mitigation Archives

Winsage

June 17, 2025

Microsoft fixes Surface Hub boot issues with emergency update

Microsoft released an emergency update (KB5063159) to address startup failures in certain Surface Hub v1 devices running Windows 10, specifically those encountering Secure Boot Violation errors after installing the June 2025 Windows security update (KB5060533). The issue was limited to Surface Hub v1 systems on Windows 10, version 22H2, and did not affect Surface Hub 2S and 3 devices. Microsoft paused the rollout of the KB5060533 update on June 11, 2025, to prevent further complications. Additionally, the June 2025 Patch Tuesday updates included security patches for 66 vulnerabilities, including critical ones that allowed remote code execution and privilege escalation.

Winsage

June 13, 2025

Microsoft: KB5060533 update triggers boot errors on Surface Hub v1 devices

Microsoft is addressing an issue with Surface Hub v1 devices running Windows 10, version 22H2, where users encounter Secure Boot errors after installing the KB5060533 security update released in June 2025. The error message states: 'Secure Boot Violation. Invalid signature detected. Check Secure Boot Policy in Setup.' This issue is specific to Surface Hub v1 and does not affect Surface Hub 2S and Surface Hub 3 models. Microsoft implemented a mitigation strategy on July 11, 2025, to prevent further startup failures on additional Surface Hub v1 devices. The KB5060533 update aimed to fix issues with Hyper-V virtual machines and was part of a larger rollout addressing 66 vulnerabilities, including critical ones related to WebDAV and Windows SMB. Additionally, an emergency update for Windows 11 (KB5063060) was released to fix an incompatibility with Easy Anti-Cheat causing BSOD errors.

Tech Optimizer

June 5, 2025

CISA releases TTPs & IoCs for Play Ransomware That Hacked 900+ Orgs

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the Australian Cyber Security Centre, released an advisory on the Play ransomware group, which has targeted around 900 entities since its inception in June 2022. The group employs a double extortion model, exploiting vulnerabilities in public-facing applications and using tools for lateral movement and credential dumping. Their operations involve recompiling ransomware binaries for each attack to evade detection. The advisory highlights mitigation measures such as multifactor authentication and regular software patching. The Play ransomware specifically targets virtual environments and encrypts files using AES-256 encryption. Indicators of Compromise (IoCs) include: - SVCHost.dll (Backdoor) - SHA-256: 47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E - Backdoor - SHA-256: 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A - PSexesvc.exe (Custom Play “psexesvc”) - SHA-256: 1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7 - HRsword.exe (Disables endpoint protection) - SHA-256: 0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549 - Hi.exe (Associated with ransomware) - SHA-256: 6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6

AppWizard

June 3, 2025

Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

Recent developments in browser technology have raised concerns about user privacy and data tracking by companies like Meta and Yandex. In response, several Android browsers are enhancing user privacy by blocking abusive JavaScript linked to web trackers. DuckDuckGo has implemented measures to block domains and IP addresses associated with trackers, preventing the transmission of identifiers to Meta and restricting access to Yandex Metrica. Following feedback, DuckDuckGo's developers updated their blacklist to include missing addresses. The Brave browser uses extensive blocklists to prevent identifier sharing and blocks requests to localhost without user consent. Vivaldi forwards identifiers to local Android ports by default but allows users to adjust settings to block trackers. Researchers warn that these solutions may not be foolproof and emphasize the ongoing challenge of maintaining effective blocklists. Chrome and most other Chromium-based browsers execute JavaScript as intended by Meta and Yandex, while Firefox has faced challenges with SDP munging and has not yet announced plans to address this behavior.

Tech Optimizer

May 23, 2025

Cloudflare, Microsoft & police disrupt global malware service

Cloudflare, in collaboration with Microsoft and international law enforcement, has dismantled the infrastructure of LummaC2, an information-stealing malware service. This initiative led to the seizure and blocking of malicious domains and disrupted digital marketplaces used by criminals. Lumma Stealer operates as a subscription service providing threat actors access to a central panel for customized malware builds and stolen data retrieval. The stolen information includes credentials, cryptocurrency wallets, and sensitive data, posing risks of identity theft and financial fraud. Lumma Stealer was first identified on Russian-language crime forums in early 2023 and has since migrated to Telegram for distribution. Its proliferation is facilitated by social engineering campaigns, including deceptive pop-ups and bundled malware in cracked software. Cloudflare implemented measures to block access to Lumma's command and control servers and collaborated with various authorities to prevent the criminals from regaining control. Mitigation strategies for users include restricting unknown scripts, limiting password storage in browsers, and using reputable endpoint protection tools. The operation has significantly hindered Lumma's operations and aims to undermine the infostealer-as-a-service model contributing to cybercrime.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

Winsage

May 10, 2025

Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network

Threat actors are exploiting Windows Remote Management (WinRM) to navigate through Active Directory environments stealthily, allowing them to bypass detection systems, escalate privileges, and deploy malicious payloads. WinRM operates on HTTP port 5985 and HTTPS port 5986, enabling remote command execution and management tasks. Attackers can gain access through compromised credentials and use WinRM-enabled PowerShell commands for reconnaissance, deploying payloads while evading detection. The attack chain includes initial access, reconnaissance, payload deployment, persistence, and lateral movement, often utilizing techniques that obfuscate malicious activities. Detecting such attacks is challenging due to the use of built-in Windows functionalities and encrypted channels. Recommended mitigation strategies include monitoring for unusual activity, restricting WinRM access, enforcing credential hygiene, and implementing advanced monitoring solutions.

Tech Optimizer

April 30, 2025

5 Free Antivirus Programs To Eliminate Malware and Viruses (2025)

Users are increasingly seeking effective malware protection without the cost of premium software, leading to the emergence of free antivirus programs that offer robust security features. This trend is particularly beneficial for Windows 11 users who want real-time protection while staying within budget. Several leading cybersecurity firms provide free antivirus solutions equipped with advanced features such as real-time scanning, phishing defenses, cloud-based malware detection, and system optimization tools. These free programs can adequately protect a diverse audience, including gamers, remote workers, students, and casual users. Top free antivirus programs for Windows 11 in 2025 include: 1. Bitdefender Antivirus Free: Utilizes the same malware engine as its paid version, offers real-time detection, anti-phishing protection, and is ultra-light on system resources. 2. Microsoft Defender Antivirus: Integrated into Windows 11, provides cloud-delivered protection and built-in ransomware mitigation without ads. 3. Avast Free Antivirus: Offers additional tools like network scanning and a Do Not Disturb mode for gaming. 4. AVG AntiVirus Free: Features a simpler interface, link and attachment protection, and fewer pop-ups. 5. TotalAV Free Antivirus: A newer option with a clean interface, real-time protection, and a junk file cleaner. Key factors to consider when selecting free antivirus software include real-time protection, low resource usage, minimal intrusion, and extra security tools. While free solutions are suitable for most users, premium protection may be necessary for small businesses or those handling sensitive data. For gamers, Bitdefender and Avast are recommended for their low system impact and gaming modes. For remote workers, Microsoft Defender and TotalAV are highlighted for their ease of use and integrated protections. Essential features of effective antivirus programs include robust virus protection, real-time scanning, and a behavior shield to detect new threats. Performance should not significantly slow down the system, and the interface should be user-friendly. Experts recommend Windows Defender for basic protection, with AVG and Avast receiving endorsements for their feature balance, while Bitdefender Free is noted for its detection rates and minimal system impact. Free antivirus programs may lack advanced features and technical support compared to paid versions.

Winsage

April 25, 2025

Microsoft’s Patch for Symlink Vulnerability Introduces New Windows Denial-of-Service Flaw

In early April 2025, Microsoft addressed a security vulnerability (CVE-2025-21204) related to symbolic links in the Windows servicing stack, specifically affecting the c:inetpub directory used by Internet Information Services (IIS). The updates created the c:inetpub folder with appropriate permissions to mitigate risks. However, this fix introduced a new denial-of-service (DoS) vulnerability, allowing non-administrative users to create junction points on the c: drive, disrupting the Windows Update mechanism. A command such as "mklink /j c:inetpub c:windowssystem32notepad.exe" could be used to exploit this flaw, preventing systems from receiving future security patches. As of April 25, Microsoft had not released a patch or acknowledged the issue, leaving systems vulnerable and emphasizing the need for monitoring user permissions and manually removing suspicious symlinks.

Winsage

April 24, 2025

Microsoft mystery folder fix might need a fix of its own

Microsoft's recent patch for CVE-2025-21204 inadvertently reintroduced the inetpub folder at c:inetpub as part of its mitigation strategy, raising concerns among system administrators. Security researcher Kevin Beaumont discovered that this folder created a new vulnerability when he used the mklink command with the /j parameter to redirect the folder to a system executable (notepad.exe). This allowed standard users to prevent Windows updates without administrative rights, as the command could be executed on default-configured systems. Beaumont has notified Microsoft of this vulnerability, but the company has not yet responded.