Security News

Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022."Since our first announcement nearly three years ago, we've seen millions of users move away from basic auth, and we've disabled it in millions of tenants to proactively protect them. We're not done yet though, and unfortunately usage isn't yet at zero. Despite that, we will start to turn off basic auth for several protocols for tenants not previously disabled," the Exchange Team said today.

"Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft 365 Defender Research Team said in a write-up. Successful exploitation of the flaw could have permitted malicious actors to access and modify users' TikTok profiles and sensitive information, leading to the unauthorized exposure of private videos.

Microsoft found and reported a high severity flaw in the TikTok Android app in February that allowed attackers to "Quickly and quietly" take over accounts with one click by tricking targets into clicking a specially crafted malicious link."Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Microsoft 365 Defender Research Team's Dimitrios Valsamaras said.

Microsoft Azure customers' virtual machines running Ubuntu 18.04 have been taken offline by an ongoing outage caused by a faulty systemd update. Microsoft says in an incident report published on the Azure status page that these DNS issues only affect VMs running Ubuntu 18.04.

Hackers continue to exploit the Log4j vulnerability in vulnerable applications, as shown by the Iranian 'MuddyWater' threat actor who was found targeting Israeli organizations using the SysAid software. The latest MuddyWater hacking campaign outlined in a Microsoft report yesterday constitutes the first example of leveraging vulnerable SysAid applications to breach corporate networks.

To protect the victim's account, the organization had implemented Microsoft MFA through the Microsoft Authenticator app, which should have stopped any use of stolen credentials. Microsoft MFA doesn't always require a second form of authentication.

Microsoft has discovered a new malware used by the Russian hacker group APT29 that enables authentication as anyone in a compromised network. Dubbed 'MagicWeb', the new malicious tool is an evolution of 'FoggyWeb', which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control server.

The threat actor behind the SolarWinds supply chain attack has been linked to yet another "Highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. "Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations, intergovernmental organizations, and think tanks across the US, Europe, and Central Asia," Microsoft said.

A new business email compromise campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle tactics to hack corporate executives' Microsoft 365 accounts, even those protected by MFA. By accessing accounts of high-ranking employees like CEOs or CFOs of large organizations, the threat actors can monitor communications and respond to emails at the right moment to divert a large transaction to their bank accounts. The phishing emails sent in these attacks tell the target that the corporate bank account they usually send payments to has been frozen due to a financial audit, enclosing new payment instructions that switch to the account of an alleged subsidiary.

More recently, Mandiant and Mitiga researchers have documented different approaches that allow attackers touse Microsoft MFA to their advantage. Attackers take over dormant Microsoft accounts and set up MFA. Douglas Bienstock, an IR manager at Mandiant, shared last week a new tactic by APT29 and other threat actors that involves taking advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms.