Security News

Microsoft: Recent Windows Server updates cause DNS issues
2022-03-24 15:27

Microsoft has addressed a new known issue causing DNS stub zone loading failures that could lead to DNS resolution issues on Windows Server 2019 systems. DNS stub zones are copies of DNS zones containing resource records needed to determine the authoritative DNS servers for a specific zone and resolve names between separate DNS namespaces.

Microsoft Help Files Disguise Vidar Malware
2022-03-24 13:10

The trick to this particular campaign is that it conceals its complex malware behind a Microsoft Compiled HTML Help (CHM) file, Microsoft's proprietary file format for help documentation saved in HTML. In other words, it's the kind of file you almost never look at or even think about. The campaign uses CHM files in a nested attack that prioritizes obfuscation.

Microsoft and Okta Confirm Breach by LAPSUS$ Extortion Group
2022-03-23 22:34

Microsoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained "limited access" to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. Identity and access management company Okta, which also acknowledged the breach through the account of a customer support engineer working for a third-party provider, said that the attackers had access to the engineer's laptop during a five-day window between January 16 and 21, but that the service itself was not compromised.

Microsoft warns of destructive attacks by Lapsus$ cybercrime group
2022-03-23 17:42

In a blog post published Tuesday, Microsoft provides insight into the group's tactics and techniques and offers tips on how to protect your organization from these attacks.

Microsoft PowerToys breaks Outlook PDF preview
2022-03-23 17:10

Microsoft says the Outlook PDF preview feature might be broken for some Microsoft 365 customers on systems where the company's PowerToys open-source toolset is also installed. According to Microsoft, one of the reasons this error is displayed is the PDF preview File Explorer add-on bundled with Microsoft PowerToys.

Microsoft fixes Bluetooth issue causing Windows blue screens
2022-03-23 15:56

Microsoft has fixed a known Bluetooth issue causing some Windows 10 systems to crash with a blue screen of death after installing the January KB5009596 cumulative update. The list of affected Windows versions includes only client platforms: Windows 10 21H2, Windows 10 21H1, and Windows 10 20H2. "After installing KB5009596 or later updates, some organizations which have Windows devices paired to Bluetooth devices might receive an error message 'Your device ran into a problem and needs to restart.' with a blue screen and 'Stop code: IRQ NOT LESS OR EQUAL'," Microsoft explains.

Microsoft: Lapsus$ Used Employee Account to Steal Source Code
2022-03-23 15:28

"No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity," Microsoft explained in an advisory about the Lapsus$ threat actors. Lapsus$ shared a screenshot of what were allegedly Microsoft's internal source code repositories: leaked files that security researchers said appear to be legitimate internal source code.

Microsoft and Okta confirm, detail impact of Lapsus$ gang’s attacks
2022-03-23 11:24

Recent claims by the cyber extortion gang have been validated by Okta and Microsoft: Lapsus$ have managed to get their hands on some of Microsoft's source code and have gained access to the laptop of a support engineer working for a third-party contractor for Okta, allowing them to potentially impact approximately 2.5% of the company's customers. After the gang published screenshots from Okta's internal systems and said that they focused their incursion on Okta customers, the company's CEO first said that, in late January 2022, they detected an attempt to compromise the account of a customer support engineer working for one of their subprocessors, and that "there is no evidence of ongoing malicious activity beyond the activity detected in January."

Microsoft confirms they were hacked by Lapsus$ extortion group
2022-03-23 00:13

In a new blog post published tonight, Microsoft has confirmed that one of their employees' accounts was compromised by Lapsus$, providing limited access to source code repositories. "No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity," explained Microsoft in an advisory about the Lapsus$ threat actors.

Lapsus$ Data Kidnappers Claim Snatches From Microsoft, Okta
2022-03-22 22:14

Both Microsoft and Okta are investigating claims by the new, precocious data extortion group Lapsus$ that the gang has breached their systems. The purported Okta screenshots included one that appears to show Okta's Slack channels and another with a Cloudflare interface.