exploits

Winsage
November 8, 2024
Researchers have identified a new threat campaign called SteelFox, which uses counterfeit software activators and cracks to infiltrate Windows systems. The campaign deploys a vulnerable driver, information-stealing malware, and a cryptocurrency miner, compromising sensitive data and exploiting system resources for illicit mining. Victims are reported globally, including regions from Brazil to China, affecting users of commercial software like Foxit PDF Editor, JetBrains, and AutoCAD. Cybercriminals continue to advertise these fake software solutions, increasing the potential for further infections.
AppWizard
November 6, 2024
A new Android malware named "ToxicPanda" was first identified in late October 2024 and has been reclassified as a distinct family after initially being classified under the TgToxic family. It poses a risk of account takeover via on-device fraud and primarily targets retail banking applications on Android devices. The malware has spread significantly in Italy, Portugal, Spain, and various Latin American regions, with over 1,500 devices reported as victims. ToxicPanda allows cybercriminals to gain remote access to infected devices, intercept one-time passwords, and bypass two-factor authentication. The threat actors are likely Chinese speakers, which is unusual for a campaign targeting European banking. The malware spreads through social engineering tactics that encourage users to side-load the malicious app, and it exploits Android’s accessibility services to obtain elevated permissions. Cleafy’s analysis indicates that ToxicPanda's command-and-control infrastructure shows evolving operational strategies, and the malware may undergo further modifications. The challenges for security professionals are increasing as malware operators refine their tactics and expand their targets. Cleafy noted that contemporary antivirus solutions have struggled to detect ToxicPanda due to a lack of proactive, real-time detection systems.
Winsage
November 3, 2024
Windows 10 will reach its end-of-support date on October 14, 2025, after which it will no longer receive updates, including security patches. Users can choose to continue using Windows 10, buy new hardware, switch to a Linux distribution or ChromeOS Flex, pay for Extended Security Updates (ESUs) from Microsoft, or attempt to upgrade incompatible hardware to Windows 11 despite potential risks. The final version of Windows 10, 22H2, will receive monthly security updates until the end-of-support date.
Winsage
October 31, 2024
Microsoft has announced that Windows 10 users can purchase Extended Security Updates (ESU) for an additional year of coverage beyond the end-of-support date of October 14, 2025. This is the first time Microsoft is offering this option to consumers. Users unable to transition to Windows 11 can receive monthly security patches for an extra 12 months through the ESU program, but it is available for only one year. After the end of support, Microsoft will stop providing free monthly security updates and bug fixes for Windows 10, which may lead to compatibility issues over time as support from app developers and hardware manufacturers diminishes. Approximately 60% of Windows users are still on Windows 10, equating to around 900 million active devices, while Windows 11 accounts for about 30%, or roughly 500 million devices.
Winsage
October 30, 2024
A newly identified zero-day vulnerability in Windows Themes files allows attackers to exploit NTLM credential leaks by simply having a malicious theme file viewed in Windows Explorer. This vulnerability, reported by ACROS Security, affects fully updated Windows systems, including Windows 11 24H2, and enables remote credential theft without user interaction. Microsoft previously addressed a related issue with a patch for CVE-2024-21320, but researchers discovered that attackers could bypass this fix, leading to the emergence of CVE-2024-38030. ACROS Security has released a temporary micropatch via their 0patch service to prevent NTLM leaks by accurately detecting network paths within theme files. The vulnerability allows attackers to execute NTLM relay and pass-the-hash attacks across multiple Windows versions, from Windows 7 to Windows 11 24H2. A demonstration showed that transferring a malicious theme file to an unpatched PC triggers a network connection that sends NTLM credentials to the attacker, while the micropatch blocks this connection.
Winsage
October 28, 2024
Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.
Winsage
October 26, 2024
SafeBreach security researcher Alon Leviev has identified a vulnerability in the Windows operating system that allows attackers to downgrade kernel components, bypassing security measures like Driver Signature Enforcement (DSE). This vulnerability enables the installation of rootkits on fully patched systems. Leviev demonstrated that attackers can manipulate the Windows Update process to introduce outdated components without altering the system's patched status. He introduced a tool called Windows Downdate, which allows the creation of custom downgrades, exposing updated systems to previously patched vulnerabilities. Leviev's method, named "ItsNotASecurityBoundary," exploits a flaw in the DSE, allowing unsigned kernel drivers to be loaded and facilitating the deployment of rootkit malware. Despite Microsoft addressing the privilege escalation aspect of this vulnerability, it does not protect against downgrade attacks. Leviev's research shows that attackers can replace the 'ci.dll' file responsible for enforcing DSE with an unpatched version during the Windows Update process, thereby circumventing protections. He also discussed methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical resources, by modifying registry keys. Leviev emphasizes the need for endpoint security tools to monitor downgrade procedures to mitigate these risks.
Winsage
October 24, 2024
Windows administrators are adapting to changes in security practices due to the rise of sophisticated cyber threats, increased remote work, cloud adoption, regulatory compliance, and supply chain attacks. Key strategies discussed include the integration of advanced threat protection tools, prioritizing endpoint security and zero-trust principles, extending security strategies to cloud environments, implementing strong data protection measures, and enhancing third-party security. The CrowdStrike incident highlighted the importance of change management, continuous monitoring, a layered security approach, proactive communication, disaster recovery planning, vendor accountability, regular security audits, and incident response readiness. AI's role in Windows security is evolving, with potential benefits in threat detection and response, but it also introduces new vulnerabilities and requires adherence to data privacy standards. Organizations must implement governance practices to mitigate risks associated with AI manipulation, ensure human oversight, navigate regulatory considerations, and build user trust for successful adoption.
Tech Optimizer
October 23, 2024
Avast One is an antivirus software package designed for macOS users, offering features such as antivirus protection, ransomware safeguards, and malware blocking. It is available in both free and paid subscription plans. The free version, Avast One Essential, includes a malware scanner, browser protection, and a VPN with a 5GB monthly data limit. Paid tiers include Avast One Silver, Gold, and Platinum, with prices increasing significantly upon renewal. Avast One has shown strong performance in malware protection evaluations by AV-Test, maintaining a near-perfect rating over the past five years. The software includes a user-friendly interface and offers support via chat and email. While the free version may display targeted ads, the paid plans reduce such concerns. Overall, Avast One Essential provides robust protection, making it a notable option for users seeking antivirus solutions for Apple devices.