proactive security measures

Winsage
April 17, 2025
Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.
Winsage
March 12, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has identified a vulnerability in the Microsoft Windows Win32 kernel subsystem, designated as CVE-2025-24983. This use-after-free vulnerability in the Win32k component could allow an authorized attacker to elevate privileges locally. It is categorized under Common Weakness Enumeration (CWE) 416. CISA recommends users apply Microsoft’s mitigation instructions, follow Binding Operational Directive (BOD) 22-01 for cloud services, and discontinue use of affected products if necessary. The deadline for addressing this vulnerability is April 1, 2025.
AppWizard
December 13, 2024
A recent examination by the Norwegian cybersecurity firm Promon found that 144 out of the top 150 Android applications are vulnerable to manipulation using the Frida dynamic instrumentation toolkit. Only three of the tested apps could detect Frida and limit their functionality. This indicates that approximately 97% of popular Android applications are susceptible to exploitation. The analysis highlights a significant security gap, prompting calls for enhanced detection mechanisms in apps handling sensitive data. The specific apps tested have over 550 million daily users and an average of 206 million monthly users as of November 2024. Users are advised to keep their devices updated, install reputable antivirus applications, and consider using Google Play Protect for additional security.
AppWizard
November 7, 2024
Twelve malicious Android applications have been identified that can take control of devices to record audio and perform other harmful activities. These apps include:
1. Rafaqat
2. Privee Talk
3. MeetMe
4. Let’s Chat
5. Quick Chat
6. Chit Chat
7. YohooTalk
8. TikTalk
9. Hello Cha
10. Nidus
11. GlowChat
12. Wave Chat
The first six were available on the Google Play Store and were downloaded over 1,400 times before removal. Users are advised to uninstall these apps immediately and remain cautious about downloading unfamiliar applications or clicking on suspicious links.
Winsage
September 18, 2024
Cybercriminals, specifically the group Void Banshee, are exploiting vulnerabilities in remnants of Internet Explorer 11, which was retired over two years ago. They are using the vulnerabilities CVE-2024-43461 and CVE-2024-38112 to infiltrate systems in Europe, North America, and Southeast Asia, targeting sensitive information like cookies and passwords. The attacks involve specially crafted .url files that can reactivate Internet Explorer, which still exists within Windows. Additionally, attackers are disguising .hta files as PDFs to bypass security warnings, leading to the installation of the Atlantida InfoStealer, a tool for harvesting sensitive data. Security solutions from companies like Symantec can help protect against these threats.
AppWizard
July 1, 2024
- Malware known as Rafel RAT is posing a significant threat to Android users
- The malware can disguise itself as legitimate apps and compromise user data and phone functionality
- Most affected users have older model Samsung phones
- Users running unsupported Android versions are more vulnerable to malware attacks
- Experts recommend continuous vigilance and proactive security measures to protect against malicious exploitation
Winsage
June 24, 2024
- The adware AdsDeception targets users interacting with the fraudulent Meta Quest app
- Users can protect themselves by being vigilant and taking proactive security measures
- Ongoing investigations are being conducted into the operators behind AdsDeception and their motives
- The ever-evolving tactics of adware creators pose challenges for cybersecurity professionals
- Increased awareness among users can help defend against deceptive schemes
- AdsDeception's advanced capabilities in concealing actions present a significant disadvantage for users