domains Archives

Winsage

May 23, 2025

Unpatched Windows Server vulnerability allows full domain compromise

A newly discovered privilege escalation vulnerability in Windows Server 2025, known as the “BadSuccessor” attack, allows attackers to compromise any user within Active Directory (AD), including those with Domain Admin privileges. This vulnerability stems from the delegated Managed Service Account (dMSA) feature, which can be exploited by creating a new dMSA linked to any user or computer account without requiring direct access to the original account. Researchers found that 91% of examined environments had users outside the Domain Admin group with the necessary permissions to execute this attack. Microsoft has been notified and is working on a patch, while organizations are advised to restrict dMSA creation to trusted administrators and enhance their security measures.

Tech Optimizer

May 23, 2025

Cloudflare, Microsoft & police disrupt global malware service

Cloudflare, in collaboration with Microsoft and international law enforcement, has dismantled the infrastructure of LummaC2, an information-stealing malware service. This initiative led to the seizure and blocking of malicious domains and disrupted digital marketplaces used by criminals. Lumma Stealer operates as a subscription service providing threat actors access to a central panel for customized malware builds and stolen data retrieval. The stolen information includes credentials, cryptocurrency wallets, and sensitive data, posing risks of identity theft and financial fraud. Lumma Stealer was first identified on Russian-language crime forums in early 2023 and has since migrated to Telegram for distribution. Its proliferation is facilitated by social engineering campaigns, including deceptive pop-ups and bundled malware in cracked software. Cloudflare implemented measures to block access to Lumma's command and control servers and collaborated with various authorities to prevent the criminals from regaining control. Mitigation strategies for users include restricting unknown scripts, limiting password storage in browsers, and using reputable endpoint protection tools. The operation has significantly hindered Lumma's operations and aims to undermine the infostealer-as-a-service model contributing to cybercrime.

Winsage

May 22, 2025

Microsoft says Lumma password stealer malware found on 394,000 Windows PCs

Microsoft, in collaboration with law enforcement, has taken legal action against the Lumma malware operation, which has affected over 394,000 Windows PCs globally, particularly in Brazil, Europe, and the United States. A federal court authorized the seizure of 2,300 domains used as command and control servers for Lumma, and the Justice Department confiscated five additional domains related to its infrastructure. Lumma is primarily spread through questionable games or cracked applications and extracts sensitive information such as logins, passwords, credit card details, and cryptocurrency wallets, which is then sold to other cybercriminals. Lumma also facilitates the deployment of additional malware, including ransomware, and has been linked to significant cyberattacks on major tech companies like PowerSchool and Snowflake, resulting in substantial data theft.

Winsage

May 22, 2025

Microsoft says 394,000 Windows computers infected by Lumma malware

Microsoft announced the dismantling of the Lumma Stealer malware project in collaboration with global law enforcement. Over 394,000 Windows computers were identified as infected by Lumma between March 16 and May 16. The malware is known for stealing sensitive information such as passwords and credit card details. Microsoft, with a court order, dismantled the web domains supporting Lumma's infrastructure, while the U.S. Department of Justice took control of its central command structure. More than 1,300 domains were seized or transferred to Microsoft, with 300 acted upon by law enforcement and Europol. Other tech firms like Cloudflare and Lumen assisted in this effort. Since 2022, hackers have been acquiring Lumma through underground forums, and it has been used in phishing campaigns and attacks on various sectors, including gaming, education, and critical infrastructure.

Winsage

May 22, 2025

US and Europe crack down on hacking tool used by cybercriminals worldwide

US and European authorities have seized computer systems used by hackers to access a sophisticated hacking tool called Lumma, which has been involved in high-profile cybercrimes, including ransomware attacks and bank thefts. Microsoft took offline approximately 2,300 web domains linked to this activity. Around 394,000 computers worldwide running Windows software were found to be infected by Lumma, targeting various institutions, including airlines, universities, banks, and hospitals, resulting in credit card losses of .5 million in 2023. The primary developer of Lumma is based in Russia, where he markets the tool on platforms like Telegram, charging between [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: US and European authorities have taken significant steps to dismantle a sophisticated hacking tool that has been instrumental in a series of high-profile cybercrimes, including ransomware attacks and bank thefts. On Wednesday, the US Justice Department announced the seizure of the computer systems utilized by hackers to access the tool, known as Lumma. Concurrently, Microsoft executed a court order to take offline approximately 2,300 web domains associated with this cybercriminal activity. Impact on Cybercrime This coordinated effort represents a substantial setback for a global hacking enterprise that has proliferated over the past two months. Microsoft reported discovering around 394,000 computers worldwide running Windows software infected by Lumma. The tool has been leveraged to target a range of institutions, from airlines and universities to banks and hospitals, with several Fortune 500 companies also falling victim. Brett Leatherman, the FBI’s deputy assistant director for cyber operations, revealed that Lumma-related attacks resulted in credit card losses totaling .5 million in 2023 alone. However, the crackdown faces challenges, particularly due to the involvement of Russian sovereignty. Analysts from Microsoft have identified the primary developer of Lumma as being based in Russia, where he markets various access levels to the tool on platforms like Telegram and other Russian-language forums, charging between 0 and ,000. The US has previously charged numerous Russian hackers with serious cyber offenses against American entities, yet only a fraction of these individuals have been brought to trial in the US. Russian diplomats have consistently opposed the extradition of accused cybercriminals, complicating efforts to hold them accountable. When asked whether the FBI believes Lumma’s lead developer is currently in Russia, Leatherman refrained from providing specific details, stating, “Regardless of where these individuals sit, even if we can’t charge them with criminal conduct, our victim-centric approach is really focused on targeting that underlying ecosystem … because it brings relief to victims.” The law enforcement operation was a collaborative effort involving Europol, several American and European tech firms, and a Japanese organization. This strategy underscores a growing trend in combating cybercrime, leveraging the extensive reach of software companies within the global economy. Leatherman emphasized the broader implications of this investigation, stating, “This is part of a greater law enforcement investigation into the group [behind Lumma], and we hope that this will also fracture trust within the ecosystem itself.”" max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and ,000. The law enforcement operation involved Europol and several tech firms and aims to disrupt the ecosystem supporting cybercrime.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

AppWizard

May 20, 2025

Best Android Security Apps for Enterprise and Personal Use

Android holds a 71.65% market share as the leading mobile operating system. In 2025, users face sophisticated cyber threats such as ransomware and phishing scams. Android Enterprise provides a multi-layered defense system validated by the U.S. Department of Defense, featuring AI-driven threat detection that blocks 99.8% of malware through 100,000 daily app scans. It supports three device management models: Fully Managed Devices (COBO), Work Profiles (BYOD), and Dedicated Kiosk Mode. Recent enhancements include automated security patch deployment and hardware-backed key attestation. Leading Mobile Device Management (MDM) solutions include TinyMDM, which offers real-time location tracking and remote device wiping, and integrates with Microsoft Intune for conditional access. Harmony Mobile combines app reputation scanning with network-level phishing prevention. Emerging trends in enterprise security include AI-powered anomaly detection, with 42% of enterprises adopting Zero Trust principles, and rugged device management optimized for industrial environments. For personal protection, Bitdefender Mobile Security leads AV-Test rankings, Kaspersky Premium blocks 5.6 million malware attacks monthly, and Norton 360 Deluxe includes biometric app locking. Privacy tools like ExpressVPN and DuckDuckGo Privacy Browser enhance user security. Google's Project Zero reports a 35% decline in critical Android vulnerabilities, attributed to improved patch adoption. The convergence of enterprise and personal security solutions is emphasized, with a focus on AI/ML integration for enterprises and comprehensive protection suites for individuals.

Winsage

May 14, 2025

WSL is the best feature added to Windows in the last decade

Microsoft introduced the Windows Subsystem for Linux (WSL) in the Windows 10 Anniversary Update in August 2016, initially as a tool for developers. WSL debuted as a beta version with a native-kernel translation layer, allowing Windows to run unmodified Linux ELF binaries. Its early performance was limited, leading users to prefer Linux virtual machines for full compatibility. The launch of WSL2 in May 2020 replaced the translation layer with a lightweight, real Linux kernel running in a Hyper-V utility VM, providing near-native performance and comprehensive syscall coverage. WSL2 has since seen continuous improvements, including GPU-compute and CUDA support in 2021, full GUI support for X11 and Wayland applications in 2022, and systemd support in September 2022. WSL2 approaches the performance of bare-metal Linux while integrating seamlessly with Windows, allowing users to launch a Linux shell easily. It enables developers to access the C drive and interact between Windows and Linux environments without dual-booting. WSL2 enhances productivity for data science workflows, allowing the use of tools like PyTorch with CUDA. It also offers features for non-developers, such as creating aliases for launching Windows applications and running Linux GUI applications. WSL's integration into Windows represents a significant shift, providing opportunities for users across various domains to explore Linux functionalities.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

AppWizard

May 13, 2025

Turkish spies caught exploiting zero-day for over a year

Microsoft reported that Turkish espionage operatives have been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger app to gather intelligence on the Kurdish military in Iraq. This operation, attributed to the group Marbled Dust, began in April 2024. The vulnerability is a directory traversal flaw in version 2.0.62 of the app, and many users have not yet updated to the patched version released in December. Marbled Dust has used this flaw to access sensitive user data and deploy malicious files within the Output Messenger server. The group has a history of targeting entities opposing Turkish interests and has evolved its tactics by leveraging this vulnerability for unauthorized access. Srimax and Microsoft are advising users to upgrade to version V2.0.63 to mitigate the risks associated with the exploit.