attack Archives

AppWizard

May 22, 2025

‘TMNT: Tactical Takedown’ Is an Ingenious Bite-Sized Twist on Strategy RPGs

Teenage Mutant Ninja Turtles: Tactical Takedown is a strategy game that features the Turtles in a unique narrative where they are without their mentor, Splinter, or their nemesis, Shredder, as the Foot Clan invades New York City. The game lasts approximately six hours and is divided into four chapters, allowing players to control one Turtle at a time, which enhances character exploration. Each Turtle has a distinct moveset, and gameplay involves optimizing moves and managing action points in evolving battle stages. The game combines strategic elements with a narrative that highlights the Turtles' growth and brotherhood. Tactical Takedown is available on PC.

Winsage

May 22, 2025

BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover

The dMSA account in Active Directory manages service accounts with enhanced security and automation. Key attributes include msDS-DelegatedMSAState, which indicates the migration status (unknown, in progress, or completed), and msDS-ManagedAccountPrecededByLink, which identifies the superseded account. The msDS-GroupMSAMembership attribute specifies authorized principals for authentication as the dMSA account. After migration, systems using the old service account receive a notification from the Domain Controller that the previous account is disabled, along with a KERB-SUPERSEDED-BY-USER field pointing to the new dMSA. The Key Distribution Center (KDC) within the Kerberos protocol validates user identities and grants access based on permissions, ensuring secure network resource access.

Winsage

May 22, 2025

Windows Server Flaw a Shortcut to Privilege Escalation

An unpatched vulnerability in Windows Server 2025, identified by Akamai researchers, is associated with a method called "BadSuccessor." This flaw, considered "trivial" to exploit and present in the default configuration, allows for privilege escalation and potential full domain compromise. The vulnerability arises from delegated managed service accounts (dMSA), which were intended to enhance security during the migration of legacy service accounts. However, dMSAs can inherit permissions from legacy accounts, enabling attackers to simulate a migration and gain access to the permissions and encryption keys of those accounts without verification. The attack requires prior permissions within an Active Directory organizational unit, indicating a previous breach. Akamai reported the vulnerability to Microsoft on April 1, but Microsoft classified its severity as "moderate." Akamai recommends organizations restrict the creation of dMSAs to mitigate risks associated with this vulnerability.

AppWizard

May 22, 2025

Turn-Based Tactical RPG Critical Shift Announced For PC & Consoles

Indie game developer Rhinotales Studio has announced their new game, Critical Shift, a hardcore turn-based tactical RPG set in an Antarctic research station. Players lead a squad of elite agents to investigate a distress call from ICE-1 Station, where communications have ceased. The game features a tactical combat system that emphasizes positioning and weapon range, allowing players to adapt their strategies in real-time. It includes over 30 levels with unique challenges, a story-driven narrative crafted by writer Guilty Three, and will be available on PC via Steam, Xbox, and PlayStation, though a release date has not been announced.

Winsage

May 22, 2025

Windows 95 chime composer Brian Eno denounces Microsoft for its ties to Israeli government

Renowned musician Brian Eno announced he will donate the earnings from his Windows 95 startup chime to support those affected in Gaza. This decision follows scrutiny of Microsoft’s contracts with the Israeli government amid ongoing humanitarian crises. Eno criticized Microsoft for its involvement in operations contributing to violations of international law and called for the company to suspend services supporting such actions. Microsoft acknowledged its contracts with Israel’s Ministry of Defense but claimed an internal review found no evidence of its technologies targeting civilians in Gaza. Following the October 7, 2023 attack by Hamas, significant casualties have been reported in Gaza, with estimates of over 52,000 to as high as 109,000 deaths. Human rights organizations have accused Israel of war crimes. Protests by Microsoft employees have occurred, demanding accountability for the company's actions. Eno emphasized the need for artists and corporations to consider the implications of their contributions.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Winsage

May 21, 2025

New Windows Server 2025 Attack Compromises Any Active Directory User

A significant security flaw, named BadSuccessor, has been discovered in Windows Server 2025, posing a serious risk to Active Directory users. This privilege escalation vulnerability allows attackers to compromise any user in Active Directory and is alarmingly easy to exploit, requiring only basic permissions on any organizational unit. Currently, no patch is available for this vulnerability. In 91% of environments examined, users outside the domain admins group had the necessary permissions to execute the attack. The exploit leverages the delegated Managed Service Account (dMSA) feature, enabling attackers to take control of any principal within the domain. Microsoft has rated the vulnerability as moderate severity and plans to address it in a future update, noting that elevated user permissions are required for successful exploitation. Organizations are advised to identify and eliminate unnecessary permissions to mitigate potential threats.

Winsage

May 21, 2025

Active Directory DMSA Attack Detailed By Researchers

The delegated Managed Service Account (dMSA) feature in Windows Server 2025 has a privilege escalation vulnerability that allows attackers to compromise any user in an Active Directory (AD) environment. Research by Yuval Gordon revealed that in 91% of examined environments, users outside the domain admins group had the necessary permissions to exploit this vulnerability. The attack can be executed with benign permissions on any organizational unit (OU) and does not require actual migration of accounts. Gordon's technique, called “BadSuccessor,” enables an attacker controlling a dMSA object to inherit the permissions and keys of any user, including those with high privileges. Microsoft has acknowledged the vulnerability but categorized it as a Moderate severity issue. Akamai recommends limiting the creation of dMSAs and tightening permissions until a patch is released.

Winsage

May 21, 2025

Windows 11 Introduces Enhanced Administrator Protection to Strengthen Security Against Elevated Privilege Attacks

Microsoft has launched Administrator Protection for Windows 11, a feature designed to enhance cybersecurity by preventing privilege escalation attacks. This feature creates a security boundary around administrative operations, reducing the attack surface for cybercriminals. It introduces a hidden, system-managed local user account that generates isolated admin tokens, preventing user-level malware from compromising elevated processes. Administrator Protection eliminates auto-elevation functionality, requiring users to explicitly authorize administrative actions. It utilizes a System Managed Administrator Account (SMAA) that generates non-persistent admin tokens for specific tasks, which are discarded after use. The feature is currently available to Windows Insiders in the Canary channel and will expand to the Dev channel, with broader deployment expected in the 24H2 release. Compatibility challenges may arise in complex development environments, such as with Visual Studio.

AppWizard

May 20, 2025

Preventing App-Based Threats on Android Devices

By 2025, the Android platform faces increasingly sophisticated app-based threats, including ransomware, fake apps, social engineering, and remote access attacks. Cybercriminals exploit Android's open architecture, prompting the need for advanced security measures. Android's security architecture includes: 1. Google Play Protect: Scans applications before installation using real-time machine learning to detect emerging malware and deceptive tactics. 2. Application Sandboxing: Isolates apps to prevent data access between them, utilizing Linux permissions and SELinux policies. 3. App Signing and Code Integrity: Requires cryptographic signatures for apps, complicating the introduction of rogue certificates and runtime modifications. Advanced protections include Runtime Application Self-Protection (RASP) for high-security apps, which monitors behavior in real time, and secure coding practices that encourage regular code reviews, strong authentication, and data encryption. User vigilance is crucial, emphasizing responsible downloading, limiting permissions, keeping software updated, enabling two-factor authentication, and being cautious with public Wi-Fi. Google continuously updates security measures, ensuring older devices receive new protections, while collaboration with the security community aids in identifying and countering emerging threats.