vulnerability management Archives

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

Winsage

April 28, 2025

While Windows 10 users panic, Ubuntu makes extending support easy

Ubuntu offers a service called Ubuntu Pro that allows home users to extend support for Ubuntu 20.04 at no cost through Extended Security Maintenance (ESM), providing a decade of vulnerability management for critical, high, and select medium security issues. Ubuntu 20.04, launched in 2020, has five years of support remaining. Users can create a free Ubuntu Pro account to link their operating system to ESM, which can be done by executing the command "sudo pro attach TOKEN" after obtaining a unique token from their account. ESM is available for all Long Term Support (LTS) versions of Ubuntu, including 20.04, 22.04, and 24.04, with support lasting until 2030, 2032, and 2034, respectively.

Winsage

March 12, 2025

Microsoft patches Windows Kernel zero-day exploited since 2023

ESET has identified a zero-day vulnerability in the Windows Win32 Kernel Subsystem, designated as CVE-2025-24983, which has been exploited since March 2023. This vulnerability, stemming from a use-after-free weakness, allows low-privileged attackers to escalate access to SYSTEM privileges without user interaction. It primarily affects older Windows versions, including Windows Server 2012 R2 and Windows 8.1, but also poses risks to newer versions like Windows Server 2016 and Windows 10 (build 1809 and earlier). The exploit was first seen in the wild in March 2023, targeting systems compromised by the PipeMagic malware. Microsoft has addressed this vulnerability in the recent Patch Tuesday updates. Additionally, five other zero-day vulnerabilities were also patched, and CISA has mandated that Federal Civilian Executive Branch agencies secure their systems by April 1st.

Winsage

March 4, 2025

CISA Alerts on Active Exploitation of Cisco Small Business Router Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about a command injection vulnerability (CVE-2023-20118) affecting Cisco Small Business RV Series Routers, which are end-of-life. This vulnerability, rated 6.5 on the CVSSv3.1 scale, allows authenticated attackers to execute arbitrary commands with root privileges. The affected models include RV016, RV042, RV042G, RV082, RV320, and RV325, running firmware versions released before April 2023. Cisco will not provide patches for these devices. CISA mandates that federal agencies either implement mitigations or stop using the routers by March 24, 2025. Private organizations are also encouraged to address the issue, especially due to exploitation attempts linked to the PolarEdge botnet campaign. Administrators are advised to restrict administrative access, monitor logs for unusual activity, and consider decommissioning affected devices. The continued use of unpatched routers poses significant risks to critical infrastructure, particularly in small business and remote work environments.

Tech Optimizer

February 7, 2025

What is Managed Endpoint Protection?

Managed Endpoint Protection involves outsourcing endpoint security for devices like laptops, desktops, and servers to specialized providers. These services offer continuous monitoring, automated responses, and compliance checks, utilizing advanced analytics and real-time threat intelligence. Key features include continuous monitoring, automated threat containment, vulnerability management, forensic analysis, compliance tools, and threat hunting. Managed services address various threats such as ransomware, phishing, zero-day exploits, credential theft, insider threats, DDoS attacks, and data exfiltration. Benefits include 24/7 expert coverage, access to specialized threat intelligence, faster incident response, reduced operational complexity, predictable pricing, and improved compliance. Challenges include the rapidly evolving threat landscape, skills shortage, budget constraints, and ensuring real-time visibility. Best practices for implementation involve maintaining asset inventories, defining roles, fine-tuning detection thresholds, conducting regular drills, and integrating with broader security measures. When choosing a provider, factors to consider include technical expertise, service level agreements, integration capabilities, pricing, compliance, and ongoing support. SentinelOne offers an autonomous cybersecurity platform that enhances endpoint security through superior visibility, automated responses, and customizable features.

Winsage

December 17, 2024

New Microsoft Windows Security Deadline—CISA Says Update Before Jan. 6

CISA has added the Microsoft Windows kernel security vulnerability CVE-2024-35250 to its Known Exploited Vulnerabilities catalog, requiring organizations to address it by January 6, 2025. This vulnerability, characterized as a "Windows Kernel-Mode Driver Elevation of Privilege Vulnerability," allows attackers to escalate privileges from local user to administrator and was patched in June 2024. The attack complexity is rated as low, making it easier to exploit. CISA advises all organizations to prioritize remediation of this vulnerability, which affects all versions from Windows 10 and Windows Server 2008 onward.

Winsage

December 13, 2024

Ready to ditch Windows? 5 factors to help you decide between Linux or MacOS

Microsoft will end support for Windows 10 in October 2025, leaving users vulnerable to security threats without updates. Upgrading to Windows 11 requires hardware compatibility checks. MacOS is free but requires expensive Apple hardware, while Linux can be downloaded for free and installed on multiple machines. MacOS limits users to three hardware options, whereas Linux offers a wide range of hardware choices and customization options. MacOS is user-friendly but less customizable, while Linux provides extensive personalization. Open-source Linux software typically receives faster security updates compared to proprietary systems like MacOS. Both Linux and MacOS are reliable, with Linux often considered more stable than MacOS.

Winsage

October 28, 2024

Tenable reveals vulnerability in Open Policy Agent for Windows

Tenable has identified a vulnerability, tracked as CVE-2024-8260, affecting all versions of Open Policy Agent (OPA) for Windows prior to version 0.68.0. This medium-severity Server Message Block (SMB) force-authentication vulnerability arises from improper input validation, allowing an arbitrary SMB share to be passed instead of a legitimate Rego file. This can lead to unauthorized access and the leakage of a user's Net-NTLMv2 hash, posing a significant security threat. Organizations using older versions of OPA on Windows are advised to update to version 0.68.0 to mitigate this risk.

Winsage

October 9, 2024

October 2024 Patch Tuesday: Updates and Analysis

Microsoft released a patch for CVE-2024-43572, a vulnerability in the Microsoft Management Console, rated Important with a CVSS score of 7.8, allowing remote code execution through malicious MSC files. Another patch was issued for CVE-2024-43573, a Moderate spoofing vulnerability in the Windows MSHTML Platform with a CVSS score of 6.5, affecting multiple Microsoft products. Additionally, three critical vulnerabilities were identified: CVE-2024-43468 in Microsoft Configuration Manager (CVSS score 9.8), CVE-2024-43488 in the Arduino extension for Visual Studio Code (CVSS score 8.8), and CVE-2024-43582 in the Remote Desktop Protocol Server (CVSS score 8.1). The CrowdStrike Falcon® platform introduced a Patch Tuesday dashboard for tracking vulnerabilities, and organizations are encouraged to adopt comprehensive cybersecurity strategies beyond just patching.

Winsage

September 25, 2024

Will Windows Server 2025 release spark VMware migrations? | TechTarget

Microsoft is positioning itself to attract VMware customers following VMware's acquisition by Broadcom. The upcoming release of Windows Server 2025 will include enhanced features for Hyper-V, such as revised GPU partitioning, dynamic compatibility for live migrations between hosts with different CPU architectures, improved virtualization-based security, and simplified deployment for smaller organizations. Broadcom's history of selling off underperforming products raises concerns about VMware's stability, prompting customers to reconsider their options. Microsoft is offering solutions like the Azure VMware Solution and the VMware Rapid Migration program to facilitate transitions away from VMware. The enhancements in Windows Server 2025 aim to address enterprise needs and may encourage users to switch from VMware.