Dropbox

Winsage
April 19, 2025
A vulnerability in Windows, identified as CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk, it was addressed in Microsoft's March 2025 Patch Tuesday updates. Following the release of these patches, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links containing .library-ms files, which, when accessed, connected to an external SMB server controlled by the attackers, allowing interception of NTLM hashes. A subsequent wave of attacks involved .library-ms files sent as direct attachments, requiring minimal user interaction to exploit the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the attackers' SMB servers with specific IP addresses. Although the vulnerability is classified as medium-severity, its potential impact is significant, prompting organizations to apply the March 2025 updates and consider disabling NTLM authentication if it is not essential.
Winsage
April 17, 2025
A vulnerability in Windows, identified as CVE-2025-24054, is being actively exploited in phishing campaigns targeting government and private sectors. Initially addressed in Microsoft's March 2025 Patch Tuesday, it was not considered actively exploited at that time. Researchers from Check Point reported increased exploitation activities shortly after the patches were released, particularly between March 20 and 25, 2025. Some attacks were linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability allows attackers to capture NTLM hashes through phishing emails containing manipulated .library-ms files that trigger the flaw when interacted with. Check Point noted that subsequent attacks involved .library-ms files sent directly, requiring minimal user interaction to exploit. The malicious files also included additional components that exploit older vulnerabilities related to NTLM hash leaks. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated as medium severity, the potential for authentication bypass and privilege escalation makes it a significant concern, prompting recommendations for organizations to install updates and disable NTLM authentication if not necessary.
Winsage
April 17, 2025
Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.
Winsage
April 17, 2025
CVE-2025-24054 is a vulnerability that allows attackers to capture NTLMv2-SSP hashes from a victim's machine during authentication requests to an attacker-controlled SMB server. Active exploitation of this vulnerability has been observed since March 19, 2025, targeting government and private sectors in Poland and Romania. The attacks involve phishing emails that lead victims to download an archive file containing exploits designed to leak NTLMv2-SSP hashes. Microsoft has released patches for this vulnerability, but users on older, unsupported versions may need to consider micropatching.
AppWizard
March 17, 2025
Players of Rise of the Ronin have reported lost save data following its release on Steam, compounding existing performance issues. Koei Tecmo acknowledged the problem and is investigating the save data issues, suggesting potential remedies such as resolving conflicts with third-party file sharing services, restoring from backup save data, and ensuring Steam Cloud is activated. Players have experienced significant losses of progress due to an error code that appears when closing the game, affecting both local and cloud saves. Koei Tecmo plans to release a patch to improve PC performance and recommends capping the frame rate at 60 FPS, which has disappointed some players expecting higher performance. Players are advised to save frequently and check their Steam Cloud backups to avoid losing progress.
Winsage
November 17, 2024
The Downloads folder can become cluttered over time, but users can utilize a secondary sorting feature in the Details view of their folders to organize files more efficiently. To use this feature, open the desired folder, click on a column heading for a primary sort (e.g., by file type), and then Shift-click on a second column (e.g., Date modified) to refine the sort. This allows for dual sorting, organizing files by type and further arranging them based on the secondary criterion.
AppWizard
October 16, 2024
Smartphones have made mobile printing a necessity, with various built-in features and compatible apps available for Android devices. To print from an Android phone, users need a compatible home printer (Wi-Fi enabled, Bluetooth, or USB), the content to print, and an internet connection for cloud printing. Google Cloud Print was discontinued in December 2020, but some users may still access it. For built-in Android printing, users can navigate to the content, tap the three-dot menu, select "Print," choose the printer, adjust settings, and tap the print icon. If the printer is not visible, a specific print service plugin may need to be installed. Popular apps like Gmail and Google Docs have native print options. Users can print from Gmail by accessing the email, tapping the three-dot menu, selecting "Print," choosing the printer, adjusting settings, and tapping "Print." The same steps apply to Google Docs and other Google apps. Users can also print images or PDFs directly from their phone's storage by opening the file, tapping the menu or share icon, selecting "Print," choosing the printer, adjusting settings, and tapping "Print." For printers that do not support Android printing natively, third-party apps like PrinterShare and Mopria Print Service can be used. Users can download these apps, connect their printer, choose a file, adjust settings, and print. Tips for printing from WhatsApp include ensuring printer compatibility, using Wi-Fi for faster printing, keeping the Android OS and apps updated, checking printer settings, utilizing cloud storage for easier access, and saving documents as PDFs to preserve formatting.
Winsage
October 16, 2024
ScarCruft, a North Korean cyber group, exploited a zero-day vulnerability in Windows, identified as CVE-2024-38178, which has a CVSS score of 7.5 and is a memory corruption issue in the Scripting Engine. This vulnerability allows for remote code execution when users interact with the Edge browser in Internet Explorer Mode. Attackers entice users to click on a malicious URL to execute code. Microsoft patched this flaw in August 2024. The attack, dubbed "Operation Code on Toast," involved compromising a domestic advertising agency's server to inject exploit code into toast advertisement programs, which are pop-up notifications in South Korea. The exploitation led to a type confusion error in the JavaScript Engine of Internet Explorer, allowing the attackers to infect PCs with the vulnerable toast program. The malware associated with this attack, RokRAT, has advanced capabilities and uses legitimate cloud services for command-and-control operations. ScarCruft has a history of exploiting vulnerabilities in legacy browsers and has previously targeted other vulnerabilities in the Scripting Engine. Users are advised to keep their systems updated to mitigate risks.