Search This Blog

Showing posts with label Microsoft. Show all posts

Microsoft Announces the Microsoft Supply Chain Platform

 

Software as a Service (SaaS) applications from Microsoft that combine artificial intelligence, collaboration, low-code, security, and supply chain management have been launched as the Microsoft Supply Chain Platform.

Dynamics 365, Microsoft Teams, Power BI, Power Automate, Power Apps, Azure Machine Learning,
Azure Synapse Analytics, Azure IoT, the Microsoft Intelligent Data Platform, Azure Active Directory,
Defender for IoT and Microsoft Security Services for Enterprise are among the Microsoft
applications and platforms in this group.
 
Microsoft's PowerApps low-code development platform is intended to let users create a connected supply chain. It enables supply chain information, supply and demand insights, performance tracking, supplier management, real-time collaboration, and demand management to lessen risk.

Additionally, it addresses order tracking and traceability, pricing management, warehouse
management, and inventory optimization. According to Microsoft, businesses are suffering from an overabundance of petabytes of data that are dispersed among legacy systems, enterprise resource planning (ERP) software, and custom solutions, giving them a fragmented view of their supply chain.

The Microsoft Supply Chain Center preview has also been released by Microsoft. It promises to track global events that may impact a customer's supply chain, coordinate actions across a supply chain, and use AI to lessen supply and demand mismatches. According to Microsoft, this constitutes the foundation of the supply chain platform.

"Although supply chain disruption is not new, its complexity and the rate of change are outpacing organizations' ability to address issues at a global scale. Many solutions today are narrowly focused on supply chain execution and management and are not ready to support this new reality," said Charles Lamanna, corporate vice president, of Microsoft Business Applications and Platform, in a press release.

"Businesses are dealing with petabytes of data spread across legacy systems, ERP, supply chain management and point solutions, resulting in a fragmented view of the supply chain," Lamanna stated. 

"Supply chain agility and resilience are directly tied to how well organizations connect and orchestrate their data across all relevant systems. The Microsoft Supply Chain Platform and Supply Chain Center enable organizations to make the most of their existing investments to gain insights and act quickly." 

Even though it wants to serve as a platform for the entire supply chain, it will continue to collaborate with businesses like Accenture, Avanade, EY, KPMG, PwC, and TCS. Data from standalone supply chain systems, SAP and Oracle ERP systems, Dynamics 365, and other systems will be fed into the Microsoft Supply Chain Center.

Data ingestion for supply chain visibility is made possible via the Supply Chain Center's Data Manager capability. FedEx, FourKites, Overhaul, and C.H. Robinson are some of the partners in the preview launch. The supply and demand insights module, the order management module, the built-in Teams connection, and partner modules within the center are just a few of the prebuilt modules that the Supply Chain Center provides to solve supply chain disruptions.

According to Microsoft, the data remains consistent regardless of the module used because the center runs on a Dataverse common data service environment, eliminating the need to check which reports have the most recent data.

ProxyNotShell Exchange Zero-Day Exploit Fixed by Microsoft


 

There have been updates published by Microsoft to address two severe zero-day vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell. These vulnerabilities have already been exploited and will continue to be exploited.

There is evidence that attackers have been chaining the two security flaws together to deploy Chinese Chopper web shells on compromised servers. As a result, they have been able to persist, steal data, as well as move laterally within the networks of their victims since September this year. 

The software giant confirmed on September 30, "that limited targeted attacks have been launched using these vulnerabilities to gain access to users' systems," stating that "we are aware of limited targeted attacks using these vulnerabilities to enter users' systems." 

"Our team of security experts is monitoring these already deployed detection tools for malicious activity and will take action in order to protect customers in the future. We are working on a timeline that will allow us to release a fix in a short period of time," the company explained. 

It was announced later that the company had released mitigation measures that allowed defenders to block ProxyNotShell attacks that were originating. In spite of this, the guidance had to be updated twice after researchers showed that attackers could still bypass them.

Updates have been issued to administrators 

The security updates that have been released by Microsoft to address these two vulnerabilities are part of Patch Tuesday for November 2022. 

Due to the fact that they are aware of active exploits of these vulnerabilities (limited targeted attacks), their recommendation is that "all users comply with the guidelines and install these updates immediately to be protected from these attacks." 

"Exchange Server is affected by the vulnerabilities addressed in these SUs and Exchange Online customers are already protected from these vulnerabilities. They will not need to take any further action than just updating the Exchange servers within their environment." 

These two security flaws, CVE-2022-41082 and CVE-2022-41040, have been tracked since 2012. They have been found to affect Microsoft Exchange Server 2013, 2016, and 2019. 

Attackers can exploit these vulnerabilities by elevating privileges to execute PowerShell within the context of a system, thereby gaining arbitrary control over the system. 

CVE-2022-41082, an advisory for the vulnerability that Microsoft has released, warns that an attacker could exploit this vulnerability to execute arbitrary commands through server accounts. 

Using the account of the server as a proxy to trigger malicious code, "the attacker will be able to gain access to the account of the server as an authenticated user." 

There are some vulnerabilities identified with ProxyNotShell that can only be exploited remotely by authenticated threat actors. However, these flaws are only exploited when low-complexity attacks do not require user interaction.

Recent Updates in Microsoft Teams Includes Decreased Latency

At its Ignite 2022 conference, Microsoft released a number of new Teams chat and meeting capabilities. The major news is that Microsoft intends to revamp Microsoft Teams to enhance the current channel experience.

When dealing with the Teams desktop client in some crucial situations, Microsoft has considerably decreased latency for Windows and Mac users.

The software is now more than 30% faster when navigating between chat and channel threads, according to Jeff Chen, a Microsoft Principal Group Program Manager for Microsoft Teams.

Chen claimed that the updated Teams framework, which now renders the HTML tree more quickly, runs JavaScript more effectively, and serializes arrays with greater efficiency, is the cause of these significant speed increases.

Microsoft also made improvements to messaging latency and page load speeds in June, including 63% faster message-composing box loads and an 11% improvement in scrolling across chat and channel lists.

In February, the business announced that Teams dramatically reduces the amount of power needed for meetings, utilizing up to 50% less power for energy-intensive scenarios in video meetings with more than 10 participants.

New Updates on Teams

Assign seats in Together mode

During virtual meetings, the Together mode enhances the sense that everyone is present in the same space. Meeting planners and presenters can now assign seats to attendees in Together mode thanks to the most recent innovation.

Shared content will open in a separate window

Users will soon have the option to pop out shared meeting content in a separate window, making it easier to see both shared content and meeting participants.

Live captioning in Teams Premium

With live translated captions for Microsoft Teams, meeting attendees may read captions in their native tongue thanks to AI-powered, real-time translations from 40 spoken languages.

Comprehensive call history

Having access to call recordings and transcriptions from call details along with this comprehensive call history provides the background to be productive and effective.

Adobe PDF expertise (collaboration with Microsoft)

To view and edit PDF files in Microsoft Teams, tenant admins can set Adobe Acrobat as the default application in the Teams admin center.

Since June 2020, Redmond has been striving to reduce the number of resources used by Teams, implementing changes gradually. Since the beginning of the COVID-19 epidemic and the shift to remote working, Microsoft Teams has had a significant influx of new members, surpassing 270 million monthly active users in January 2021.








PowerToys Releases Version 0.64 With File LockSmith and Host File Editor

 

Microsoft has recently released the latest version of the PowerToys toolset, PowerToys 0.64 to the public. The new version will aid Windows users in finding the processes using selected files and unlock the same without the use of a third-party tool. 

PowerToy 0.64 additionally comes with significant enhancements in File Locksmith and Host File Editor. The first program, File Locksmith gives File Explorer a “What’s using the file?” context menu entry. It displays which Windows processes are currently using the file. 

The primary purpose of File LockSmith is to provide users with information that Windows does not provide when activities like delete or move are being executed. In case a file is in use, certain actions may not be performed by the operating system. Windows do not provide certain important information about that to the user, but File LockSmith does so.  

The second program, the Host File tool allows a user to edit the Hosts file in Window11 (or Window10) via an appropriate editor UI, instead of the user having to use Notepad. For example, the Hosts file allows users to block access to certain domains. Having this UI should make it a little less difficult to make changes to it. 

In addition to this, the PowerToy settings now possess a new feature that allows users to export or import the current settings from a file, making it easier to migrate settings across devices as per user requirements. Users now have the option to back up and restore the settings, which is useful in case PowerToy is running on various devices, or simply for backup purposes. 

Moreover, Microsoft has also made enhancements in FancyZones that lets a user set default behaviors for horizontal and vertical screens. The improvements are done, as in some cases monitor IDs tend to get reset, additionally, FancyZones settings do not apply anymore. With the latest enhancements, even if the aforementioned situation occurs, the user layout should at least make some sense based on the orientation of his screen.

Microsoft Reveals 65,000 Companies' Data Breach

 

In response to a security breach that left an endpoint freely available over the internet without any authentication, Microsoft this week acknowledged that it unintentionally exposed data related to customers.

The IT giant was contacted on September 24, 2022, when the cybersecurity intelligence company SOCRadar identified the data leak.

2.4 TB of privileged data, such as names, phone numbers, email addresses, company names, and connected files containing information like proof-of-concept documents, sales data, and product orders, may have been exposed due to a compromised Azure Blob Storage, according to SOCRadar, which claims to have informed Microsoft upon its findings.

Microsoft highlighted that there was no security flaw to blame for the B2B leak, which was "generated by an unintended misconfiguration on an endpoint that is not used across the Microsoft ecosystem." However, Microsoft has contested the scope of the problem, claiming that the information in question included names, email addresses, email content, company names, contact numbers, and attached files pertaining to transactions between such a user and Microsoft or an authorized Microsoft partner.

Organizations can find out if their data were exposed thanks to a website called BlueBleed that SOCRadata set up. "According to our study, the leak, known as BlueBleed Part I, contains crucial data that belongs to more than 65,000 companies from 111 countries. So far, the leaks have exposed 548,000 individuals, 133,000 projects, and more than 335,000 emails," as per the SOCRadar researchers. 

Additionally, Redmond highlighted its dissatisfaction with SOCRadar's choice to make a public search function available, claiming that doing so exposes users to unnecessarily high-security risks.

In a follow-up post published on Thursday, SOCRadar compared the BlueBleed search engine to the 'Have I Been Pwned' data breach notification tool, presenting it as a way for businesses to determine whether their data had been compromised in a cloud data leak.

The research company maintains that it did not violate any privacy policies while conducting its investigation and that none of the data it found were saved on its end. According to SOCRadar's VP of Research and CISO Ensar Eker, "No data was downloaded, Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been given so far. All this crawled data was erased from our servers."

Microsoft has not yet made any specific figures concerning the data breach available to the public.


GitHub: Repositories Selling Fake Microsoft Exchange Exploits

 

Researchers have detected threat actors, impersonating security researchers and selling proof-of-concept ProxyNotShell exploits for the recently discovered Microsoft Exchange zero-day vulnerabilities. 

GTSC, a Vietnamese cybercrime firm confirmed last week their customers were being attacked using two new zero-day vulnerabilities in Microsoft Exchange. 

On being notified about the vulnerability, Microsoft confirmed that the bugs were being Exploited in attacks and that it is working on an accelerated timeline in order to release security updates.  

“Microsoft observed these attacks in fewer than 10 organizations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization," Microsoft states in an analysis.  

Microsoft and GTSC disclosed that the threat actors instigated the campaign to abuse Exchange flaws by creating GitHub repositories for exploits. 

Microsoft has since been tracking the flaws as CVE-2022-41040 and CVE-2022-41082, describing the first as a Server-Side Request Forgery (SSRF) bug. While the second allows scammers to conduct remote code execution (RCE) attacks via PowerShell. 

In one such instance, a threat actor impersonated a renowned security researcher Kevin Beaumont (aka GossTheDog) who is known for documenting the recently discovered Exchange flaws and available mitigation.  

The fraudulent repositories did not include anything necessary, but the README.md confirms what is currently known about the detected vulnerability, followed by a pitch on how they are selling one copy of the PoC exploit for the zero days. 

The README file consists of a link to a SatoshiDisk page, where the threat actor attempts to sell the fake exploit for 0.01825265 Bitcoin, worth $364. 

Since the security researchers are keeping the technical details of the exploit private, it seems only a small number of threat actors are behind the exploit. 

In light of this, more such researchers and threat actors are waiting for the initial publication of the vulnerabilities to the public before using them in their own operations, such as protecting a network of hacking into one. 

Evidently, one can deduce that there are more such threat actors looking forward to taking advantage of this situation. Since Microsoft Exchange Server zero-day vulnerability exploits could be traded for hundreds of thousands of dollars, one must be cautious of handing over any ready money or crypto to anyone suspicious, claiming to have an exploit. 

Performance Hit Experienced By File Copying Due to Windows 11 22H2

 


According to reports, Microsoft began rolling out Windows 11 version 22H2 last month, just a few months after announcing it. The experience has not been completely smooth as one might think. 

"22H2 has a performance problem when copying large files from a remote computer to a Windows 11 computer or when copying files on a local drive," explains Ned Pyle, Principal Program Manager at Windows Server engineering.

There have been several reports of users reporting that the update failed with an error code of "0x800f0806". Interestingly enough, one of our Neowin members was able to figure out a workaround for this problem. There are also the usual suspects, like printer problems as a result of a revised printer policy that leads to printers not being detected after the 2022 Update, which can result in a lot of frustration. 

There was another related issue that caused Microsoft to block the whole update on affected devices due to this problem. Afterward, Microsoft issued a warning to IT admins on the issue, stating that provisioning for Windows 11 22H2 is currently broken, as it discovered the existence of this issue.

Additionally, the Redmond-based firm revisited another problem that was resulting in the massive slow-down in the speed at which large files could be copied remotely on 22H2 systems as a result of a power failure. 

There have been reports that speeds are around 40% lower than expected, according to the company. Although users are experiencing more performance issues than before, the situation seems to be getting increasingly problematic.

Earlier this week, Microsoft released KB5017389 preview cumulative update for Windows operating systems. This update included the fixes for this issue as well as a free trial of the update for those who have not yet downloaded it. The support document provides more information regarding this issue and also offers a free trial of the release.

It might take longer than expected for Windows 11 version 22H2 to copy large files with multiple gigabytes (GB) to complete the task as previously thought.

Despite the newly acknowledged issue, Microsoft added that Windows devices that are used in small or personal networks are less likely to be affected by it than those used for business networks.

A workaround is available for this issue, it has also been reported that Microsoft has shared a workaround for customers who are affected by the known issue after updating their devices to Windows 11 22H2.

There are several ways in which impacted users can mitigate the performance hit of file copying over SMB by using file copy tools that do not use a cache manager (buffered I/O) such as any of the freeware applications available on the Internet.

To resolve this issue, Microsoft is currently investigating and working on a solution to address it. As part of a future release, the issue will be addressed in a more detailed way, and this will be included in a more detailed update. 

It has been more than two years since Microsoft released Windows 11 22H2, and they have now added compatibility holds to make sure the upgrade is no longer available on some systems, due to printer problems or blue screens.

As part of this week's announcement, Microsoft confirmed that the Windows 11 2022 Update is also causing provisioning issues, which is causing Windows 11 endpoints to be partially configured and not complete the installation process. 

After entering a new deployment phase on Tuesday, October 4, Windows 11 22H2 is now available to all seekers on qualifying devices, and it has been installed on some of the devices already.

Zinc APT is Conducting an Attack Against Victims in Critical Sectors


 
During recent months, Microsoft has detected cyberattacks targeted at security researchers by an actor tracked as ZINC, who is also called the author of these attacks. Originally, the campaign was brought to the attention after Microsoft Defender for Endpoints detected an attack that was taking place in the background. 

As a consequence, seven groups have been identified as being targeted, including pen testers, private offensive security researchers, and employees of security and technology companies. Based on the observations made by MSTIC, which is a Microsoft Threat Intelligence Center, we can attribute this campaign with high confidence to ZINC, which is a DPRK-affiliated and state-sponsored group, given its tradecraft, infrastructure, malware patterns, and account affiliations.


Campaigns designed to attack 


Using a high degree of confidence, Microsoft Threat Prevention and Defense has linked these recent attacks to a threat group identified as Zinc. The group is allegedly associated with recent attacks on LinkedIn. In addition, the group is also linked with one of the groups of the Lazarus movement.

• During their experiments, researchers noticed Zinc using a wide variety of open-source software, including KiTTY, TightVNC, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers.

• As far as Microsoft is concerned, there are around five methods for trojanizing open-source applications, including packing with commercial software protection Themida, hijacking DLL Search orders, using custom encryption methods, encoding victim information in parameters associated with common keywords, and using SSH clients.

• A number of these applications are bundled with malicious shellcodes and malicious payloads that belong to the ZetaNile malware family that researchers have been tracking.

Is there anyone who has been affected by the crisis?


There has been a recent rash of attacks caused by Zinc on employees of various companies located in the United Kingdom, the United States, Russia, and India. These companies operate in different industries such as defense, aerospace, IT services, and media.


The tactical approach to the spread of infection 


A LinkedIn security team discovered Zinc impersonating recruiters from defense, technology, and media companies. This was malware that was delivered from LinkedIn to WhatsApp. Despite this, LinkedIn immediately suspended accounts linked to suspicious or fraudulent behavior as per its policies and the accounts spotted in these attacks.

Earlier this month, Mandiant reported about an ongoing campaign related to the weaponized version of PuTTY being used by some hackers; the operation Dream Job campaign was initiated by attackers to extract information about jobs on LinkedIn using job lures.

In essence, throughout its attack campaign, Zinc targets victims all over the world with a wide range of platforms and open-source software, making it one of the most dangerous cyber threats for businesses globally. 

To prevent such abuses, individuals and organizations that use open-source software should therefore ensure that they are vigilant. Whenever possible, it is highly recommended that you leverage a threat intelligence platform to find threats that are tailored to your needs.

Microsoft Accepts Breach of Two Zero Day Vulnerabilties

Exchange Server Vulnerabilities

Microsoft accepted that it knows about the two Exchange Server zero-day vulnerabilities that have been compromised in targeted cyberattacks. GSTC, a cybersecurity agency from Vietnam, reports finding attacks comprising two latest Microsoft Exchange zero-day vulnerabilities. It thinks that the attacks, which first surfaced in August and aimed at crucial infrastructure, were orchestrated by Chinese threat actors. 

Technical details about the vulnerabilities have not been disclosed publicly yet, however, GSTC says that the attacker's exploitation activities following the attack include the installation of backdoors, deployment of Malware, and lateral movement. 

Details about zero-day vulnerabilities

Microsoft was informed about vulnerabilities through the Zero Day Initiative (ZDI), by Trend Micro. Microsoft posted a blog telling its customers that the company is looking into two reported zero-day vulnerabilities. As per Microsoft, one flaw is a server-side request forgery (SSRF) issue, identified as CVE-2022-41040 and the second flaw is an RCE (remote code execution) flaw identified as CVE-2022-41082. The security loopholes seem to affect Exchange Server 2013, 2016, and 2019. 

According to Microsoft, it is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. 

Microsoft fixing the issue

Microsoft is currently working on an accelerated timeline to fix the vulnerabilities. For the time being, it has given detailed guidelines to protect against the vulnerability. It believes that its products should identify post-exploitation malware and any malicious activities related to it. Microsoft Online Exchange users don't have to do anything. 

"Security researcher Kevin Beaumont has named the vulnerabilities ProxyNotShell due to similarities with the old ProxyShell flaw, which has been exploited in the wild for more than a year. In fact, before Microsoft confirmed the zero-days, Beaumont believed it might just be a new and more effective variant of the ProxyShell exploit, rather than an actual new vulnerability," reports Security Week.

Microsoft Alert a Major Click Fraud Scheme Targeting Gamers

Microsoft is keeping tabs on a widespread click fraud scheme that targets gamers and uses covertly installed browser extensions on hacked devices.

The act of exaggerating the number of clicks on pay-per-click advertisements that constitutes a fraudulent click. According to experts, botnets are responsible for approximately a third of the traffic created by advertising on ad networks. To safeguard their image and keep their clients happy, advertising platforms frequently use click fraud prevention techniques, such as the Google search engine. 

In a series of tweets over the weekend, Microsoft Security Intelligence stated that "attackers monetize clicks generated by a web node WebKit or malicious browser extension stealthily installed on devices."

The internet company clarified in a tweet that the initiative targets unaware people who click rogue advertising or comments on YouTube. 

By doing this, a fake game cheats ISO file will be downloaded, and when opened, it will install the threat actors' necessary browser node-webkit (NW.js) or browser extension. Microsoft also mentioned that they saw the actors using Apple Disk Image files, or DMG files, indicating that the campaign is a cross-platform endeavor. 

It's important to note that the ISO file contains hacks and cheats for the first-person shooter game Krunker. Cheats are software tools that provide users of a game with a distinct advantage over other players.

DMG files, which are Apple Disk Image files usually used to distribute software on macOS, are also employed in the attacks in place of ISO images, demonstrating that the threat actors are aiming their attacks at several operating systems.

The discovery is no longer shocking because threat actors frequently use gamers as fine targets in their efforts, especially those who are scrambling to locate free cheats online.

The prevalence of virus spreading through well-known game franchises was demonstrated earlier in September by a report from endpoint security provider and customer IT security software company Kaspersky. The most popular file was distributed via Minecraft, which had 131,005 users infected between July 2021 and June 2022. 



Microsoft Teams: Bugs Use GIFs to Construct Reverse Shells

Malicious hackers can utilize Microsoft Teams to launch innovative phishing attacks and discreetly carry out commands to steal data via GIFs using a new attack method known as "GIFShell."

The new attack pattern demonstrates how hackers can merge various Microsoft Teams flaws and security holes to reap the benefits of reliable Microsoft infrastructure and distribute malicious files, and orders, and perform data exfiltration via GIFs.

This attack chain can be highly destructive, especially in network security environments where Microsoft Teams may be one of a limited set of authorized, trusted hosts and apps, as per Raunch. The GIFShell stager can be persuasively dropped and implemented on the victim's computer by exploiting two additional vulnerabilities found in Microsoft Teams, including a lack of permission enforcement and attachment spoofing.

Bobby Rauch, a cybersecurity expert, and pentester revealed multiple holes in Microsoft Teams that may be chained together for code execution, data theft, cybersecurity bypasses, and phishing attacks. This led Rauch to the discovery of the new attack chain.

This attack's primary tool is referred to as "GIFShell," and it enables an attacker to build a reverse shell that sends malicious commands via base64-encoded GIFs in Teams and exfiltrates the output using GIFs recovered by Microsoft's own servers.

GIFShell Attack

Since the data exfiltration takes place through Microsoft's own systems, security software that interprets the traffic as normal Microsoft Team activity will have a hard time identifying it.

The attacker must first persuade a user to install a malicious stager that runs commands and uploads command outputs via a GIF URL to a Microsoft Teams web hook to construct this reverse shell.

Rauch created a new phishing attack on Microsoft Teams to help with this. As we know, phishing assaults are effective at infecting devices.

The 'stager,' a malicious program that GIFShell uses to mislead users into launching on their devices, continuously scans the Microsoft Teams logs.

Any malware on the system can access these logs because they contain all received messages and are viewable by all Windows user groups.

Hackers would build their own Microsoft Teams tenant after installing the stager and get in touch with other Microsoft Teams users from outside their organization. Attackers can easily accomplish this since Microsoft Teams by default permits external communication.

Rauch's GIFShell Python script enables the hackers to transmit a message to a Microsoft Teams user that comprises a specially created GIF to start the attack. This GIF file was altered to add instructions to run on the target's computer.

The email and the GIF will be saved in Microsoft Team's logs when the victim receives them, which the malware stager watches.

The base64-encoded commands will be extracted by the stager and run on the device when it recognizes a message that contains a GIF. The output of the command will subsequently be converted to base64 text by the GIFShell PoC.

The hacker's open Microsoft Teams webhook is accessed by the stager using this base64 text as the filename for a remote GIF placed in a Microsoft Teams poll card.

To get the GIF, which would be named using the base64-encoded result of the executed command, Microsoft's servers will link back to the hacker's server URL when Microsoft Teams creates flashcards for the user.

This request will be received by the GIFShell server, which is installed on the hacker's server, and will instantly decode the filename so that the hackers can view the results of the command issued to the targeted device.

The Microsoft Teams files folder has also been discovered to be accessed by other software, including malware and commercial monitoring tools like Veriato.

In a report to BleepingComputer, Microsoft purely reaffirmed its claim to Rauch stating, "We evaluated the methods mentioned by this researcher and found that the two stated do not satisfy the requirements for an immediate security fix. To help maintain customer security, we're always exploring for new ways to better combat phishing, and we might do something in a future release to assist prevent this tactic."

Users should ensure ethical computing habits online, including vigilance when clicking on links to websites, opening unexpected files, or allowing file transfers. Users shall remain aware of this type of phishing.

CISA, Microsoft Warn of Rise in Cyber-attacks From Iran

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft witnessed a massive surge of Iranian state-sponsored cyberattacks against IT services firms. In the wake of the findings, the tech giant and the eminent law enforcement body sent out alerts regarding the same. 

In 2020, the cyberattacks from state-sponsored Iranian threat actors on IT services firms were virtually non-existent, however, in 2022 the cybercrimes exceeded to 1,500, said Microsoft. 

"Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks," Microsoft added. 

According to the report, the group was tracked as Phosphorus (aka Charming Kitten or APT35), compromising IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain access. 

Additionally, the organizations believed that an advanced persistent threat (APT) group sponsored by the Iranian government was using known vulnerabilities in both Microsoft Exchange and Fortinet to attack both government and private sector networks. 

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia," reads the report.  

Nation-state operators with nexus to Iran are becoming more advanced and familiar with cyberattacks to generate revenue, they are also engaging in persistent social engineering campaigns and aggressive brute force attacks. 

Researchers from Microsoft Threat Intelligence Center (MSTIC) revealed that “these ransomware deployments were launched in waves every six to eight weeks on average.” 

"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health sector, as well as Australian organizations," CISA said. 

As per the findings, the hackers systematically target prominent IT services firms worldwide including nations like the USA, the UK, United Arab Emirates, India, and so on. Microsoft further added that these attacks are examples of how nation-state actors are increasingly targeting supply chains as an indirect approach to fulfill their real motives.

TikTok Android Vulnerability Identified by Microsoft 

 

In the TikTok Android app, Microsoft has described a high-severity weakness that might have enabled a hacker to take over an account by luring users into clicking on a link.

The bug's current identification is CVE-2022-28799. According to Microsoft, the flaw has not yet been exploited by the public, despite the app having an estimated 1.5 billion downloads on the Play Store. Microsoft advises all TikTok users on Android to upgrade the app to the most recent version while it is being patched.

In fact, Microsoft detected over 70 vulnerable JavaScript methods that, when combined with a bug to take control of WebView, might be exploited to provide the attacker's capability.

Threat actors could execute authenticated HTTP queries or access or modify the private information of TikTok users using the ways that were publicly disclosed.

In essence, attackers who would have been successful in exploiting this vulnerability might have easily:
  • Retrieved the users' authentication tokens by triggering a request to a server under their control and logging the cookie and the request headers.
  • Retrieved or modified the users' TikTok account data, including private videos and profile settings by triggering a request to a TikTok endpoint and retrieving the reply via the JavaScript callback.
"The TikTok Android app was revealed to have a WebView Hijacking vulnerability due to an unvalidated deep link on an invalid argument. Through a JavaScript interface, this may have led to account hijacking, " The HackerOne  explained in an article.

Only about a month after Microsoft first revealed the security flaw, TikTok version 23.7.3 was launched with a patch to address the CVE-2022-28799 tracking number.

Microsoft further said that "Once the targeted TikTok user clicks the hacker's specially constructed malicious link, the attacker's server is granted total access to the JavaScript bridge and can activate any accessible functionality."

The server of the attacker sends back an HTML page with JavaScript code that modifies the user's profile biography and sends video upload tokens back to the attacker.

Attackers with complete access to users' accounts could modify their profile information, send messages, upload movies, and even post private videos.

Tiktok has also fixed further security vulnerabilities that might have let hackers steal customers' personal details or take over their accounts to tamper with footage.

Iran Based MuddyWater Attacks Israel Companies


What is MuddyWater?

A threat actor from Iran named "Muddy Water" (called by Microsoft MERCURY) has been elevating the abuse of Log4j2 vulnerabilities in SysAid applications to attack organizations in Israel. 

Microsoft security researchers released the news advisory and said on Thursday that they analyzed (with high confidence) that MERCURY's observed operations were linked with Iran's Ministry of Intelligence and Security (MOIS). 

On July 23 and 25, 2022, MERCURY was found using exploits against a vulnerable SysAid Server as its initial access vector. According to the observations from earlier campaigns and flaws found in victim environments, the researchers have assessed that the exploits used were most probably related to Log4j.2. 

Microsoft links attack to Iranian Hackers

Microsoft said it assesses with moderate confidence that MERCURY exploited remote code execution vulnerabilities in Apache Log4j 2 (also referred to as “Log4Shell”) in vulnerable SysAid Server instances the targets were running. MERCURY has used Log4j 2 exploits in past campaigns as well. 

MSTIC assesses with high confidence that MERCURY is coordinating its operations in affiliation with Iran’s Ministry of Intelligence and Security (MOIS). According to the US Cyber Command, MuddyWater, a group we track as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and Security.”

As a matter of fact, the novel campaign found by Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team is different from earlier MERCURY variants as it is the only one in which the group exploits SysAid apps as a vector for earlier access. 

How does Mercury work?

Once MERCURY has gained access, it creates persistence, dumps credentials, and travels laterally within the victim organization via custom and popular hacking tools and built-in operating system tools for its hands-on-keyboard attacks. 

Microsoft has also added a list of common techniques and tooling used by MERCURY, these include spearphishing, along with programs like Venom proxy tool, the Ligolo reverse tunneling technique, and home-grown PowerShell programs. 

What next?

Microsoft confirmed that it informed customers that have been hit or targeted, giving them the info required to protect their accounts. Microsoft has also given a list of indicators of compromise (IOCs) linked to MERCURY's activity. 

Microsoft isn't the first company that has linked MERCURY with Iranian state actors. At the beginning of this year, both U.K. and U.S. governments released warnings linking the group with the state's MOIS. 

"We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems," said Microsoft. 

Microsoft Alert: APT29 is Back With its New Tool MagicWeb


Actors responsible for SolarWinds' are back

The attackers behind the Solar Winds supply chain attack APT29 are back and have included a latest weapon to their attack inventory. Known as MagicWeb, a post compromise capability, it is used to keep continuous access to breached environments and moves laterally. 

Experts at Microsoft noticed the Russia-backed Nobelium APT using the backdoor after gaining administrative rights to an Active Directory Federated Services (AD FS) server. 

Use of MagicWeb to get privileged access 

With the help of privileged access, the hackers change a genuine DLL with the malicious MagicWeb DLL, to load the malware with AD FS and make it look legitimate. 

Similar to domain controllers, AD FS servers can verify users. MagicWeb enables this on the behalf of hackers by letting the manipulation of the claims that pass through verification tokens generated by an AD FS server, therefore, they can verify as any user on the system. 

MagicWeb is better than previous versions 

As per Microsoft, MagicWeb is a better version of the earlier used FoggyWeb tool, which also makes a steady foothold inside the target networks. 

Researchers at Microsoft say that MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.

In the report, Microsoft mentioned that the hackers are targeting corporate networks with the latest verification technique MagicWeb. It is highly sophisticated and allows hackers to take control of the victim's network even after the defender tries to eject them. 

Stealing data isn't the only aim

We should also note that the hackers are not depending on supply chain attacks, this time, they are exploiting admin credentials to execute MagicWeb. 

The backdoor secretly adds advanced access capability so that the threat actors can execute different exploits other than stealing data. For example, the threat actor can log in to the device's Active Director as any user. 

A lot of cybersecurity agencies have found sophisticated tools, this includes backdoors used by SolarWinds' hackers, among which MagicWeb is the latest one discovered and identified by Microsoft. 

How to protect yourself?

To stay safe from such attacks Microsoft recommends "practicing credential hygiene is critical for protecting and preventing the exposure of highly privileged administrator accounts. This especially applies on more easily compromised systems like workstations with controls like logon restrictions and preventing lateral movement to these systems with controls like the Windows Firewall."

Microsoft: Phishing Alert Over Russian-Related Threats

As part of the cybercrime gang's illegal surveillance and data theft operations, Microsoft claims to have banned accounts used by the Seaborgium troupe, which has ties to Russia, to spam and exploit login information.

In order to identify employees who work for the victims, the hackers exploited bogus LinkedIn profiles, email, OneDrive, and other Microsoft cloud services accounts.

Microsoft is keeping tabs on the cluster of espionage-related activities under the chemical element-themed moniker SEABORGIUM, which it claims is associated with a hacker organization also known as Callisto, COLDRIVER, and TA446.

Coldriver, alias Seaborgium, was accused of running a hack-and-leak campaign resulting in the publication of documents that were purportedly obtained from high-ranking Brexit supporters, including Richard Dearlove, a former British agent. 

Targets &Tactics

Microsoft reported that it had seen "only very modest changes in their social engineering tactics and in how they deliver the initial malicious URL to their targets."

The main targets are think tanks, higher education institutions, non-governmental and intergovernmental organizations (IGOs), defense and intelligence consulting firms, and to a lesser extent, nations in the Baltics, Nordics, and Eastern Europe.

Former secret services, Russian affairs experts, and Russian nationals living abroad are further subjects of interest. It is estimated that more than 30 businesses and individual accounts were infected.

The process begins with the reconnaissance of potential targets using fictitious personas made on social media sites like LinkedIn, and then contact is established with them through neutral email messages sent from recently registered accounts that have been set up to match the names of the fictitious subjects.

If the target falls prey to the malicious code tactic, hackers launch the attack sequence by sending a weaponized message that contains a PDF document that has been compromised or a link to a file stored on OneDrive. 

According to Microsoft, "SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL.  Since the start of 2022, The actors have included a OneDrive link in the email body that, when clicked, takes the subscriber to a PDF file held within a SEABORGIUM-controlled OneDrive account."

Additionally, it has been discovered that the adversary conceals its operational network using open redirects which appear to be innocent to drive visitors to the malicious server, which then asks them to input their credentials in order to view the material.

The last stage of the attack involves leveraging the victim's email accounts with the stolen login information, exploiting the illegal logins to exfiltrate emails and attachments, setting up email forwarding rules to assure ongoing data gathering, and executing other key work.

Caution

According to Redmond, "SEABORGIUM has been spotted in a number of instances employing their impersonation accounts to encourage dialog with certain people of interest and, as a result, were involved in conversations, sometimes unintentionally, involving several users."

The enterprise security firm Proofpoint noted the group's propensity for reconnaissance and skilled impersonation for the delivery of malicious links. Proofpoint records the actor under the moniker TA446.

As per Microsoft, there are steps that may be taken to counter Seaborgium's strategies. This entails turning off email auto-forwarding and configuring Office 365 email settings to stop fake emails, spam, and emails containing viruses.

The security team also suggests utilizing more secure MFA techniques, such as FIDO tokens or authenticator tools with number matching, in place of telephony-based MFA and demanding multi-factor authentication (MFA) for all users from all locations, even those that are trusted.

Microsoft Launches New External Attack Surface Audit Tool

 

Microsoft has released a new security solution that enables security teams to identify Internet-exposed resources in their organization's environment that attackers may use to access their networks. The emphasis is on unmanaged or unknown assets that have been introduced to the environment as a result of mergers or acquisitions, generated by shadow IT, are absent from inventory owing to insufficient cataloguing, or have been overlooked due to rapid corporate expansion. 

This new tool, dubbed Microsoft Defender External Attack Surface Management, offers users an overview of their organisations' attack surface, making it easier to uncover vulnerabilities and prevent possible attack routes. This tool will develop a database of the organization's full environment, including unmanaged and agentless devices, by continually scanning Internet connections. 

Microsoft Corporate VP for Security Vasu Jakkal said, "The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet – essentially, the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker." 

Microsoft Defender External Attack Surface Management helps security teams to see their environment as an attacker does and uncover exploitable flaws before they do by continually watching connections and hunting for unsecured devices vulnerable to Internet assaults. 

Microsoft also introduced Microsoft Defender Threat Information, a second security solution that will provide threat intelligence to security operations (SecOps) teams in order to uncover attacker infrastructure and accelerate attack investigations and remediation efforts. It will also provide SecOps team members with real-time data from Microsoft's large database of 43 trillion daily security signals, allowing them to actively seek threats in their surroundings. The data is offered as a library of raw threat intelligence containing information on enemies' identities as well as correlations between their tools, strategies, and techniques. 

"This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft's nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender security research teams," Jakkal added. 

"The volume, scale and depth of intelligence is designed to empower Security Operations Centers to understand the specific threats their organization faces and to harden their security posture accordingly." 

According to Microsoft, all of this additional information about threat actors' TTPs and infrastructure will assist customers' security teams in detecting, removing, and blocking hidden adversary tools within their organization's environment.

Spyware Group ‘Knotweed’ Employs Windows and Adobe Bugs to Target Firms Worldwide

 

Microsoft has unearthed an Austrian “cyber mercenary” group employing Windows and Adobe exploits to target organizations with spyware since at least 2021. 

Security analysts at Microsoft’s Threat Intelligence Center and Security Response Center said the organization is a private-sector offensive actor (PSOA) called Decision Supporting Information Research Forensic (DSIRF), but dubbed by Microsoft with the codename Knotweed. 

A cyber-weapons broker has launched multiple attacks on law firms, banks, and strategic consultancies in countries across the globe via spyware — dubbed Subzero — that allows its users to remotely and silently infiltrate a victim’s computer, phone, network infrastructure, and internet-linked devices.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure, and internet-connected devices," Microsoft said in a blog post. 

DSIRF promotes Subzero as a “next generation cyber warfare” tool that can secure full control of a victim’s PC, steal passwords and disclose its real-time location, according to a copy of an internal presentation released by Netzpolitik, a German news website, in 2021. 

The report claims that DSIRF, which reportedly has links to the Russian state, promoted its tool for use during the 2016 U.S. presidential election. The German government was also considering the purchase and use of Subzero to enhance its cyber defense. 

Microsoft said it has issued a software update to mitigate the use of the identified vulnerabilities. The tech giant has also released signatures of the malware to shield Windows users from exploits Knotweed was employing to help deliver its malware. 

More action is needed on a broader level, given that DSIRF will not be the last PSOA to target organizations, as Microsoft researchers explained in a brief sent to Congress on Wednesday. 

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," researchers explained. "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

Windows 11: Account Lockout Policy Set Against Brute Force Attacks

Brute force exploits are injected into ransomware and other sorts of unauthorized access since they typically rely on automated methods to test a massive amount of passwords for one or more user accounts. 

Beginning with Insider Preview version 22528.1000, Windows 11 automatically mitigates such exploits by capping the number of unsuccessful sign-in attempts at 10, for a period of 10 minutes.

"In order to reduce RDP and other brute force password vectors, DEFAULT account lockout policy is now enabled in Win11 builds. The command will make brute forcing more tricky, which is decent. This technique is frequently used in Human Operated Ransomware and other attacks," stated David Weston, vice president of OS and enterprise security at Microsoft.

Setting Lockout Policy

By establishing a threshold of between 1 and 999 failed sign-in attempts that would cause a user account to be locked, IT security professionals already had the option of preventing brute force attacks using the account lockout policy.

The Account lockout threshold policy enables configuring the maximum number of unsuccessful sign-in attempts before a user account is locked. Once locked, an account cannot be used again until the administrator unlocks it or until the time period provided by the Account lockout duration policy setting has passed. 

It suggested restricting the account lockout time to no more than 15 minutes and setting the account lockout threshold to a high enough number to cater to users mistakenly mistyping their passwords.

However, the reset account lockout countdown will eventually run out, giving the user three more opportunities if they wait and try to log in again the following day, effectively making it appear as though there have been no failed logins.

The effectiveness of brute force attacks is considerably reduced by restricting the amount of password entry tries, but Microsoft warns that threat actors could abuse this security feature to perform denial-of-service (DoS) attacks by locking multiple user accounts in an enterprise.


Albania's Government Networks Were Disabled Amid Cyberattack

 

According to a report from the Albanian National Agency for the Information Society, a cyberattack from an anonymous source led the Albanian government to shut down the websites of the prime minister's office and the parliament. 

Most Albanian nationals and tourists from other countries utilize the e-Albania website, which currently acts as a hub for several formerly operational civil state offices. 

According to the Albanian National Agency for the Information Society (AKSHI), "we have been compelled to shut down government systems to survive these unprecedented and dangerous strikes until the enemy attacks are neutralized."

Only a few crucial services, like online tax filing, are still operating since they are provided by servers that were not targeted in the attack, while the majority of desk services for the public were disrupted.

Both the duration of the government systems' downtime and the identity of the cyberattack's perpetrator are unknown. According to Albanian media, the attack was comparable to those targeting critical systems in Ukraine, Belgium, Malta, Netherland, Germany, Lithuania, and Belgium.

While there have been instances of 'independent hacker groups' attacking countries in the past, Oliver Pinson-Roxburgh, CEO of cybersecurity platform Defense.com, said it is unlikely that such a group would be able to operate on this scale.

The report states that due to the early detection, the government's essential systems were able to shut down safely and they are all "backed-up and safe."

It said that to resolve the issue and 'restore normalcy,' Albanian officials were working with Microsoft and Jones Group International experts.