North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware
A group of actors originating from North Korea that MSTIC tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021.
-
-
Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706
Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. -
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a userโs sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA). -
Hive ransomware gets upgrades in Rust
With its latest variant carrying several major upgrades, Hive proves itโs one of the fastest evolving ransomware payload, exemplifying the continuously changing ransomware ecosystem. -
Toll fraud malware: How an Android application can drain your wallet
Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware โ and it continues to evolve. -
Using process creation properties to catch evasion techniques
We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. -
Improving AI-based defenses to disrupt human-operated ransomware
To disrupt human-operated ransomware attacks as early as possible, we enhanced the AI-based protections in Microsoft Defender for Endpoint with a range of specialized machine learning techniques that swiftly identify and block malicious files, processes, or behavior observed during active attacks. -
The many lives of BlackCat ransomware
The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. -
Exposing POLONIUM activity and infrastructure targeting Israeli organizations
Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. -
Using Python to unearth a goldmine of threat intelligence from leaked chat logs
Dealing with a great amount of data can be time consuming, thus using Python can be very powerful to help analysts sort information and extract the most relevant data for their investigation. -
Android apps with millions of downloads exposed to high-severity vulnerabilities
Microsoft uncovered high-severity vulnerabilities in a mobile framework used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote or local attacks. -
Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)
The privilege escalation hacking tool KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/ SharpMad, Whisker, and ADCSPwn tools in attacks.
