, Microsoft announced that hackers have been actively taking advantage of a vulnerability disclosed by Google researcher Tavis Ormandy. This flaw, affecting Windows 7 and 8, allows local users to gain escalated privileges, facilitating system compromise.

Microsoft has addressed the vulnerability in its July “Patch Tuesday” updates. However, Ormandy has faced criticism from Microsoft and parts of the security community for publicly revealing the flaw before it was patched—an approach some believe undermines the opportunity for the software developer to respond. Ormandy, in turn, expressed frustrations with Microsoft’s hostile treatment of vulnerability researchers, suggesting that they are often difficult to collaborate with. He advised fellow researchers to consider using pseudonyms when interacting with major tech companies.

Critical BadAlloc Vulnerability Impacts BlackBerry QNX in Millions of Vehicles and Medical Devices

August 18, 2021

A significant security flaw in older versions of BlackBerry’s QNX Real-Time Operating System (RTOS) poses a risk of enabling malicious actors to take control of various devices, including cars and medical equipment. This issue, identified as CVE-2021-22156 with a CVSS score of 9.0, is part of a larger series of vulnerabilities dubbed BadAlloc that was first revealed by Microsoft in April 2021. The flaw could potentially serve as a backdoor for attackers, allowing them to disrupt operations or commandeer devices. According to a bulletin from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.” As of now, there are no indications that this vulnerability has been actively exploited. BlackBerry QNX technology serves over 195 million vehicles and embedded systems globally.

Critical Vulnerability in BlackBerry QNX Poses Risk to Millions of Devices August 18, 2021 A significant security vulnerability has been identified in older versions of BlackBerry’s QNX Real-Time Operating System (RTOS), which underpins a vast array of products, including automotive systems, medical equipment, and industrial machinery. This flaw, officially designated…

Read More

Critical BadAlloc Vulnerability Impacts BlackBerry QNX in Millions of Vehicles and Medical Devices

August 18, 2021

A significant security flaw in older versions of BlackBerry’s QNX Real-Time Operating System (RTOS) poses a risk of enabling malicious actors to take control of various devices, including cars and medical equipment. This issue, identified as CVE-2021-22156 with a CVSS score of 9.0, is part of a larger series of vulnerabilities dubbed BadAlloc that was first revealed by Microsoft in April 2021. The flaw could potentially serve as a backdoor for attackers, allowing them to disrupt operations or commandeer devices. According to a bulletin from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices.” As of now, there are no indications that this vulnerability has been actively exploited. BlackBerry QNX technology serves over 195 million vehicles and embedded systems globally.

New Microsoft Exchange ‘ProxyToken’ Vulnerability Allows Attackers to Alter Mailbox Configurations

Details have surfaced regarding a recently patched security flaw in Microsoft Exchange Server that could be exploited by unauthenticated attackers to change server settings, potentially exposing Personally Identifiable Information (PII). The vulnerability, identified as CVE-2021-33766 (CVSS score: 7.3) and referred to as “ProxyToken,” was found by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021. According to the ZDI, “With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users.” For instance, the attacker could redirect all emails sent to a targeted account to a mailbox they control. Microsoft addressed this issue in its Patch Tuesday updates for July 2021.

New Vulnerability in Microsoft Exchange Server Exposes Mailbox Configurations August 31, 2021 A critical security flaw, now patched, has been identified in Microsoft Exchange Server, raising significant concerns for businesses relying on this platform for email communication. This vulnerability allows unauthenticated attackers to alter server configurations, potentially leading to the…

Read More

New Microsoft Exchange ‘ProxyToken’ Vulnerability Allows Attackers to Alter Mailbox Configurations

Details have surfaced regarding a recently patched security flaw in Microsoft Exchange Server that could be exploited by unauthenticated attackers to change server settings, potentially exposing Personally Identifiable Information (PII). The vulnerability, identified as CVE-2021-33766 (CVSS score: 7.3) and referred to as “ProxyToken,” was found by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021. According to the ZDI, “With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users.” For instance, the attacker could redirect all emails sent to a targeted account to a mailbox they control. Microsoft addressed this issue in its Patch Tuesday updates for July 2021.

Zero-Day Exploit in Internet Explorer Used for Targeted Watering Hole Attacks on Japanese Users

Sep 24, 2013

Attackers are leveraging a zero-day vulnerability, CVE-2013-3893, in Microsoft’s Internet Explorer browser to target Japanese users through compromised popular news websites. According to FireEye, at least three major Japanese media outlets fell victim to these watering hole attacks, part of an operation dubbed “DeputyDog,” which appears to focus on manufacturers, government entities, and media organizations within Japan. The compromised sites experienced over 75,000 page views before the exploits were detected. This vulnerability in Internet Explorer versions 8 and 9 enables the covert installation of malware on users’ devices, granting hackers remote access. Typically, these attackers deploy Trojans tailored for targeted operations aimed at stealing intellectual property. Researchers identified a payload disguised as an image file hosted on a Hong Kong server that was used against a Japanese target. The attacks were uncovered just two days after Microsoft disclosed the vulnerability.

Zero-Day Exploit Targets Japanese Users via Watering Hole Attacks In a significant cybersecurity incident reported on September 24, 2013, a zero-day vulnerability identified as CVE-2013-3893 in Microsoft’s Internet Explorer browser has been exploited through a series of watering hole attacks intended to compromise Japanese users. Attackers have reportedly targeted at…

Read More

Zero-Day Exploit in Internet Explorer Used for Targeted Watering Hole Attacks on Japanese Users

Sep 24, 2013

Attackers are leveraging a zero-day vulnerability, CVE-2013-3893, in Microsoft’s Internet Explorer browser to target Japanese users through compromised popular news websites. According to FireEye, at least three major Japanese media outlets fell victim to these watering hole attacks, part of an operation dubbed “DeputyDog,” which appears to focus on manufacturers, government entities, and media organizations within Japan. The compromised sites experienced over 75,000 page views before the exploits were detected. This vulnerability in Internet Explorer versions 8 and 9 enables the covert installation of malware on users’ devices, granting hackers remote access. Typically, these attackers deploy Trojans tailored for targeted operations aimed at stealing intellectual property. Researchers identified a payload disguised as an image file hosted on a Hong Kong server that was used against a Japanese target. The attacks were uncovered just two days after Microsoft disclosed the vulnerability.

Microsoft Alerts Users to Cross-Account Takeover Vulnerability in Azure Container Instances

On September 10, 2021, Microsoft announced that it had fixed a security flaw in its Azure Container Instances (ACI) service that could be exploited by malicious actors to gain unauthorized access to information from other customers. Researchers referred to this vulnerability as the “first cross-account container takeover in the public cloud.” An attacker could use this weakness to execute harmful commands on other users’ containers, potentially stealing customer secrets and deployed images. Microsoft did not provide further details about the flaw but advised affected customers to “revoke any privileged credentials that were deployed to the platform before August 31, 2021.” Azure Container Instances enables users to run Docker containers directly in a serverless cloud environment without the need for virtual machines, clusters, or orchestration tools. Palo Alto Networks’ Unit 42 threat intelligence team identified the vulnerability…

Microsoft Identifies Vulnerability in Azure Container Instances Leading to Potential Cross-Account Breach On September 8, 2021, Microsoft announced the mitigation of a critical vulnerability in its Azure Container Instances (ACI) service that posed a significant threat to the security of multiple customers. This flaw, noted by researchers as the “first…

Read More

Microsoft Alerts Users to Cross-Account Takeover Vulnerability in Azure Container Instances

On September 10, 2021, Microsoft announced that it had fixed a security flaw in its Azure Container Instances (ACI) service that could be exploited by malicious actors to gain unauthorized access to information from other customers. Researchers referred to this vulnerability as the “first cross-account container takeover in the public cloud.” An attacker could use this weakness to execute harmful commands on other users’ containers, potentially stealing customer secrets and deployed images. Microsoft did not provide further details about the flaw but advised affected customers to “revoke any privileged credentials that were deployed to the platform before August 31, 2021.” Azure Container Instances enables users to run Docker containers directly in a serverless cloud environment without the need for virtual machines, clusters, or orchestration tools. Palo Alto Networks’ Unit 42 threat intelligence team identified the vulnerability…