Expect regular features like threat intelligence briefings, tool recommendations, and spotlights on emerging technologies shaping the future of security.

A critical vulnerability in Windows Defender Application Control (WDAC) has been uncovered, allowing attackers to bypass strict security policies using WinDbg Preview, a Microsoft Store app. Organizations are urged to disable the Microsoft Store in secure environments and explicitly block WinDbgX.exe in WDAC policies to mitigate this threat.

A vulnerability in the FireEye EDR agent allows attackers to trigger a persistent denial of service by exploiting tamper protection, potentially disabling endpoint security and leaving systems exposed.

A high-severity vulnerability in HPE's cluster management software lets remote attackers bypass authentication and gain privileged access to critical computing resources.

The Cybersecurity and Infrastructure Security Agency (CISA) has notified its threat hunting division to discontinue use of VirusTotal and Censys, two critical tools for malware analysis and threat intelligence. The move, part of broader agency reductions, affects over 500 cyber threat hunters and is expected to impact CISA's ability to rapidly analyze and triage cyber threats across federal networks.

Attackers are leveraging Google Forms to bypass email security and steal credentials, exploiting the platform's trusted domain and HTTPS encryption.

A flaw in Synology DiskStation Manager's NFS service lets unauthenticated remote attackers read arbitrary files, risking sensitive data exposure.

A critical flaw in WinZip allows attackers to bypass Windows' Mark-of-the-Web (MotW) protection, enabling silent execution of malicious files extracted from ZIP archives.

MITRE has introduced the D3FEND CAD tool as part of its D3FEND 1.0 release, revolutionizing how security practitioners model, analyze, and defend against cyber threats. The tool enables users to create structured, detailed cybersecurity scenarios using a knowledge graph approach, supporting functions from threat intelligence analysis to incident investigation.

A critical flaw in Google Cloud Composer (now patched) could have let attackers with minimal permissions gain control over privileged service accounts. By injecting malicious PyPI packages, attackers could escalate privileges and access sensitive cloud resources.

Victims receive emails claiming to offer fraud recovery help, but are tricked into installing malware via "verification software." The campaign uses multi-stage encryption and fileless execution to evade detection, resulting in over $1.2 million in losses in just three weeks.

Russian threat actors are abusing OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts, particularly targeting organizations linked to Ukraine and human rights.

The "ToyMaker" threat group has compromised numerous critical infrastructure hosts by exploiting exposed systems and deploying custom backdoors.

A new malware tool, "Baldwin Killer," is being sold on underground forums, boasting advanced techniques to bypass antivirus and endpoint detection and response (EDR) systems.

British retail giant Marks & Spencer (M&S) has confirmed a significant cyber incident that disrupted contactless payment systems and its Click and Collect service, leaving customers frustrated during the busy Easter period. The attack, suspected to involve ransomware, forced the company to implement emergency security protocols and temporarily disable certain digital services across its 1,049 UK stores.

Attackers are using open-source repositories like npm and PyPI to distribute malicious packages disguised as legitimate developer tools.

The Akira ransomware group has escalated its operations, targeting organizations by exploiting compromised VPN credentials, especially those lacking multi-factor authentication.

A sophisticated backdoor has been discovered targeting Russian organizations, disguised as legitimate updates for ViPNet secure networking software.

Researchers have identified a malware campaign targeting Docker environments, using a multi-layered obfuscation technique to evade detection.

Two critical vulnerabilities in Redis allow authenticated users to trigger denial-of-service or execute remote code via malformed ACL selectors and malicious Lua scripts.

A design flaw in the Windows Update Stack could allow local attackers to escalate privileges to SYSTEM by abusing directory junctions.

Attackers exploit unpatched vulnerabilities and weak credentials to gain initial access, often leading to ransomware or data theft. The flaw allows unauthenticated remote code execution, with attackers targeting unpatched systems. This technique helps them bypass firewalls, maintain persistence, and facilitate data exfiltration or remote access, making detection and mitigation more challenging.
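The WinZip item above describes extracted files arriving without Mark-of-the-Web. The following PowerShell script is an added example written for this digest, not code from the article or from WinZip: it reads the Zone.Identifier alternate data stream that carries MotW, audits an extraction directory for files that lost it, and re-stamps them with the zone recorded on the archive itself. The function names (Get-MotWZone, Repair-ExtractedMotW), the temporary-directory demo and the sample archive contents are constructed for illustration; it assumes Windows with NTFS, where the built-in cmdlets can read and write alternate data streams.

```powershell
# Added example (not from the article): detect and repair missing Mark-of-the-Web on
# files extracted from an archive. Requires Windows/NTFS (alternate data streams).

function Get-MotWZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId from the Zone.Identifier stream (3 = Internet), or $null
    # when the file carries no Mark-of-the-Web at all.
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Repair-ExtractedMotW {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractDir
    )
    # Propagate the archive's zone to every extracted file that lacks one, so that
    # SmartScreen and Office Protected View treat them as they would the download.
    $zone = Get-MotWZone -Path $ArchivePath
    if ($null -eq $zone) {
        Write-Verbose "Archive has no Mark-of-the-Web; nothing to propagate."
        return @()
    }
    $fixed = @()
    Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | ForEach-Object {
        if ($null -eq (Get-MotWZone -Path $_.FullName)) {
            # Same content a browser writes on download: a ZoneTransfer section with the ZoneId.
            Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$zone"
            $fixed += $_.FullName
        }
    }
    return $fixed
}

# Constructed demo: build a zip, stamp it with an Internet-zone MotW as a browser download
# would carry, extract it with Expand-Archive (which writes no Zone.Identifier on the
# extracted files, so they come out unmarked), then repair and show the before/after state.
$work = Join-Path ([IO.Path]::GetTempPath()) ("motw-demo-" + [guid]::NewGuid())
$src  = Join-Path $work 'src'
$out  = Join-Path $work 'out'
New-Item -ItemType Directory -Path $src | Out-Null
Set-Content -Path (Join-Path $src 'payload.cmd') -Value '@echo hello'   # harmless stand-in
$zip = Join-Path $work 'download.zip'
Compress-Archive -Path (Join-Path $src '*') -DestinationPath $zip
Set-Content -LiteralPath $zip -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Expand-Archive -LiteralPath $zip -DestinationPath $out
$before = Get-MotWZone -Path (Join-Path $out 'payload.cmd')
$fixed  = Repair-ExtractedMotW -ArchivePath $zip -ExtractDir $out
$after  = Get-MotWZone -Path (Join-Path $out 'payload.cmd')

"Before repair: ZoneId=$before; repaired $($fixed.Count) file(s); after repair: ZoneId=$after"
Remove-Item -LiteralPath $work -Recurse -Force
```

The audit half (Get-MotWZone over an extraction directory) is the part worth running on its own after any third-party extractor: a downloaded archive whose children all come back with no ZoneId is exactly the condition the WinZip flaw produces, regardless of which tool dropped the stream.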
This Cyber News was published on cybersecuritynews.com. Publication date: Sun, 27 Apr 2025 14:10:10 +0000