Security News

A cyber mercenary that "Ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor, is an Austria-based outfit called DSIRF that's linked to the development and attempted sale of a piece of cyberweapon referred to as Subzero, which can be used to hack targets' phones, computers, and internet-connected devices.

Microsoft has released the first preview build of Windows 10, version 22H2, to Windows Insiders for enterprise testing before the general release later this year. "Commercial devices configured for the Release Preview Channel via the Windows Insider Program Settings page or via Windows Update for Business policy, whether through Microsoft Intune or through Group Policy, will automatically be offered Windows 10, version 22H2 as an optional update."

Threat actors are generating revenue by using adware bundles, malware, or even hacking into Microsoft SQL servers, to convert devices into proxies rented through online proxy services. To steal a device's bandwidth, the threat actors install software called 'proxyware' that allocates a device's available internet bandwidth as a proxy server that remote users can use for various tasks, like testing, intelligence collection, content distribution, or market research.

Threat actors are finding their way around Microsoft's default blocking of macros in its Office suite, using alternative files to host malicious payloads now that a primary channel for threat delivery is being cut off, researchers have found. The beginning of the decrease coincided with Microsoft's plan to start blocking XL4 macros by default for Excel users, followed up with the blocking of VBA macros by default across the Office suite this year.

Microsoft is investigating an ongoing incident impacting administrators in North America who report seeing blank pages and 404 errors when trying to access the Microsoft 365 admin center.This outage could affect any admin in North America, as the company revealed on the Microsoft 365 Service health status page.

Hackers who normally distributed malware via phishing attachments with malicious macros gradually changed tactics after Microsoft Office began blocking them by default, switching to new file types such as ISO, RAR, and Windows Shortcut attachments.VBA and XL4 Macros are small programs created to automate repetitive tasks in Microsoft Office applications, which threat actors abuse for loading, dropping, or installing malware via malicious Microsoft Office document attachments sent in phishing emails.

Microsoft says Microsoft Edge users will notice improved performance and a smaller disk footprint because the web browser now automatically compresses disk caches. "Beginning with Microsoft Edge 102 on Windows, Microsoft Edge automatically compresses disk caches on devices that meet eligibility checks, to ensure the compression will be beneficial without degrading performance," the Microsoft Edge Team said Wednesday.

Microsoft has published an analysis of a Europe-based "Private-sector offensive actor" with a view to helping its customers spot signs of attacks by money-hungry gangsters. Dubbed Knotweed by Microsoft's Threat Intelligence Center and Security Response Center, the private sector targeting crew has made use of multiple Windows and Adobe zero-day exploits in attacks against European and Central American customers.

Microsoft has linked a threat group it tracks as Knotweed to a cyber mercenary outfit named DSIRF, targeting European and Central American entities using a malware toolset dubbed Subzero. Using passive DNS data while investigating Knotweed attacks, threat intelligence firm RiskIQ also found that infrastructure actively serving malware since February 2020 linked to DSIRF, including its official website and domains likely used to debug and stage the Subzero malware.

Microsoft says attackers increasingly use malicious Internet Information Services web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells. Microsoft previously saw custom IIS backdoors installed after threat actors exploited ZOHO ManageEngine ADSelfService Plus and SolarWinds Orion vulnerabilities.