Security News

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information. Mandiant, who has been tracking the activities of Cozy Bear, reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.

Microsoft has released Sysmon 14 with a new 'FileBlockExecutable' option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware. Users can find the complete list of directives in the Sysmon schema, which can be viewed by running the sysmon -s command at the command line.

The tamper protection feature in Microsoft Defender for Endpoint for macOS is getting rolled out to all customers, the company has announced on Monday. "While in Audit mode, TP signals can be viewed via Advanced Hunting and in local on-device logs. No tampering alerts are raised in the Security Center while in Audit mode. Alerts are raised in the portal only in block mode," explained Camilla Sophie Djamalov, a Program Manager Intern at Microsoft.

Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a "Highly persistent threat actor" whose objectives align closely with Russian state interests. "SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries," Microsoft's threat hunting teams said.

Microsoft Defender for Endpoint's Tamper Protection in macOS has entered general availability. It represents one more layer of protection and prevents the unauthorized removal of Microsoft Defender for Endpoint on macOS. It also prevents tampering with files, process and configuration settings for Defender for Endpoint, and applies at device level.

This included using email, OneDrive and other Microsoft cloud services accounts, as well as phony LinkedIn profiles that the criminals used to scope out employees who work for target organizations. In May, Google and Reuters attributed a hack-and-leak campaign to Coldriver, aka Seaborgium, in which the criminals leaked emails and documents reportedly stolen from high-level Brexit proponents, including former British spymaster Richard Dearlove.

The Microsoft Threat Intelligence Center has disrupted a hacking and social engineering operation linked to a Russian threat actor tracked as SEABORGIUM that targets people and organizations in NATO countries. "Within the target countries, SEABORGIUM primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations and intergovernmental organizations, think tanks, and higher education," explains Microsoft in a report released today.

A security feature bypass vulnerability has been uncovered in three signed third-party Unified Extensible Firmware Interface boot loaders that allow bypass of the UEFI Secure Boot feature. "These vulnerabilities can be exploited by mounting the EFI System Partition and replacing the existing bootloader with the vulnerable one, or modifying a UEFI variable to load the vulnerable loader instead of the existing one," hardware security firm Eclypsium said in a report shared with The Hacker News.

Microsoft is showing ads for Microsoft 365 Family subscriptions to its Office 2021 customers, offering them discounts of over $28 to get a 3-month Family plan subscription. Several users have reported seeing these ads this week, starting on August 10, with Lee Holmes, a Principal Security Architect at Microsoft Azure Security, also sharing today a screenshot showing the ad displayed as an alert bar under the Office menu.

Some signed third-party bootloaders for the Unified Extensible Firmware Interface could allow attackers to execute unauthorized code in an early stage of the boot process, before the operating system loads. Eclypsium security researchers Mickey Shkatov and Jesse Michael discovered vulnerabilities affecting UEFI bootloaders from third-party vendors that could be exploited to bypass the Secure Boot feature on Windows machines.