bug bounty

Winsage
March 29, 2025
Red team researchers from IBM X-Force Red have published a method for bypassing Windows Defender Application Control (WDAC), the Windows feature that restricts execution to trusted applications. Bobby Cooke of X-Force Red confirmed that the Microsoft Teams application was abused to bypass WDAC and run a command-and-control (C2) payload. The techniques included "Living Off The Land Binaries" (LOLBINs), side-loading an untrusted dynamic-link library into a trusted application, exploiting a custom exclusion rule in a client's WDAC policy, and discovering a new execution chain inside a trusted application. Microsoft said it is aware of the WDAC bypass report and would take action as needed to protect customers.
Winsage
March 18, 2025
At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a Windows vulnerability tracked as ZDI-CAN-25373 since 2017 for data theft and cyber espionage. Microsoft has classified the issue as "not meeting the bar for servicing," meaning no security update will be released. The flaw lets attackers execute arbitrary code on affected Windows systems by hiding malicious command-line arguments inside .LNK shortcut files: the argument string is padded with long runs of whitespace characters (spaces, tabs, line feeds, vertical tabs, form feeds and carriage returns) so that the malicious portion is pushed out of view when a user inspects the shortcut's Target field in the Properties dialog. Nearly 70% of the analyzed attacks linked to this vulnerability were espionage-related, while about 20% were financially motivated. Malware payloads associated with these attacks include Ursnif, Gh0st RAT, and Trickbot. Exploitation requires user interaction: the target must visit a malicious page or open a malicious file. Microsoft has not assigned a CVE-ID; the issue is tracked under Trend Micro Zero Day Initiative's identifier ZDI-CAN-25373. A Microsoft spokesperson said the company may address the flaw in a future release.
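The padding trick is easy to check for once the shortcut is parsed rather than viewed through the Properties dialog. As an added example (not code from the Trend Micro/ZDI report or from any of the summarised articles), the following Python walks the parts of the MS-SHLLINK format needed to reach the COMMAND_LINE_ARGUMENTS string and flags shortcuts whose arguments contain an unusually long run of whitespace. The padding threshold, the cp1252 assumption for non-Unicode strings, and the minimal .LNK built by build_lnk as a test fixture are assumptions, not data from the report.

```python
import re
import struct
from typing import Optional

# Layout from the MS-SHLLINK specification: a 0x4C-byte ShellLinkHeader with
# LinkFlags at offset 20, then optional LinkTargetIDList and LinkInfo blocks,
# then the StringData sections as 16-bit-length-prefixed strings.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

# The six whitespace characters reported as padding: space, tab, LF, VT, FF, CR.
PAD_RUN = re.compile(r"[ \t\n\x0b\x0c\r]+")
# Assumed threshold (not from the report): legitimate shortcuts do not need
# dozens of consecutive blanks in their arguments; tune for your environment.
PAD_THRESHOLD = 32


def _decode(raw: bytes, unicode: bool) -> str:
    # ANSI strings use the system code page; cp1252 is assumed here.
    return raw.decode("utf-16-le") if unicode else raw.decode("cp1252")


def extract_arguments(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or None if absent."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    arguments = None
    for section in STRING_DATA_ORDER:            # sections appear in this fixed order
        if not flags & section:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData")
        pos += nbytes
        if section == HAS_ARGUMENTS:
            arguments = _decode(raw, unicode)
    return arguments


def longest_whitespace_run(arguments: str) -> int:
    """Length of the longest run of padding characters anywhere in the string."""
    return max((len(m.group(0)) for m in PAD_RUN.finditer(arguments)), default=0)


def is_padded(arguments: Optional[str], threshold: int = PAD_THRESHOLD) -> bool:
    """True when the arguments hold a whitespace run long enough to push the
    real command out of the visible part of the Target field."""
    return arguments is not None and longest_whitespace_run(arguments) >= threshold


def build_lnk(arguments: str, unicode: bool = True, id_list: bytes = b"") -> bytes:
    """Constructed test fixture, not an in-the-wild sample: a minimal .LNK with
    an optional LinkTargetIDList and only the COMMAND_LINE_ARGUMENTS section."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc.
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    encoded = arguments.encode("utf-16-le") if unicode else arguments.encode("cp1252")
    return header + body + struct.pack("<H", len(arguments)) + encoded


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            args = extract_arguments(fh.read())
        verdict = "PADDED" if is_padded(args) else "ok"
        print(f"{path}: {verdict} run={longest_whitespace_run(args or '')} args={args!r:.80}")
```

Run it over a directory of .LNK files from mail attachments or archives; a run of hundreds or thousands of blanks in the arguments has no legitimate use and is worth quarantining regardless of what follows the padding.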
Winsage
March 18, 2025
Microsoft's Windows Defender Application Control (WDAC) has become a target for security researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported that WDAC bypass submissions to Microsoft have three typical outcomes: a fix that may earn a bounty, addition of the abused binary to the WDAC recommended block list, or no recognition at all. Researchers such as Jimmy Bayne and Casey Smith have made significant discoveries, and the LOLBAS Project documents further bypasses, including one through the Microsoft Teams application. During red team operations, X-Force bypassed WDAC using known LOLBINs, DLL side-loading, custom exclusion rules found in client policies, and newly identified execution chains inside trusted applications. Electron applications are of particular interest because they execute JavaScript with access to the operating system, so a signed Electron binary can be made to run attacker-controlled script; the supply-chain attack on the MiMi chat application demonstrated this. While preparing for a red team operation, Bobby Cooke's team examined the legacy Microsoft Teams application and found that signed Node native modules bundled with it, which WDAC allows to load as trusted code, could be abused to execute shellcode without violating the policy. They built a JavaScript-based C2 framework, Loki C2, designed to operate under WDAC policies and to support reconnaissance and payload deployment. A demonstration showed Loki C2 bypassing a strict WDAC policy by replacing resources of the legitimate, signed Teams application so that the attacker's code ran undetected. The team's continuing development of these techniques reflects how attackers and defenders keep adapting to one another.
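The "custom exclusion rule" in a client's WDAC policy that X-Force exploited (mentioned in this entry and in the March 29 one) is typically an Allow rule that is broader than its author realises. As an added example, not code from X-Force or from Microsoft, the following Python audits a WDAC policy XML for the rule shapes a red team looks for first: audit mode, FilePath allow rules over user-writable or wildcarded directories, and FileName allow rules (which match on the OriginalFileName from the version resource, a value an attacker sets in their own binary). The sample policy, the list of user-writable paths and the severity choices are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Assumed list of locations a standard user can write to; extend for your estate.
USER_WRITABLE_PREFIXES = (
    "C:\\Users\\",
    "%OSDRIVE%\\Users\\",
    "C:\\ProgramData\\",
    "C:\\Windows\\Temp\\",
    "C:\\Windows\\Tasks\\",
)

# Constructed sample policy, not a real customer policy. ID_ALLOW_A_1 is the
# kind of "custom exclusion" a red team looks for: a path rule over a directory
# the user controls, so anything dropped there is trusted.
SAMPLE_POLICY = r"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Legacy app" FilePath="C:\Users\*\AppData\Local\LegacyApp\*" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="Teams" FilePath="C:\Program Files\Teams\*" />
    <Allow ID="ID_ALLOW_A_3" FriendlyName="Tool by name" FileName="tool.exe" />
    <Allow ID="ID_ALLOW_A_4" FriendlyName="Tool by hash" Hash="A1B2C3D4" />
    <Deny ID="ID_DENY_D_1" FriendlyName="Block MSBuild" FileName="MSBuild.exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>
"""


def audit_policy(xml_text: str) -> list:
    """Return human-readable findings for weak settings in a WDAC policy XML."""
    root = ET.fromstring(xml_text)
    findings = []
    # Audit mode logs violations in the CodeIntegrity event log but blocks nothing.
    for option in root.findall("si:Rules/si:Rule/si:Option", NS):
        if (option.text or "").strip() == "Enabled:Audit Mode":
            findings.append("policy option Enabled:Audit Mode: violations are logged, nothing is blocked")
    for allow in root.findall("si:FileRules/si:Allow", NS):
        rid = allow.get("ID", "?")
        path = allow.get("FilePath")
        name = allow.get("FileName")
        if path:
            if any(path.upper().startswith(p.upper()) for p in USER_WRITABLE_PREFIXES):
                findings.append(f"{rid}: FilePath allow rule covers a user-writable location: {path}")
            elif "*" in path:
                findings.append(f"{rid}: wildcard FilePath allow rule, confirm every matched directory is admin-only: {path}")
        elif name:
            findings.append(f"{rid}: FileName allow rule trusts the version-resource name {name}, which any binary can carry")
        # Hash rules and signer-backed rules are not flagged here.
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for finding in audit_policy(text):
        print("-", finding)
```

Deny rules are deliberately left alone: a FileName-based Deny with MinimumFileVersion 65535.65535.65535.65535 is the pattern the recommended block list uses, and it is strictly a tightening. Only Allow rules widen what runs.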
Winsage
December 7, 2024
Microsoft has expanded the Windows Recall preview to Copilot+ PCs with AMD and Intel chipsets, following its initial availability on Snapdragon devices. The feature is still in preview for Windows Insiders and lets users capture and revisit snapshots of their work. Microsoft's privacy and security measures include encrypting the snapshot data, turning Recall off by default, and requiring Windows Hello authentication to enable Recall and to view snapshots. Recall is also in scope for Microsoft's bug bounty program. The rollout was delayed from June to October and then to November before launching in a limited capacity.
Winsage
November 28, 2024
Microsoft has released a first-look preview of its revamped Windows Recall feature for Windows Insiders in the Dev Channel, specifically for Qualcomm Snapdragon X Elite and X Plus Copilot+ PCs, in Windows 11 Insider Preview Build 26120.2415 (KB5046723). Recall takes "snapshots" of PC activity so users can later retrieve application actions, websites visited, or documents opened. It uses optical character recognition (OCR) to extract text from the screenshots and stores both images and text in a searchable local database. The AI and machine-learning processing runs on the Copilot+ PC's neural processing unit (NPU), so snapshot data is not sent to the cloud. To enhance privacy and security, users must opt in to saving snapshots, and the feature requires BitLocker disk encryption, Secure Boot, and Windows Hello re-authentication before snapshots can be viewed. Users can delete snapshots and exclude specific applications from Recall. For enterprise and education users, IT administrators control whether Recall is available. Insiders can give feedback on Recall and its security model through the Feedback Hub and the Windows Insider Preview Bug Bounty Program. Microsoft has not announced a general-release date for Recall.
AppWizard
August 22, 2024
Google is winding down the Google Play Security Reward Program (GPSRP), its bug bounty program for Play Store apps, citing a decline in reported vulnerabilities that it attributes to improvements in Android security. Launched in 2017, the program rewarded the discovery of vulnerabilities in apps on the Google Play Store, which saw more than 113 billion downloads in 2023. The GPSRP officially concludes on August 31; reports submitted before that date will be evaluated by September 15 and final reward decisions communicated by September 30. Some security researchers are concerned that closing the program will leave ongoing security risks in third-party apps unaddressed, while others suggest that companies publishing on Google Play could run their own bounty programs.