Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft. Show all posts
Ransomware
Black Basta Cyber Attacks GoodSync Microsoft Ransomware

Hackers Tricking Employees with Fake IT Calls and Email Floods in New Ransomware Scam

 


A growing number of cyberattacks are being carried out by a group linked to the 3AM ransomware. These attackers are using a combination of spam emails and fake phone calls pretending to be a company’s tech support team. Their goal is to fool employees into giving them access to internal systems.

This method, which has been seen in past cyber incidents involving other groups like Black Basta and FIN7, is becoming more widespread due to how effective it is. Cybersecurity company Sophos has confirmed at least 55 attacks using this approach between November 2024 and January 2025. These incidents appear to come from two different hacker groups following similar tactics.

In one recent case during early 2025, the attackers targeted a company using a slightly different method than before. Instead of pretending to be tech support over Microsoft Teams, they called an employee using a fake caller ID that showed the company’s actual IT department number. The call took place while the employee’s inbox was being flooded with dozens of spam emails in just minutes — a technique known as email bombing.

During the call, the attacker claimed the employee's device had security issues and asked them to open Microsoft’s Quick Assist tool. This is a real remote help feature that allows another person to take control of the screen. Trusting the caller, the employee followed instructions and unknowingly handed over access to the attacker.

Once inside, the hacker downloaded a dangerous file disguised as a support tool. Inside the file were harmful components including a backdoor, a virtual machine emulator (QEMU), and an old Windows system image. These tools allowed the attacker to hide their presence and avoid detection by using virtual machines to move through the network.

The hacker then used tools like PowerShell and WMIC to explore the system, created a new admin account, installed a remote support tool called XEOXRemote, and gained control of a domain-level account. Although Sophos security software stopped the ransomware from spreading and blocked attempts to shut down protections, the hacker managed to steal 868 GB of company data. This data was sent to cloud storage using a syncing tool called GoodSync.

The full attack lasted around nine days. The majority of the data theft happened in the first three days before the attackers were cut off from further access.

To protect against such attacks, Sophos suggests reviewing admin accounts for weaknesses, using security tools that can spot unusual uses of trusted programs, and setting strict rules for running scripts. Most importantly, companies should train employees to recognize signs of fake support calls and suspicious emails, as these scams depend on fooling people — not just machines.

The 3AM ransomware group is relatively new, first spotted in late 2023, but appears to have links with well-known cybercrime networks like Conti and Royal.


Read more »
Microsoft
cyberattacks trending news cybercrime news FBI malware Microsoft

U.S. Shuts Down LummaC2 Malware Network in Major Takedown

 

In a major crackdown on cybercrime, the U.S. Department of Justice (DOJ), in coordination with the FBI and Microsoft, has dismantled a global malware operation known as LummaC2 by seizing five internet domains used to deploy the infostealer malware. LummaC2, notorious for stealing personal and financial data such as browser history, login credentials, and cryptocurrency wallet information, had compromised at least 1.7 million systems worldwide. 

The takedown occurred over three days in May 2025, with two domains seized on May 19, followed by the rapid seizure of three additional domains after the malware operators attempted to restore access. These domains acted as user panels for cybercriminals leasing or buying access to the malware, allowing them to deploy it across networks and extract stolen data. 

FBI Assistant Director Bryan Vorndran said, “We took action against the most popular infostealer service available in online criminal markets. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels.” 

DOJ Criminal Division head Matthew R. Galeotti added, “This type of malware is used to steal personal data from millions, facilitating crimes such as fraudulent bank transfers and cryptocurrency theft.” In a parallel move, Microsoft launched a civil legal action to take down 2,300 more domains believed to be linked to LummaC2 actors or their proxies. 

Emphasising the value of collaboration, Sue J. Bai, chief of the DOJ’s National Security Division, said, “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country.” 

The operation, led by the FBI’s Dallas Field Office and supported by several DOJ divisions, forms part of a broader U.S. strategy to counter cyber threats, including a State Department programme offering up to $10 million for information on individuals targeting U.S. critical infrastructure.
Read more »
takedown
CloudFlare Cybersecurity DOJ Europol FBI Infostealer Lumma malware Microsoft takedown

Global Operation Dismantles Lumma Malware Network, Seizes 2,300 Domains and Infrastructure

 

In a sweeping international crackdown earlier this month, a collaborative operation involving major tech firms and law enforcement agencies significantly disrupted the Lumma malware-as-a-service (MaaS) operation. This effort resulted in the seizure of thousands of domains and dismantling of key components of Lumma's infrastructure across the globe.

A major milestone in the operation occurred on May 13, 2025, when Microsoft, through legal action, successfully took control of around 2,300 domains associated with the malware. Simultaneously, the U.S. Department of Justice (DOJ) dismantled online marketplaces used by cybercriminals to rent Lumma’s services, while Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) helped take down Lumma’s infrastructure in their respective regions.

"Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims," said Steven Masada, Assistant General Counsel of Microsoft's Digital Crimes Unit.

Cloudflare, one of the key players in the effort, highlighted the impact of the takedown.

“The Lumma Stealer disruption effort denies the Lumma operators access to their control panel, marketplace of stolen data, and the Internet infrastructure used to facilitate the collection and management of that data. These actions impose operational and financial costs on both the Lumma operators and their customers, forcing them to rebuild their services on alternative infrastructure,” Cloudflare stated.

The operation saw contributions from companies like ESET, CleanDNS, Bitsight, Lumen, GMO Registry, and law firm Orrick. According to Cloudflare, the Lumma malware misused their platform to mask server IP addresses that were used to siphon off stolen credentials and sensitive data.

Even after suspending malicious domains, the malware managed to bypass Cloudflare’s interstitial warning page, prompting the company to reinforce its security measures.

"Cloudflare's Trust and Safety team repeatedly flagged domains used by the criminals and suspended their accounts," the company explained.

“In February 2025, Lumma’s malware was observed bypassing Cloudflare’s interstitial warning page, which is one countermeasure that Cloudflare employs to disrupt malicious actors. In response, Cloudflare added the Turnstile service to the interstitial warning page, so the malware could not bypass it." 

Also known as LummaC2, Lumma is a sophisticated information-stealing malware offered as a subscription-based service, ranging from $250 to $1,000. It targets both Windows and macOS systems, enabling cybercriminals to exfiltrate data from browsers and apps.

Once installed, Lumma can extract a broad range of data, including login credentials, credit card numbers, cryptocurrency wallets, cookies, and browsing history from popular browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based platforms. The stolen data is packaged and sent to attacker-controlled servers, where it is either sold on dark web marketplaces or used in follow-up cyberattacks.

Initially spotted in December 2022 on cybercrime forums, the malware quickly gained traction. Cybersecurity firm KELA reported its rapid rise in popularity among cybercriminals.

IBM X-Force’s 2025 threat intelligence report revealed a 12% year-on-year increase in the number of stolen credentials being sold online, largely driven by the use of infostealers like Lumma. Phishing campaigns delivering such malware have surged by 84%, making Lumma the most dominant player in this threat landscape.

Lumma has been linked to major malvertising campaigns affecting hundreds of thousands of users and has been used by notorious groups such as the Scattered Spider cybercrime collective.

Recently, stolen data linked to Lumma has played a role in high-profile breaches at companies like PowerSchool, HotTopic, CircleCI, and Snowflake. In some cases, infostealer malware has been used to manipulate internet infrastructure, such as the Orange Spain RIPE account hijacking incident that disrupted BGP and RPKI configurations.

On the day of the crackdown, the FBI and CISA jointly issued a security advisory outlining indicators of compromise (IOCs) and detailing the tactics, techniques, and procedures (TTPs) employed by threat actors using Lumma malware.


Read more »
Microsoft
Infostealer Lumma Stealer Malicious Campaign malware Microsoft

Microsoft Uncover Password Stealer Malware on 4 lakh Windows PCs

 

Microsoft's Digital Crimes Unit (DCU) and global partners have halted Lumma Stealer, one of cybercriminals' most common info-stealing malware tools. On May 13, Microsoft and law enforcement agencies seized nearly 2,300 domains that comprise Lumma's infrastructure, inflicting a significant blow to cybercrime networks targeting sensitive private and institutional data. 

Lumma is a Malware-as-a-Service (MaaS) that has been advertised on underground forums since 2022. It specialises in siphoning passwords, banking credentials, cryptocurrency wallets, and other information. Its victims include individual consumers, schools, banks, and critical service providers. Between March and May 2025, Microsoft found about 394,000 Lumma-infected Windows systems. The majority of these systems were located in Brazil, the United States, and other parts of Europe.

The operation, which was permitted by the US District Court for the Northern District of Georgia, involved Microsoft, the US Department of Justice, Europol, and Japan's Cybercrime Control Centre. The DOJ removed Lumma's command infrastructure, while law enforcement assisted in the suspension of local networks that supported the malware. 

Microsoft is sending over 1,300 confiscated or transferred domains to its "sinkholes"—a defensive infrastructure that intercepts malicious traffic in order to detect and prevent further attempts. The insights gained from these sinkholes will help public and private cybersecurity operations to investigate, track, and neutralise Lumma-related threats. 

Lumma, which is designed to avoid detection, has been popular among ransomware gangs such as Octo Tempest (also known as Scattered Spider). It spreads via phishing attacks, malvertising, and impersonation frauds, such as a recent attack that used Booking.com to perpetrate financial theft. Lumma has been used against sectors like healthcare, telecom, and logistics in addition to financial fraud, highlighting the wide-ranging and persistent threat it poses.

“We know cybercriminals are persistent and creative. We, too, must evolve to identify new ways to disrupt malicious activities. Microsoft’s DCU will continue to adapt and innovate to counteract cybercrime and help ensure the safety of critical infrastructure, customers, and online users,” noted Microsoft in a blog post.
Read more »
Technology
AI Chatbots Artificial Intelligence DeepSeek Microsoft Technology

Why Microsoft Says DeepSeek Is Too Dangerous to Use

 


Microsoft has openly said that its workers are not allowed to use the DeepSeek app. This announcement came from Brad Smith, the company’s Vice Chairman and President, during a recent hearing in the U.S. Senate. He said the decision was made because of serious concerns about user privacy and the risk of biased content being shared through the app.

According to Smith, Microsoft does not allow DeepSeek on company devices and hasn’t included the app in its official store either. Although other organizations and even governments have taken similar steps, this is the first time Microsoft has spoken publicly about such a restriction.

The main worry is where the app stores user data. DeepSeek's privacy terms say that all user information is saved on servers based in China. This is important because Chinese laws require companies to hand over data if asked by the government. That means any data stored through DeepSeek could be accessed by Chinese authorities.

Another major issue is how the app answers questions. It’s been noted that DeepSeek avoids topics that the Chinese government sees as sensitive. This has led to fears that the app’s responses might be influenced by government-approved messaging instead of being neutral or fact-based.

Interestingly, even though Microsoft is blocking the app itself, it did allow DeepSeek’s AI model—called R1—to be used through its Azure cloud service earlier this year. But that version works differently. Developers can download it and run it on their own servers without sending any data back to China. This makes it more secure, at least in terms of data storage.

However, there are still other risks involved. Even if the model is hosted outside China, it might still share biased content or produce low-quality or unsafe code.

At the Senate hearing, Smith added that Microsoft took extra steps to make the model safer before making it available. He said the company made internal changes to reduce any harmful behavior from the model, but didn’t go into detail about what those changes were.

When DeepSeek was first added to Azure, Microsoft said the model had passed safety checks and gone through deep testing to make sure it met company standards.

Some people have pointed out that DeepSeek could be seen as a competitor to Microsoft’s own chatbot, Copilot. But Microsoft doesn’t block every competing chatbot. For example, Perplexity is available in the Windows app store. Still, some other popular apps, like Google’s Chrome browser and its Gemini chatbot, weren’t found during a search of the store.

Read more »
Zero-day Flaw
Microsoft Play ransomware Storm-2460 Vulnerabilities and Exploits Zero-day Flaw

Windows CLFS Zero-Day Flaw Exploited in Play Ransomware Attacks

 

In zero-day attacks, the Play ransomware gang exploited a critical Windows Common Log File System flaw to gain SYSTEM access and install malware on infected PCs. The vulnerability, known as CVE-2025-29824, was identified by Microsoft as being exploited in a small number of attacks and addressed during last month's patch.

"The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," Microsoft noted in April. 

Microsoft attributed these assaults to the RansomEXX ransomware outfit, claiming that the perpetrators installed the PipeMagic backdoor malware, which was employed to deliver the CVE-2025-29824 exploit, ransomware payloads, and ransom letters after encrypting files. 

Since then, Symantec's Threat Hunter Team has discovered evidence linking them to the Play ransomware-as-a-service operation, claiming that the hackers used a CVE-2025-29824 zero-day privilege escalation exploit after breaching a US organization's network. 

"Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attackers behind the Play ransomware operation," Symantec added. "Balloonfly is a cybercrime group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in attacks.” 

The Grixba custom network-scanning and information-stealing program was discovered two years ago, and Play ransomware operators often use it to list users and computers in compromised networks. The Play cybercrime gang first appeared in June 2022, and it is also renowned for double-extortion attacks, in which its affiliates coerce victims into paying ransoms to prevent their stolen data from being exposed online. 

As of October 2023, the Play ransomware gang has compromised the networks of around 300 organisations globally, according to a joint alert released by the FBI, CISA, and the Australian Cyber Security Centre (ACSC) in December 2023. 

The cloud computing company Rackspace, the massive auto retailer Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and, more recently, the American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme are among the notable victims of the Play ransomware.
Read more »
zero data
Backup commvault Cyber Attacks Data Microsoft zero data

Commvault Confirms Cyberattack, Says Customer Backup Data Remains Secure


Commvault, a well-known company that helps other businesses protect and manage their digital data, recently shared that it had experienced a cyberattack. However, the company clarified that none of the backup data it stores for customers was accessed or harmed during the incident.

The breach was discovered in February 2025 after Microsoft alerted Commvault about suspicious activity taking place in its Azure cloud services. After being notified, the company began investigating the issue and found that a very small group of customers had been affected. Importantly, Commvault stated that its systems remained up and running, and there was no major impact on its day-to-day operations.

Danielle Sheer, Commvault’s Chief Trust Officer, said the company is confident that hackers were not able to view or steal customer backup data. She also confirmed that Commvault is cooperating with government cybersecurity teams, including the FBI and CISA, and is receiving support from two independent cybersecurity firms.


Details About the Vulnerability

It was discovered that the attackers gained access by using a weakness in Commvault’s web server software. This flaw, now fixed, allowed hackers with limited permissions to install harmful software on affected systems. The vulnerability, known by the code CVE-2025-3928, had not been known or patched before the breach, making it what experts call a “zero-day” issue.

Because of the seriousness of this bug, CISA (Cybersecurity and Infrastructure Security Agency) added it to a list of known risks that hackers are actively exploiting. U.S. federal agencies have been instructed to update their Commvault software and fix the issue by May 19, 2025.


Steps Recommended to Stay Safe

To help customers stay protected, Commvault suggested the following steps:

• Use conditional access controls for all cloud-based apps linked to Microsoft services.

• Check sign-in logs often to see if anyone is trying to log in from suspicious locations.

• Update secret access credentials between Commvault and Azure every three months.


The company urged users to report any strange behavior right away so its support team can act quickly to reduce any damage.

Although this was a serious incident, Commvault’s response was quick and effective. No backup data was stolen, and the affected software has been patched. This event is a reminder to all businesses to regularly check for vulnerabilities and keep their systems up to date to prevent future attacks.

Read more »
Technology
AI AI news Artifical Inteligence Microsoft Technology

AI Now Writes Up to 30% of Microsoft’s Code, Says CEO Satya Nadella

 

Artificial intelligence is rapidly reshaping software development at major tech companies, with Microsoft CEO Satya Nadella revealing that between 20% and 30% of code in the company’s repositories is currently generated by AI tools. 

Speaking during a fireside chat with Meta CEO Mark Zuckerberg at Meta’s LlamaCon conference, Nadella shed light on how AI is becoming a core contributor to Microsoft’s development workflows. He noted that Microsoft is increasingly relying on AI not just for coding but also for quality assurance. 

“The agents we have for reviewing code; that usage has increased,” Nadella said, adding that the performance of AI-generated code differs depending on the programming language. While Python showed strong results, C++ remained a challenge. “C Sharp is pretty good but C++ is not that great. Python is fantastic,” he noted. 

When asked about the role of AI in Meta’s software development, Zuckerberg did not provide a specific figure but shared that the company is prioritizing AI-driven engineering to support the development of its Llama models. 

“Our bet is that probably half the development is done by AI as opposed to people and that will just kind of increase from there,” Zuckerberg said. 

Microsoft’s Chief Technology Officer Kevin Scott has previously projected that AI will be responsible for generating 95% of all code within the next five years. Speaking on the 20VC podcast, Scott emphasized that human developers will still play a vital role. 

“Very little is going to be — line by line — human-written code,” he said, but added that AI will “raise everyone’s level,” making it easier for non-experts to create functional software. The comments from two of tech’s biggest leaders point to a future where AI not only augments but significantly drives software creation, making development faster, more accessible, and increasingly automated.
Read more »
Subscribe to: Posts (Atom)