#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

windows security | Breaking Cybersecurity News | The Hacker News

Category — windows security
Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware

Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware

Aug 01, 2024 Data Encryption / Browser Security
Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems. "On Windows, Chrome uses the Data Protection API ( DPAPI ) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team said . "However, the DPAPI does not protect against malicious applications able to execute code as the logged in user – which info-stealers take advantage of." App-bound encryption is an improvement over DPAPI in that it interweaves an app's identity (i.e., Chrome in this case) into encrypted data to prevent another app on the system from accessing it when decryption is attempted. "Because the app-bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," Harris said. "Now, th
Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

Jul 20, 2024 Malware / IT Outage
Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. The attack chains involve distributing a ZIP archive file named " crowdstrike-hotfix.zip ," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload. Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urges targets to run an executable file ("setup.exe") to recover from the issue. "Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said , attributing the campaign to a suspected e-
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide

Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide

Jul 19, 2024
Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike. "CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," the company's CEO George Kurtz said in a statement . "Mac and Linux hosts are not impacted. This is not a security incident or cyber attack." The company, which acknowledged "reports of [ Blue Screens of Death ] on Windows hosts," further said it has identified the issue and a fix has been deployed for its Falcon Sensor product, urging customers to refer to the support portal for the latest updates. For systems that have been already impacted by the problem, the mitigation instructions are listed below - Boot Windows in Safe Mode or Windows Recovery Environment Navigate to the C:\Windows\System32\drivers\CrowdStrike directory Find the file named &qu
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver

Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver

Jul 18, 2024 Malware / Windows Security
Cybersecurity researchers have shed light on an adware module that purports to block ads and malicious websites, while stealthily offloading a kernel driver component that grants attackers the ability to run arbitrary code with elevated permissions on Windows hosts. The malware, dubbed HotPage, gets its name from the eponymous installer ("HotPage.exe"), according to new findings from ESET, which discovered the malware towards the end of 2023. The installer "deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers' network traffic," ESET researcher Romain Dumont said in a technical analysis published today. "The malware can modify or replace the contents of a requested page, redirect the user to another page, or open a new page in a new tab based on certain conditions." Besides leveraging its browser traffic interception and filtering capabilities to display game-relat
Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited

Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited

Jul 10, 2024 Endpoint Security / Vulnerability
Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild. Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month. The two security shortcomings that have come under exploitation are below - CVE-2024-38080 (CVSS score: 7.8) - Windows Hyper-V Elevation of Privilege Vulnerability CVE-2024-38112 (CVSS score: 7.5) - Windows MSHTML Platform Spoofing Vulnerability "Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment," Microsoft said of CVE-2024-38112. "An attacker would have to send the victim a malicious file that the victim would have to execute." Check Point securi
Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Jun 17, 2024 Web Security / Malware
Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German cybersecurity company G DATA said in a report. Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month. It all starts with a compromised website, including those built on WordPress, to inject code that incorporates logic to determine if a user has visited the site before.  Should it be the user's first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request. The response from the server subsequently overlays the contents of the web page with a ph
Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw

Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw

Jun 12, 2024 Ransomware / Endpoint Security
Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day, according to new findings from Symantec. The security flaw in question is CVE-2024-26169 (CVSS score: 7.8), an elevation of privilege bug in the Windows Error Reporting Service that could be exploited to achieve SYSTEM privileges. It was patched by Microsoft in March 2024. "Analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The financially motivated threat cluster is being tracked by the company under the name Cardinal. It's also monitored by the cybersecurity community under the names Storm-1811 and UNC4393 . It's known to mon
New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers

New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers

Jun 12, 2024 Cyber Attack / Malware
Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE. "WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads," Elastic Security Labs researcher Daniel Stepanic said in a new analysis. "Each sample is compiled with a hard-coded [command-and-control] IP address and RC4 key." The backdoor comes with capabilities to fingerprint infected machines, capture screenshots, and drop more malicious programs. The company is tracking the activity under the name REF6127. The attack chains observed since late April involve the use of email messages purporting to be from recruitment firms like Hays, Michael Page, and PageGroup, urging recipients to click on an embedded link to view details about a job opportunity. Users who end up clicking on the link are then prompted to download a docume
Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days

Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days

May 15, 2024 Patch Tuesday / Vulnerability
Microsoft has addressed a total of  61 new security flaws  in its software as part of its Patch Tuesday updates for May 2024, including two zero-days which have been actively exploited in the wild. Of the 61 flaws, one is rated Critical, 59 are rated Important, and one is rated Moderate in severity. This is in addition to  30 vulnerabilities  resolved in the Chromium-based Edge browser over the past month, including two recently disclosed zero-days ( CVE-2024-4671  and  CVE-2024-4761 ) that have been tagged as exploited in attacks. The two security shortcomings that have been weaponized in the wild are below - CVE-2024-30040  (CVSS score: 8.8) - Windows MSHTML Platform Security Feature Bypass Vulnerability CVE-2024-30051  (CVSS score: 7.8) - Windows Desktop Window Manager ( DWM ) Core Library Elevation of Privilege Vulnerability "An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious
Microsoft's January 2024 Windows Update Patches 48 New Vulnerabilities

Microsoft's January 2024 Windows Update Patches 48 New Vulnerabilities

Jan 10, 2024 Vulnerability / Windows Security
Microsoft has addressed a total of  48 security flaws  spanning its software as part of its Patch Tuesday updates for January 2024. Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday with no zero-days. The fixes are in addition to  nine security vulnerabilities  that have been resolved in the Chromium-based Edge browser since the release of  December 2023 Patch Tuesday  updates. This also includes a fix for a zero-day ( CVE-2023-7024 , CVSS score: 8.8) that Google said has been actively exploited in the wild. The most critical among the flaws patched this month are as follows - CVE-2024-20674  (CVSS score: 9.0) - Windows Kerberos Security Feature Bypass Vulnerability CVE-2024-20700  (CVSS score: 7.5) - Windows Hyper-V Remote Code Execution Vulnerability "The authentication feature could be bypas
New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections

Jan 01, 2024 Windows Security / Vulnerability
Security researchers have detailed a new variant of a dynamic link library ( DLL ) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11. The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes  said  in a new report exclusively shared with The Hacker News. In doing so, it allows adversaries to eliminate the need for elevated privileges when attempting to run nefarious code on a compromised machine as well as introduce potentially vulnerable binaries into the attack chain, as  observed   in the   past . DLL search order hijacking , as the name implies, involves  gaming the search order  used to load DLLs in order to execute malicious payloads for purposes of defense evasion, persistence, and privilege escal
Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover

Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover

Nov 02, 2023 Endpoint Security / Malware
As many as 34 unique vulnerable Windows Driver Model ( WDM ) and Windows Driver Frameworks ( WDF ) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems. "By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black,  said . The  research  expands on previous studies, such as  ScrewedDrivers  and  POPKORN  that utilized  symbolic execution  for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O. The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys ( CVE-2023-20598 ), RadHwMgr.sys, rtif.sys, rtport.sys, s
Expert Insights / Articles Videos
Cybersecurity Resources