mitigation strategies

Winsage
March 3, 2025
Threat actors are exploiting CVE-2025-21333, a critical heap-based buffer overflow vulnerability in Microsoft’s Windows Hyper-V NT Kernel Integration Virtual Service Provider (VSP), which allows local attackers to escalate privileges to the SYSTEM level. The vulnerability has a CVSS score of 7.8 and is actively exploited. It resides in the vkrnlintvsp.sys driver, which facilitates communication between the host OS and container-like virtual machines. A Proof of Concept (PoC) demonstrates exploitation through I/O ring buffer manipulation, allowing arbitrary read/write in kernel memory and SYSTEM-level privilege escalation. The PoC was developed by a group of researchers including @yarden_shafir and others. Affected systems include Windows 11 Version 23H2 and potentially Version 24H2, with specific binary hashes provided. Limitations of the PoC include the need for Windows Sandbox and potential system crashes due to overflow. Mitigation strategies involve updating systems, enabling protections like Hyper-V isolation, and monitoring for exploitation signs. Microsoft addressed this vulnerability in January 2025 Patch Tuesday updates, urging users to apply patches promptly.
Winsage
December 26, 2024
A new attack technique exploits Windows Defender Application Control (WDAC) to disable Endpoint Detection and Response (EDR) sensors on Windows systems. Attackers with administrative privileges can create and deploy custom WDAC policies that prevent EDR sensors from loading during system boot, leaving networks vulnerable. The attack involves three phases: crafting a malicious WDAC policy, rebooting the machine to enforce the policy, and disabling the EDR upon reboot. A proof-of-concept tool called "Krueger" has been developed for this purpose. Mitigation strategies include enforcing WDAC policies via Group Policy Objects (GPOs), applying the principle of least privilege, and implementing secure administrative practices.
Winsage
December 9, 2024
In June 2023, Microsoft announced the deprecation of the NTLM authentication protocol and recommended transitioning to the Windows Negotiate protocol. Security firm 0Patch discovered a new vulnerability in NTLM that allows credential hijacking by merely viewing an infected folder. Patches for Windows 11 are expected soon, but older systems like Windows 7 remain vulnerable. Windows 10 is nearing its end-of-life phase in October 2024, and users may need a paid support plan for continued coverage. 0Patch has not reported any attacks exploiting this NTLM issue in the wild, and their micropatch addresses a specific vulnerable NTLM instruction. However, this patch is unofficial, and users should consider their risk tolerance before installation.
Winsage
November 1, 2024
Users of Windows 11 version 24H2 and Windows 10 version 22H2 are experiencing issues with the Task Manager displaying incorrect numbers of running applications and processes. A newly identified bug affecting Windows 10 users has arisen after installing the September 2024 preview update (KB5043131), which prevents non-admin users from launching certain applications, including Quick Assist, Microsoft Teams, and Windows Narrator. The issue is linked to the UIAccess attribute in the manifest file of these applications, which is set to "true" to grant higher privileges for launching from secure paths. Microsoft has introduced the Known Issue Rollback feature to retract problematic updates, though it may take up to 24 hours to take effect. A temporary solution may be found through a system restart, and IT administrators can apply a specialized policy to reverse the changes causing application failures. A permanent resolution is expected in a future update.
Winsage
October 29, 2024
Free unofficial patches have been released to address a zero-day vulnerability in Windows Themes that allows attackers to remotely steal NTLM credentials. This vulnerability affects all fully updated Windows versions, from Windows 7 to Windows 11 24H2. ACROS Security identified the issue while developing a micropatch for another vulnerability (CVE-2024-38030) and created a comprehensive patch that covers all execution paths leading to unauthorized network requests from theme files. They are offering these micropatches for free through their 0patch service until Microsoft provides an official fix. Users need to create a 0patch account and install the 0patch agent to apply the micropatch. Microsoft has acknowledged the issue and intends to release a patch, but the timeline is uncertain.
Winsage
October 28, 2024
Microsoft's approach to security vulnerabilities has been criticized for not classifying scenarios where an attacker with administrative privileges can execute kernel-level code as critical vulnerabilities. SafeBreach researchers highlighted that this narrow definition leaves systems vulnerable to custom rootkits that can bypass essential security controls. They identified CVE-2024-21302, a privilege escalation vulnerability affecting the Windows virtualization stack, and CVE-2024-38202, which allows attackers to exploit the Windows Update process to disable security features like Driver Signature Enforcement and virtualization-based security. Microsoft is actively developing mitigations for these vulnerabilities and has released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.
Winsage
October 9, 2024
Microsoft released a patch for CVE-2024-43572, a vulnerability in the Microsoft Management Console, rated Important with a CVSS score of 7.8, allowing remote code execution through malicious MSC files. Another patch was issued for CVE-2024-43573, a Moderate spoofing vulnerability in the Windows MSHTML Platform with a CVSS score of 6.5, affecting multiple Microsoft products. Additionally, three critical vulnerabilities were identified: CVE-2024-43468 in Microsoft Configuration Manager (CVSS score 9.8), CVE-2024-43488 in the Arduino extension for Visual Studio Code (CVSS score 8.8), and CVE-2024-43582 in the Remote Desktop Protocol Server (CVSS score 8.1). The CrowdStrike Falcon® platform introduced a Patch Tuesday dashboard for tracking vulnerabilities, and organizations are encouraged to adopt comprehensive cybersecurity strategies beyond just patching.
Winsage
September 28, 2024
Microsoft's Recall feature, designed for Copilot+ PCs running Windows 11, aims to provide an AI-driven "photographic memory" to help users manage information overload. Due to privacy and security concerns, Microsoft halted the initial preview and redesigned the feature, which will now only activate if the system drive is encrypted and a Trusted Platform Module (TPM version 2.0) is enabled. Recall will be opt-in, allowing users to choose whether to enable or disable snapshot saving during setup. Users can also remove Recall from OEM and retail versions of Windows 11, while Enterprise users will need to deploy it separately. New privacy settings will notify users when snapshots are saved and allow them to pause the feature or exclude certain content. Recall is designed to filter out sensitive information and requires biometric authentication for access. Microsoft has conducted multiple security reviews and testing to ensure the feature's safety and has committed to bug bounties for serious security issues.