service providers

Winsage
May 21, 2026
In April 2026, two zero-day vulnerabilities, RedSun and UnDefend, were discovered in Microsoft Defender, affecting Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities allow attackers to escalate privileges to SYSTEM and bypass Defender’s protections. RedSun exploits a flaw in Defender's remediation process, enabling low-privileged users to overwrite critical system files. UnDefend allows attackers to disrupt Defender’s updates, keeping it outdated and ineffective. Both vulnerabilities are actively being exploited, with attackers leveraging them to gain persistent access and deploy ransomware. The primary targets are organizations using Windows systems with Defender enabled, particularly in sectors like finance, healthcare, and government. Mitigation strategies include applying updates for related vulnerabilities, monitoring for suspicious activities, and implementing additional security measures.
Tech Optimizer
May 20, 2026
A coalition of companies, including AWS, Percona, Supabase, pgEdge, and Tiger Data, has formed to support the maintenance of pgBackRest, an extension for the PostgreSQL database, after its long-time maintainer, David Steele, could no longer continue due to a lack of sponsorship following the acquisition of Crunchy Data by Snowflake. pgBackRest is a backup and restore solution for PostgreSQL, which is widely used by major cloud service providers. Steele had been seeking sponsorship to maintain the project but was unsuccessful, prompting concerns about its future. The coalition aims to provide stability and reduce reliance on a single sponsor by onboarding a new maintainer and seeking additional support. Percona's CEO emphasized the importance of collaboration to ensure the project's health for the community.
AppWizard
May 5, 2026
Meta has enhanced the security and transparency of its end-to-end encrypted backup system for WhatsApp and Messenger. The improvements focus on refining the distribution and verification of encryption keys, and allow for independent audits of certain infrastructure components. The updates are based on Meta's Hardware Security Module (HSM)-based Backup Key Vault architecture, which securely stores recovery secrets in tamper-resistant hardware, ensuring that neither Meta nor cloud service providers can access users' message archives. For encrypted backups, users' devices generate a 256-bit encryption key locally, which encrypts all backup data before uploading it to cloud storage. The key remains on the device in an encrypted format, with the user's password not visible to Meta or third parties. An encrypted version of the backup key is stored in the HSM-based vault using the OPAQUE password-authenticated key exchange protocol, enhancing recovery security without revealing the password. The recent updates include an over-the-air (OTA) fleet key distribution mechanism, which avoids hardcoding trusted infrastructure keys into Messenger applications. Clients receive a “validation bundle” containing the HSM fleet's public keys during runtime, with signatures verified against Cloudflare’s Key Transparency system. The vault operates across at least seven data centers using majority-consensus replication to ensure availability and integrity. Meta plans to publish cryptographic proof of each new HSM fleet deployment, allowing advanced users and researchers to verify these deployments through the open-source “mbt” (Meta Binary Transparency) CLI tool, which conducts multiple checks to confirm that fleet keys are untampered.
Winsage
April 23, 2026
The Competition Appeal Tribunal (CAT) has approved a £2 billion class action against Microsoft, aimed at compensating approximately 59,000 businesses using the Windows Server operating system in non-Microsoft public clouds. The collective action, led by Maria Luisa Stasi, alleges that Microsoft has overcharged UK entities for Windows Server on competing cloud services. The tribunal dismissed Microsoft's objections and granted a Collective Proceedings Order on an opt-out basis. The class action addresses two main issues: pricing abuse related to the Microsoft Service Provider License Agreement (SPLA) and re-licensing abuse concerning the deployment of Windows Server on Azure versus other cloud providers. The UK Competition and Markets Authority is also investigating Microsoft's software licensing practices within the cloud market. James Hain-Cole from law firm Scott+Scott expressed satisfaction with the tribunal's decision, emphasizing its significance for securing compensation for affected businesses.
Winsage
April 22, 2026
Microsoft is facing a £2 billion lawsuit in the UK, led by competition lawyer Maria Luisa Stasi, representing nearly 60,000 businesses that claim the company imposes excessive charges for using Windows Server on competing cloud platforms. The allegations focus on higher licensing fees for organizations using services like Amazon Web Services, Google Cloud Platform, and Alibaba Cloud compared to those using Microsoft’s Azure. The lawsuit has been allowed to proceed on an opt-out basis by the Tribunal. Microsoft plans to appeal the decision and asserts that its business model promotes competition. The case is part of broader scrutiny of Microsoft's licensing practices, with investigations also initiated by the UK Competition and Markets Authority and the European Commission, as well as inquiries in Brazil, Switzerland, the United States, and Japan.
AppWizard
April 9, 2026
Russia is developing the messaging app Max into a multifunctional "super app" inspired by Chinese platforms like WeChat and Douyin. The transformation aims to integrate messaging, payments, e-commerce, digital services, and content consumption into a single platform. The initiative is supported by the Russian government to enhance digital sovereignty and reduce reliance on foreign apps. Key features include a unified platform for services, payment systems, support for businesses, and content-driven commerce. However, Max faces challenges from established competitors, privacy concerns, and the need for a robust ecosystem. The success of Max could position it as a central hub for digital activity in Russia.
Winsage
March 30, 2026
On March 11, NSFOCUS CERT reported the release of Microsoft’s March Security Update, addressing 83 security vulnerabilities in products like Windows, Microsoft Office, Microsoft SQL Server, and Azure. The update includes eight critical vulnerabilities and 75 important ones, with risks such as privilege escalation and remote code execution. Key vulnerabilities include:
- CVE-2026-26110: Microsoft Office Remote Code Execution Vulnerability (CVSS score: 8.4)
- CVE-2026-26113: Microsoft Office Remote Code Execution Vulnerability (CVSS score: 8.4)
- CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability (CVSS score: 7.5)
- CVE-2026-23669: Windows Print Spooler Remote Code Execution Vulnerability (CVSS score: 8.8)
- CVE-2026-24294: Windows SMB Server Privilege Escalation Vulnerability (CVSS score: 7.8)
- CVE-2026-23668: Windows Graphics Component Privilege Escalation Vulnerability (CVSS score: 7.0)
Affected product versions include various editions of Microsoft Office, Windows Server 2012 R2, Windows Server 2016, Windows 10, and Windows 11. Microsoft has released security patches for these vulnerabilities, and users are encouraged to install them promptly.