Huge Cyberattack Found Hitting Vulnerable Microsoft-Signed Legacy Drivers to Get Past Security
A massive cybercriminal campaign has been discovered utilizing outdated and vulnerable Windows drivers to deploy malware against hundreds of thousands of devices. The attackers leveraged a signed driver, allowing them to disable antivirus programs and gain control over infected machines. This campaign is believed to be linked to the financially motivated group Silver Fox, which is known for its use of Chinese public cloud servers.
This type of attack highlights the importance of keeping drivers up-to-date, as even seemingly secure software can be compromised if it's not regularly patched.
As the cybersecurity landscape continues to evolve, how will future attacks on legacy systems and outdated software drive innovation in the development of more robust security measures?
Microsoft's Threat Intelligence has identified a new tactic from Chinese threat actor Silk Typhoon towards targeting "common IT solutions" such as cloud applications and remote management tools in order to gain access to victim systems. The group has been observed attacking a wide range of sectors, including IT services and infrastructure, healthcare, legal services, defense, government agencies, and many more. By exploiting zero-day vulnerabilities in edge devices, Silk Typhoon has established itself as one of the Chinese threat actors with the "largest targeting footprints".
The use of cloud applications by businesses may inadvertently provide a backdoor for hackers like Silk Typhoon to gain access to sensitive data, highlighting the need for robust security measures.
What measures can be taken by governments and private organizations to protect their critical infrastructure from such sophisticated cyber threats?
A broad overview of the four stages shows that nearly 1 million Windows devices were targeted by a sophisticated "malvertising" campaign, where malware was embedded in ads on popular streaming platforms. The malicious payload was hosted on platforms like GitHub and used Discord and Dropbox to spread, with infected devices losing login credentials, cryptocurrency, and other sensitive data. The attackers exploited browser files and cloud services like OneDrive to steal valuable information.
This massive "malvertising" spree highlights the vulnerability of online systems to targeted attacks, where even seemingly innocuous ads can be turned into malicious vectors.
What measures will tech companies and governments take to prevent such widespread exploitation in the future, and how can users better protect themselves against these types of attacks?
Microsoft has confirmed that its Windows drivers and software are being exploited by hackers through zero-day attacks, allowing them to escalate privileges and potentially drop ransomware on affected machines. The company patched five flaws in a kernel-level driver for Paragon Partition Manager, which were apparently found in BioNTdrv.sys, a piece of software used by the partition manager. Users are urged to apply updates as soon as possible to secure their systems.
This vulnerability highlights the importance of keeping software and drivers up-to-date, as outdated components can provide entry points for attackers.
What measures can individuals take to protect themselves from such attacks, and how can organizations ensure that their defenses against ransomware are robust?
Hackers are exploiting Microsoft Teams and other legitimate Windows tools to launch sophisticated attacks on corporate networks, employing social engineering tactics to gain access to remote desktop solutions. Once inside, they sideload flawed .DLL files that enable the installation of BackConnect, a remote access tool that allows persistent control over compromised devices. This emerging threat highlights the urgent need for businesses to enhance their cybersecurity measures, particularly through employee education and the implementation of multi-factor authentication.
The use of familiar tools for malicious purposes points to a concerning trend in cybersecurity, where attackers leverage trust in legitimate software to bypass traditional defenses, ultimately challenging the efficacy of current security protocols.
What innovative strategies can organizations adopt to combat the evolving tactics of cybercriminals in an increasingly digital workplace?
Security researchers spotted a new ClickFix campaign that has been abusing Microsoft SharePoint to distribute the Havoc post-exploitation framework. The attack chain starts with a phishing email, carrying a "restricted notice" as an .HTML attachment, which prompts the victim to update their DNS cache manually and then runs a script that downloads the Havoc framework as a DLL file. Cybercriminals are exploiting Microsoft tools to bypass email security and target victims with advanced red teaming and adversary simulation capabilities.
This devious two-step phishing campaign highlights the evolving threat landscape in cybersecurity, where attackers are leveraging legitimate tools and platforms to execute complex attacks.
What measures can organizations take to prevent similar ClickFix-like attacks from compromising their SharePoint servers and disrupting business operations?
Microsoft has identified and named four individuals allegedly responsible for creating and distributing explicit deepfakes using leaked API keys from multiple Microsoft customers. The group, dubbed the “Azure Abuse Enterprise”, is said to have developed malicious tools that allowed threat actors to bypass generative AI guardrails to generate harmful content. This discovery highlights the growing concern of cybercriminals exploiting AI-powered services for nefarious purposes.
The exploitation of AI-powered services by malicious actors underscores the need for robust cybersecurity measures and more effective safeguards against abuse.
How will Microsoft's efforts to combat deepfake-related crimes impact the broader fight against online misinformation and disinformation?
The modern-day cyber threat landscape has become increasingly crowded, with Advanced Persistent Threats (APTs) becoming a major concern for cybersecurity teams worldwide. Group-IB's recent research points to 2024 as a 'year of cybercriminal escalation', with a 10% rise in ransomware compared to the previous year, and a 22% rise in phishing attacks. The "Game-changing" role of AI is being used by both security teams and cybercriminals, but its maturity level is still not there yet.
This move signifies a growing trend in the beauty industry where founder-led companies are reclaiming control from outside investors, potentially setting a precedent for similar brands.
How will the dynamics of founder ownership impact the strategic direction and innovation within the beauty sector in the coming years?
Aviation firms in the United Arab Emirates (UAE) were recently targeted by a highly sophisticated business email compromise (BEC) attack looking to deploy advanced malware. The attackers used a compromised email account to share polyglot files with their victims, which deployed a hidden backdoor against aviation firms. Cybersecurity researchers Proofpoint observed that these attacks started in late 2024 and target organizations with a distinct interest in aviation and satellite communications.
This highly targeted attack highlights the evolving nature of cyber threats, where attackers are leveraging sophisticated tactics like polyglot files to evade traditional detection mechanisms.
How will the increasing use of polyglot malware impact the ability of cybersecurity professionals to detect and prevent similar attacks in the future?
Sophisticated, advanced threats have been found lurking in the depths of the internet, compromising Cisco, ASUS, QNAP, and Synology devices. A previously-undocumented botnet, named PolarEdge, has been expanding around the world for more than a year, targeting a range of network devices. The botnet's goal is unknown at this time, but experts have warned that it poses a significant threat to global internet security.
As network device vulnerabilities continue to rise, the increasing sophistication of cyber threats underscores the need for robust cybersecurity measures and regular software updates.
Will governments and industries be able to effectively counter this growing threat by establishing standardized protocols for vulnerability reporting and response?
Broadcom has released patches for three critical vulnerabilities in its VMware products, which are already being exploited in the wild. The bugs were described as VM escape flaws and affect all supported versions of VMware ESX, vSphere, Cloud Foundation, and Telco Cloud Platform. These issues were deemed severe enough to warrant immediate attention from users, who are urged to apply the fixes as soon as possible.
The emphasis on timely patching highlights the evolving nature of cybersecurity threats, where vulnerabilities can be rapidly exploited before solutions are available.
How will this incident influence the broader discussion around vendor responsibility and the accountability of large corporations in addressing security concerns that affect their customers?
Cybersecurity experts have successfully disrupted the BadBox 2.0 botnet, which had compromised over 500,000 low-cost Android devices by removing numerous malicious apps from the Play Store and sinkholing multiple communication domains. This malware, primarily affecting off-brand devices manufactured in mainland China, has been linked to various forms of cybercrime, including ad fraud and credential stuffing. Despite the disruption, the infected devices remain compromised, raising concerns about the broader implications for consumers using uncertified technology.
The incident highlights the vulnerabilities associated with low-cost tech products, suggesting a need for better regulatory measures and consumer awareness regarding device security.
What steps can consumers take to protect themselves from malware on low-cost devices, and should there be stricter regulations on the manufacturing of such products?
A "hidden feature" was found in a Chinese-made Bluetooth chip that allows malicious actors to run arbitrary commands, unlock additional functionalities, and extract sensitive information from millions of Internet of Things (IoT) devices worldwide. The ESP32 chip's affordability and widespread use have made it a prime target for cyber threats, putting the personal data of billions of users at risk. Cybersecurity researchers Tarlogic discovered the vulnerability, which they claim could be used to obtain confidential information, spy on citizens and companies, and execute more sophisticated attacks.
This widespread vulnerability highlights the need for IoT manufacturers to prioritize security measures, such as implementing robust testing protocols and conducting regular firmware updates.
How will governments around the world respond to this new wave of IoT-based cybersecurity threats, and what regulations or standards may be put in place to mitigate their impact?
Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools. On Friday, Amnesty International published a report detailing a chain of three zero-day vulnerabilities developed by phone-unlocking company Cellebrite, which its researchers found after investigating the hack of a student protester’s phone in Serbia. The flaws were found in the core Linux USB kernel, meaning “the vulnerability is not limited to a particular device or vendor and could impact over a billion Android devices,” according to the report.
This highlights the ongoing struggle for individuals exercising their fundamental rights, particularly freedom of expression and peaceful assembly, who are vulnerable to government hacking due to unpatched vulnerabilities in widely used technologies.
What regulations or international standards would be needed to prevent governments from exploiting these types of vulnerabilities to further infringe on individual privacy and security?
A recently discovered trio of vulnerabilities in VMware's virtual machine products can grant hackers unprecedented access to sensitive environments, putting entire networks at risk. If exploited, these vulnerabilities could allow a threat actor to escape the confines of one compromised virtual machine and access multiple customers' isolated environments, effectively breaking all security boundaries. The severity of this attack is compounded by the fact that VMware warned it has evidence suggesting the vulnerabilities are already being actively exploited in the wild.
The scope of this vulnerability highlights the need for robust security measures and swift patching processes to prevent such attacks from compromising sensitive data.
Can the VMware community, government agencies, and individual organizations respond effectively to mitigate the impact of these hyperjacking vulnerabilities before they can be fully exploited?
The US Department of Justice has announced charges against 12 Chinese hackers accused of targeting over 100 American companies, including the US Treasury. These individuals allegedly played a "key role" in recent cyberattacks and were linked to state-sponsored hacking groups, exploiting vulnerabilities in enterprise software. The DoJ also brought charges against eight individuals from organization Anxum Information Technology Co., Ltd., which was reportedly paid by Chinese authorities for its services.
This brazen attempt by the Chinese government to silence dissenting voices through cyberattacks raises serious questions about the accountability of governments for their citizens' online freedoms.
Will the US government's decision to offer a $10 million reward for information on these hackers lead to increased international cooperation in bringing them to justice, or will it remain a token gesture?
A software engineer for the Disney Company unwittingly downloaded malware on his computer that turned his life upside down. The malware gave outside attackers full access to his 1Password database and session cookies, allowing them to compromise his online accounts, including his employer's Slack channel. As a result, he lost his job after Disney's forensic examination reportedly showed that he had accessed pornographic material on his work laptop in violation of company policy.
The real problem lies not with the password manager itself but with the software engineer's decision to download untrusted software, which unknowingly installed malware that took over his PC.
This incident highlights the importance of being cautious when installing software and taking proactive measures to protect personal devices from malicious attacks.
Vishing attacks have skyrocketed, with CrowdStrike tracking at least six campaigns in which attackers pretended to be IT staffers to trick employees into sharing sensitive information. The security firm's 2025 Global Threat Report revealed a 442% increase in vishing attacks during the second half of 2024 compared to the first half. These attacks often use social engineering tactics, such as help desk social engineering and callback phishing, to gain remote access to computer systems.
As the number of vishing attacks continues to rise, it is essential for organizations to prioritize employee education and training on recognizing potential phishing attempts, as these attacks often rely on human psychology rather than technical vulnerabilities.
With the increasing sophistication of vishing tactics, what measures can individuals and organizations take to protect themselves from these types of attacks in the future, particularly as they become more prevalent in the digital landscape?
The Lee Enterprises ransomware attack is affecting the company's ability to pay outside vendors, including freelancers and contractors, as a result of the cyberattack that began on February 3. The attack has resulted in widescale outages and ongoing disruption at dozens of newspapers across the United States, causing delays to print editions and impacting various aspects of the company's operations. Lee Enterprises has confirmed that hackers "encrypted critical applications," including those related to vendor payments.
This breach highlights the vulnerability of small businesses and freelance workers to cyberattacks, which can have far-reaching consequences for their livelihoods and financial stability.
How will governments and regulatory bodies ensure that companies like Lee Enterprises take adequate measures to protect vulnerable groups, such as freelancers and contractors, from the impacts of ransomware attacks?
The U.S. government has indicted a slew of alleged Chinese hackers, sanctioned a Chinese tech company, and offered a $10 million bounty for information on a years-long spy campaign that targeted victims across America and around the world. The indictment accuses 10 people of collaborating to steal data from their targets, including the U.S. Defense Intelligence Agency, foreign ministries, news organizations, and religious groups. The alleged hacking scheme is believed to have generated significant revenue for Chinese intelligence agencies.
The scale of this operation highlights the need for international cooperation in addressing the growing threat of state-sponsored cyber espionage, which can compromise national security and undermine trust in digital systems.
As governments around the world seek to counter such threats, what measures can be taken to protect individual data and prevent similar hacking schemes from emerging?
NTT Communications has suffered a devastating cyberattack that compromised sensitive data of almost 18,000 corporate customers. The breach occurred in late February and saw the theft of key customer information, including contract numbers, names, contact details, and service usage records. NTT has acknowledged the breach but remains tight-lipped about the identity of the attackers or how they accessed its systems.
This high-profile cyberattack highlights the vulnerability of even large and seemingly secure organizations to sophisticated threats, underscoring the need for robust cybersecurity measures across the global telecommunications industry.
How will this incident influence regulatory bodies' efforts to implement more stringent data protection standards in the telecom sector, particularly in light of growing concerns about corporate espionage?
Former top U.S. cybersecurity official Rob Joyce warned lawmakers on Wednesday that cuts to federal probationary employees will have a "devastating impact" on U.S. national security. The elimination of these workers, who are responsible for hunting and eradicating cyber threats, will destroy a critical pipeline of talent, according to Joyce. As a result, the U.S. government's ability to protect itself from sophisticated cyber attacks may be severely compromised. The probe into China's hacking campaign by the Chinese Communist Party has significant implications for national security.
This devastating impact on national security highlights the growing concern about the vulnerability of federal agencies to cyber threats and the need for proactive measures to strengthen cybersecurity.
How will the long-term consequences of eliminating probationary employees affect the country's ability to prepare for and respond to future cyber crises?
Threat actors are exploiting misconfigured Amazon Web Services (AWS) environments to bypass email security and launch phishing campaigns that land in people's inboxes. Cybersecurity researchers have identified a group using this tactic, known as JavaGhost, which has been active since 2019 and has evolved its tactics to evade detection. The attackers use AWS access keys to gain initial access to the environment and set up temporary accounts to send phishing emails that bypass email protections.
This type of attack highlights the importance of proper AWS configuration and monitoring in preventing similar breaches, as misconfigured environments can provide an entry point for attackers.
As more organizations move their operations to the cloud, the risk of such attacks increases, making it essential for companies to prioritize security and incident response training.
The Department of Justice has criminally charged 12 Chinese nationals for their involvement in hacking over 100 US organizations, including the Treasury, with the goal of selling stolen data to China's government and other entities. The hackers used various tactics, including exploiting email inboxes and managing software, to gain access to sensitive information. China's government allegedly paid "handsomely" for the stolen data.
The sheer scale of these hacks highlights the vulnerability of global networks to state-sponsored cyber threats, underscoring the need for robust security measures and cooperation between nations.
What additional steps can be taken by governments and private companies to prevent similar hacks in the future, particularly in industries critical to national security?
Microsoft has implemented a patch to its Windows Copilot, preventing the AI assistant from inadvertently facilitating the activation of unlicensed copies of its operating system. The update addresses previous concerns that Copilot was recommending third-party tools and methods to bypass Microsoft's licensing system, reinforcing the importance of using legitimate software. While this move showcases Microsoft's commitment to refining its AI capabilities, unauthorized activation methods for Windows 11 remain available online, albeit no longer promoted by Copilot.
This update highlights the ongoing challenges technology companies face in balancing innovation with the need to protect their intellectual property and combat piracy in an increasingly digital landscape.
What further measures could Microsoft take to ensure that its AI tools promote legal compliance while still providing effective support to users?