FISA

 A critical vulnerability in Microsoft Entra ID has been uncovered, allowing attackers to escalate privileges to the Global Administrator role by abusing built-in first-party applications and federated domain configurations. The flaw affects organizations running hybrid Active Directory environments with federated domains , opening a stealthy path to full tenant compromise. Discovery and Impact The vulnerability, discovered by Datadog security researchers and reported to the Microsoft Security Response Center (MSRC) in January 2025 , enables privilege escalation through the misuse of the Office 365 Exchange Online service principal (Client ID: 00000002-0000-0ff1-ce00-000000000000 ). Attackers with Cloud Application Administrator , Application Administrator , or Application.ReadWrite.All permissions can hijack the Exchange Online service principal’s Domain.ReadWrite.All permission. This allows them to: Add a new federated domain to the tenant. Forge SAML tokens as any ...

  A new and highly sophisticated Remote Access Trojan (RAT), CyberEYE , has surfaced as a growing threat to Windows environments. Written in .NET and built for modular deployment, this malware stands out for its ability to completely disable Windows Defender using a combination of PowerShell scripting and registry manipulations . Command & Control via Telegram CyberEYE’s communication infrastructure is built on Telegram’s Bot API , which allows threat actors to control infected systems without maintaining their own backend infrastructure. This use of a popular, encrypted messaging platform complicates detection and containment efforts. Plug-and-Play Malware for the Masses CyberEYE includes a user-friendly builder interface , allowing even low-skilled attackers to generate custom payloads without writing code. This ease of use, combined with its feature-rich design, is accelerating adoption across cybercriminal communities. It is distributed via multiple channels inclu...

A newly uncovered vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise systems to a severe zero-click denial-of-service (DoS) attack that can be executed remotely—without authentication or user interaction. The flaw targets the UDP-based TFTP service running on port 69, which is central to WDS’s PXE boot functionality used for deploying operating systems over the network. Exploiting this weakness, an attacker can crash a vulnerable server in minutes, posing a serious risk to organizations relying on WDS for streamlined operating system rollouts. How the Vulnerability Works Discovered by security researcher Zhiniang Peng , the vulnerability stems from how WDS handles incoming TFTP (Trivial File Transfer Protocol) sessions. When a connection request is received, WDS creates a CTftpSession object via the function wdstftp!CClientContext::OnConnectionRequest . However, there’s a fundamental flaw: no limits are enforced on the number of sessions the serv...

 A year after announcing support for passkeys in consumer accounts, Microsoft is now making them the default sign-in method for all new accounts. This move signals a significant step in the tech giant’s broader commitment to eliminating passwords—a major weak point in online security. New Accounts Are Now Passwordless by Default In an official statement, Microsoft executives Joy Chik and Vasu Jakkal confirmed: "Brand new Microsoft accounts will now be 'passwordless by default.' New users will have several passwordless options for signing into their account and they'll never need to enroll a password. Existing users can visit their account settings to delete their password." The updated process ensures new users never have to create or manage a password. Instead, they can authenticate using phishing-resistant options like biometrics or device-based passkeys. A Simplified, Smarter Sign-In Experience To support this transition, Microsoft has overhauled its si...

Microsoft on Monday said it took steps  correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages. The repository, named " robust-models-transfer ," is no longer accessible. Prior to its takedown, it featured source code and machine learning models pertaining to a  2020 research paper   titled  "Do Adversarially Robust ImageNet Models Transfer Better?" "The exposure came as the result of an overly permissive  SAS token  – an Azure feature that allows users to share data in a manner that is both hard to track and hard to revoke," Wiz said in a report. The issue was reported to Microsoft on June 22,...

A set of memory corruption flaws have been discovered in the  ncurses  (short for new curses) programming library that could be exploited by threat actors to run malicious code on vulnerable Linux and macOS systems. "Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions," Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse said in a technical report published today. The vulnerabilities, collectively tracked as  CVE-2023-29491  (CVSS score of 7.8), have been addressed as of April 2023. Microsoft said it also worked with Apple on remediating the macOS-specific issues related to these flaws. Environment variables are user-defined values that can be used by multiple programs on a system and can affect the manner in which they behave on the system. Man...

Microsoft on Wednesday revealed that a China-based threat actor known as  Storm-0558  acquired the inactive consumer signing key to forge tokens and access Outlook by compromising an engineer's corporate account. This enabled the adversary to access a debugging environment that contained information pertaining to a crash of the consumer signing system and steal the key. The system crash took place in April 2021. "A consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process ('crash dump')," the Microsoft Security Response Center (MSRC) said in a post-mortem report. "The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material's presence in the crash dump was not detected by our systems." The Windows maker said the crash dump was moved to a debugging environment on the internet-connected corporat...

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign  DB#JAMMER , said it stands out for the way the toolset and infrastructure is employed. "Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a technical breakdown of the activity. "The ransomware payload of choice appears to be a newer variant of  Mimic ransomware  called FreeWorld." Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the  xp_cmdshell configuration option  to run shell commands and conduct reconnaissance. The next stage entails taking steps to impair system firewall and establish persistence by c...

Microsoft is warning of an increase in adversary-in-the-middle (AiTM) phishing techniques, which are being propagated as part of the phishing-as-a-service (PhaaS) cybercrime model. In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities. "This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). Phishing kits with AiTM capabilities work in two ways, one of which concerns the use of reverse proxy servers (i.e., the phishing page) to relay traffic to and from the client and legitimate website and stealthily capture user credentials, two-factor authentication codes, and session cookies. A second method involves synchronous relay servers. "In AiTM through synchronous relay servers the t...