Incidents – Page 3 – WindowsTechs.com

Malicious code in APKPure app

Posted on April 9, 2021 by Igor Golovin, Anton Kivva

Malicious code was detected in version 3.17.18 of the APKPure alternative app store for Android. We recommend deleting the infected version and installing APKPure 3.17.19 asap. Continue reading Malicious code in APKPure app→

Zero-day vulnerabilities in Microsoft Exchange Server

Posted on March 4, 2021 by Vladimir Kuskov, Alexey Kulaev, Nikita Galimov

The four vulnerabilities inside Microsoft Exchange Server allow an attacker to compromise a vulnerable server. As a result, an attacker will gain access to all registered email accounts, or be able to execute arbitrary code (remote code execution or RCE) within the Exchange Server context. Continue reading Zero-day vulnerabilities in Microsoft Exchange Server→

Sunburst: connecting the dots in the DNS requests

Posted on December 18, 2020 by Igor Kuznetsov

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs. Continue reading Sunburst: connecting the dots in the DNS requests→

The FBI Intrusion Notification Program

Posted on September 3, 2020 by Richard Bejtlich

The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years. This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post … Continue reading The FBI Intrusion Notification Program→

Corona and How We Work From Home

Posted on March 13, 2020 by Roger Halbheer

We are asked in quite some calls, how we handle the pandemic situation at Microsoft. As a lot of us are used to home office, the change is intense but not that big. Customer events were cancelled (as in a lot of other companies as well) or moved to vir… Continue reading Corona and How We Work From Home→

Mokes and Buerak distributed under the guise of security certificates

Posted on March 5, 2020 by AMR

We recently discovered a new approach to the well-known distributing malware technique: visitors to infected sites were informed that some kind of security certificate had expired. Continue reading Mokes and Buerak distributed under the guise of security certificates→

AZORult spreads as a fake ProtonVPN installer

Posted on February 18, 2020 by Dmitry Bestuzhev

We discovered what appears to be one of AZORult’s most unusual campaigns: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows. Continue reading AZORult spreads as a fake ProtonVPN installer→

Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium

Posted on November 1, 2019 by AMR

Recently, we caught a new unknown exploit for Chrome browser. We promptly reported this to the Google. After reviewing of the PoC we provided, the company confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Continue reading Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium→

An advertising dropper in Google Play

Posted on August 27, 2019 by Igor Golovin

Recently, the popular CamScanner – Phone PDF creator app caught our attention. After analyzing the app, we saw that the developer added an advertising library to it that contains a malicious dropper component. Continue reading An advertising dropper in Google Play→

How to leverage “Secure Access Workstations” for the Cloud

Posted on August 16, 2019 by Roger Halbheer

This is a questions I get fairly often. But before I try to answer, let’s take a step back: We know that attackers typically try to compromise user accounts and then move laterally until they find higher-value credentials. The holy grail in this … Continue reading How to leverage “Secure Access Workstations” for the Cloud→