Tag Microsoft

Microsoft Thwarts Cyber Attack by Chinese State Actor Targeting Western European Governments

On July 12, 2023, Microsoft announced that it successfully defended against a cyber attack launched by a Chinese nation-state actor, aimed at over two dozen organizations, including various government agencies. This espionage campaign, which began on May 15, 2023, sought to obtain sensitive data by gaining access to email accounts linked to approximately 25 entities and a limited number of consumer accounts. The tech giant identified the perpetrator as Storm-0558, a state-sponsored group targeting Western European government bodies. Microsoft stated, “Their focus includes espionage, data theft, and credential access,” and noted the use of custom malware referred to as Cigril and Bling for credential harvesting. The breach was detected on June 16, 2023, after a customer reported unusual email activity to the company.

Microsoft Averts Chinese Cyber Espionage Targeting Western European Governments On July 11, 2023, Microsoft disclosed its successful defense against a sophisticated cyber attack orchestrated by a Chinese state-sponsored group. This operation targeted approximately two dozen organizations, including several governmental entities across Western Europe, in an effort to extract confidential information.…

Read More

Microsoft Thwarts Cyber Attack by Chinese State Actor Targeting Western European Governments

On July 12, 2023, Microsoft announced that it successfully defended against a cyber attack launched by a Chinese nation-state actor, aimed at over two dozen organizations, including various government agencies. This espionage campaign, which began on May 15, 2023, sought to obtain sensitive data by gaining access to email accounts linked to approximately 25 entities and a limited number of consumer accounts. The tech giant identified the perpetrator as Storm-0558, a state-sponsored group targeting Western European government bodies. Microsoft stated, “Their focus includes espionage, data theft, and credential access,” and noted the use of custom malware referred to as Cigril and Bling for credential harvesting. The breach was detected on June 16, 2023, after a customer reported unusual email activity to the company.

⚡ Weekly Highlights: Zero-Day Vulnerabilities, Insider Risks, APT Activity, Botnet Threats, and More

May 19, 2025
Threat Intelligence / Cybersecurity

Cybersecurity experts are not only combating attacks—they’re also safeguarding trust, ensuring system functionality, and upholding their organization’s reputation. This week’s events underscore a significant concern: as we deepen our reliance on digital tools, unseen vulnerabilities can silently intensify. Addressing issues isn’t sufficient anymore; resilience must be integrated from the ground up. This requires improved systems, fortified teams, and enhanced visibility across the organization. What we’re witnessing is not merely risk; it’s a clear indication that prompt action and informed decision-making are crucial, often more than striving for perfection. Here’s what emerged this week, along with key issues security teams need to prioritize.

Threat of the Week
Microsoft Addresses 5 Actively Exploited Zero-Day Flaws — In its May 2025 Patch Tuesday update, Microsoft remedied a total of 78 security vulnerabilities, five of which are currently being exploited in the wild. Noteworthy vulnerabilities include CVE-2025-30397, CVE-2025-…

Weekly Cybersecurity Recap: Zero-Day Exploits, Insider Threats, and Emerging Cyber Risks Date: May 19, 2025 In the ever-evolving landscape of cybersecurity, professionals face a dual challenge: defending against aggressive attacks while safeguarding trust, ensuring operational continuity, and preserving their organization’s reputation. Recent events have underscored a critical issue stemming from…

Read More

⚡ Weekly Highlights: Zero-Day Vulnerabilities, Insider Risks, APT Activity, Botnet Threats, and More

May 19, 2025
Threat Intelligence / Cybersecurity

Cybersecurity experts are not only combating attacks—they’re also safeguarding trust, ensuring system functionality, and upholding their organization’s reputation. This week’s events underscore a significant concern: as we deepen our reliance on digital tools, unseen vulnerabilities can silently intensify. Addressing issues isn’t sufficient anymore; resilience must be integrated from the ground up. This requires improved systems, fortified teams, and enhanced visibility across the organization. What we’re witnessing is not merely risk; it’s a clear indication that prompt action and informed decision-making are crucial, often more than striving for perfection. Here’s what emerged this week, along with key issues security teams need to prioritize.

Threat of the Week
Microsoft Addresses 5 Actively Exploited Zero-Day Flaws — In its May 2025 Patch Tuesday update, Microsoft remedied a total of 78 security vulnerabilities, five of which are currently being exploited in the wild. Noteworthy vulnerabilities include CVE-2025-30397, CVE-2025-…

Microsoft Alerts U.S. Healthcare Sector About New INC Ransomware Threat

September 19, 2024
Healthcare / Malware

Microsoft has reported that a financially motivated threat actor is utilizing a ransomware strain known as INC for the first time to specifically target the U.S. healthcare sector. The company’s threat intelligence team, tracking this activity under the name Vanilla Tempest (formerly DEV-0832), noted, “Vanilla Tempest is connected to GootLoader infections orchestrated by the threat actor Storm-0494, and employs tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) software, and MEGA for data synchronization.” Following this, attackers execute lateral movements using Remote Desktop Protocol (RDP) and deploy the INC ransomware payload via Windows Management Instrumentation (WMI) Provider Host. Microsoft revealed that Vanilla Tempest has been operational since at least July 2022, with previous targets including the education, healthcare, IT, and manufacturing sectors.

Microsoft Alerts Healthcare Sector to Emerging INC Ransomware Threat On September 19, 2024, Microsoft issued a warning regarding a new ransomware variant named INC, which has been identified as a potential threat to the U.S. healthcare sector. This alarming development comes in the wake of the company’s threat intelligence team,…

Read More

Microsoft Alerts U.S. Healthcare Sector About New INC Ransomware Threat

September 19, 2024
Healthcare / Malware

Microsoft has reported that a financially motivated threat actor is utilizing a ransomware strain known as INC for the first time to specifically target the U.S. healthcare sector. The company’s threat intelligence team, tracking this activity under the name Vanilla Tempest (formerly DEV-0832), noted, “Vanilla Tempest is connected to GootLoader infections orchestrated by the threat actor Storm-0494, and employs tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) software, and MEGA for data synchronization.” Following this, attackers execute lateral movements using Remote Desktop Protocol (RDP) and deploy the INC ransomware payload via Windows Management Instrumentation (WMI) Provider Host. Microsoft revealed that Vanilla Tempest has been operational since at least July 2022, with previous targets including the education, healthcare, IT, and manufacturing sectors.

Microsoft Flags Storm-0501 as a Significant Threat in Hybrid Cloud Ransomware Operations

September 27, 2024
Ransomware / Cloud Security

Microsoft has identified the cyber group Storm-0501 as a noteworthy threat, targeting key sectors such as government, manufacturing, transportation, and law enforcement in the United States. Their sophisticated, multi-stage attack strategy is designed to infiltrate hybrid cloud environments, allowing attackers to move laterally from on-premises systems to the cloud. This approach leads to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. According to Microsoft’s threat intelligence team, Storm-0501 operates as a financially driven cybercriminal organization, utilizing both commodity and open-source tools for their ransomware activities. Active since 2021, they initially focused on educational institutions with the Sabbath ransomware before transitioning to a ransomware-as-a-service (RaaS) model, distributing various ransomware variants including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.

Microsoft Flags Storm-0501 as Significant Threat in Hybrid Cloud Ransomware Incidents On September 27, 2024, Microsoft announced a notable increase in ransomware attacks orchestrated by the threat actor known as Storm-0501, which has predominantly targeted integral sectors such as government, manufacturing, transportation, and law enforcement across the United States. This…

Read More

Microsoft Flags Storm-0501 as a Significant Threat in Hybrid Cloud Ransomware Operations

September 27, 2024
Ransomware / Cloud Security

Microsoft has identified the cyber group Storm-0501 as a noteworthy threat, targeting key sectors such as government, manufacturing, transportation, and law enforcement in the United States. Their sophisticated, multi-stage attack strategy is designed to infiltrate hybrid cloud environments, allowing attackers to move laterally from on-premises systems to the cloud. This approach leads to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. According to Microsoft’s threat intelligence team, Storm-0501 operates as a financially driven cybercriminal organization, utilizing both commodity and open-source tools for their ransomware activities. Active since 2021, they initially focused on educational institutions with the Sabbath ransomware before transitioning to a ransomware-as-a-service (RaaS) model, distributing various ransomware variants including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.

Microsoft Alerts to Rising Use of File Hosting Services in Business Email Compromise Schemes

Microsoft has issued a warning about cyberattack strategies that exploit legitimate file hosting platforms like SharePoint, OneDrive, and Dropbox, commonly utilized in corporate environments as a tactic to evade defenses. These campaigns have diverse objectives, enabling threat actors to compromise identities and devices, facilitating business email compromise (BEC) incidents that lead to financial fraud, data theft, and further infiltration into networks.

The abuse of trusted internet services (LIS) is an increasingly prevalent risk factor, allowing adversaries to blend in with normal network activity, often circumventing traditional security measures and complicating threat attribution. This tactic, known as living-off-trusted-sites (LOTS), takes advantage of the inherent trust in these platforms to bypass email security protocols and deliver malware. Microsoft has noted a concerning trend in phishing attacks exploiting this strategy.

Microsoft Alerts on Increasing Use of File Hosting Services in Business Email Compromise Attacks October 9, 2024 Microsoft has issued a warning regarding a rise in cyber attack campaigns that exploit established file hosting services such as SharePoint, OneDrive, and Dropbox. These platforms, frequently utilized in corporate settings, are being…

Read More

Microsoft Alerts to Rising Use of File Hosting Services in Business Email Compromise Schemes

Microsoft has issued a warning about cyberattack strategies that exploit legitimate file hosting platforms like SharePoint, OneDrive, and Dropbox, commonly utilized in corporate environments as a tactic to evade defenses. These campaigns have diverse objectives, enabling threat actors to compromise identities and devices, facilitating business email compromise (BEC) incidents that lead to financial fraud, data theft, and further infiltration into networks.

The abuse of trusted internet services (LIS) is an increasingly prevalent risk factor, allowing adversaries to blend in with normal network activity, often circumventing traditional security measures and complicating threat attribution. This tactic, known as living-off-trusted-sites (LOTS), takes advantage of the inherent trust in these platforms to bypass email security protocols and deliver malware. Microsoft has noted a concerning trend in phishing attacks exploiting this strategy.

Hackers Compromise Canadian Government Using Microsoft Vulnerability

Government, Industry Specific Microsoft Issues Urgent Warning After SharePoint Vulnerability Breach Targeting State Actors Chris Riotta (@chrisriotta) • August 14, 2025 The Ottawa Parliament Building. (Image: Shutterstock) A significant security breach has occurred within Canada’s House of Commons, where hackers accessed a sensitive database containing confidential office locations and personal…

Read MoreHackers Compromise Canadian Government Using Microsoft Vulnerability

Russian Hackers Target Norwegian Dam

Cybercrime, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime Also: Spain Resists Pressure to Oust Huawei, North Korean Kimsuky Data Leaked Anviksha More (AnvikshaMore) • August 14, 2025 Image: Shutterstock/ISMG The Information Security Media Group (ISMG) regularly compiles significant cybersecurity incidents from around the globe. This week, a reported incident…

Read MoreRussian Hackers Target Norwegian Dam

Over 1,000 SOHO Devices Compromised in China-Linked LapDogs Cyber Espionage Operation

Jun 27, 2025
Threat Hunting / Vulnerability

Cybersecurity experts have uncovered a network of over 1,000 compromised small office/home office (SOHO) devices actively supporting an extensive cyber espionage campaign linked to China-based hacking groups. This operation, dubbed LapDogs by SecurityScorecard’s STRIKE team, reveals that victims are primarily located in the United States and Southeast Asia, with the network steadily expanding. Infections are also reported in Japan, South Korea, Hong Kong, and Taiwan, affecting sectors such as IT, networking, real estate, and media. The compromised devices include those from manufacturers like Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology. At the core of the LapDogs operation is a custom backdoor known as ShortLeash, specifically designed to facilitate these attacks.

Over 1,000 SOHO Devices Compromised in Cyber Espionage Campaign Linked to China On June 27, 2025, cybersecurity experts reported the discovery of a significant network of more than 1,000 small office and home office (SOHO) devices that have been compromised for cyber espionage activities attributed to hacking groups with links…

Read More

Over 1,000 SOHO Devices Compromised in China-Linked LapDogs Cyber Espionage Operation

Jun 27, 2025
Threat Hunting / Vulnerability

Cybersecurity experts have uncovered a network of over 1,000 compromised small office/home office (SOHO) devices actively supporting an extensive cyber espionage campaign linked to China-based hacking groups. This operation, dubbed LapDogs by SecurityScorecard’s STRIKE team, reveals that victims are primarily located in the United States and Southeast Asia, with the network steadily expanding. Infections are also reported in Japan, South Korea, Hong Kong, and Taiwan, affecting sectors such as IT, networking, real estate, and media. The compromised devices include those from manufacturers like Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology. At the core of the LapDogs operation is a custom backdoor known as ShortLeash, specifically designed to facilitate these attacks.

Microsoft Aids CBI in Busting Illegal Indian Call Centers Linked to Japanese Tech Support Scam

The Central Bureau of Investigation (CBI) in India has apprehended six suspects and shut down two unlawful call centers engaged in a sophisticated transnational tech support scam targeting Japanese citizens. The operations, part of “Operation Chakra V,” took place on May 28, 2025, across 19 locations in Delhi, Haryana, and Uttar Pradesh, focusing on combating cyber-enabled financial crimes. According to the CBI, the criminal networks defrauded foreign nationals, primarily Japanese citizens, by posing as technical support agents for various multinational companies, including Microsoft. The agency noted that the call centers were designed to look like legitimate customer service operations, misleading victims into believing their electronic devices had been compromised, which led them to transfer funds under duress.

Microsoft Collaborates with CBI to Disrupt Japanese Tech Support Scam Operated from India June 6, 2025 In a significant crackdown on cybercrime, India’s Central Bureau of Investigation (CBI) has arrested six suspects and shuttered two illicit call centers engaged in a sophisticated tech support scam targeting Japanese citizens. This operation,…

Read More

Microsoft Aids CBI in Busting Illegal Indian Call Centers Linked to Japanese Tech Support Scam

The Central Bureau of Investigation (CBI) in India has apprehended six suspects and shut down two unlawful call centers engaged in a sophisticated transnational tech support scam targeting Japanese citizens. The operations, part of “Operation Chakra V,” took place on May 28, 2025, across 19 locations in Delhi, Haryana, and Uttar Pradesh, focusing on combating cyber-enabled financial crimes. According to the CBI, the criminal networks defrauded foreign nationals, primarily Japanese citizens, by posing as technical support agents for various multinational companies, including Microsoft. The agency noted that the call centers were designed to look like legitimate customer service operations, misleading victims into believing their electronic devices had been compromised, which led them to transfer funds under duress.