
Latest news with #IBMX-ForceRed

Southern Alberta woman falls prey to fraud, is contacted by law firm to pay back bank

CTV News

30-07-2025

A southern Alberta woman had her personal information used to fraudulently obtain a credit card. The bank went after her to repay thousands in charges.

Katrina Witwer had her personal information fraudulently used to obtain a credit card, while the bank that issued it took legal action to try and have her pay it back.

On March 12, Witwer was surprised by a pending credit card application she never filled out. It was then the Airdrie woman did a credit report check and found out a BMO credit card was also authorized under her name with a limit of $22,000. That was issued in February, and $17,000 had already been spent.

Witwer was reluctant to be interviewed, so her husband, Dustin Heywood, spoke to CTV News. 'We called BMO to identify this as fraud. They told us over the phone, "Go into a branch with your ID and we will sort it out,"' said Heywood.

Heywood has expertise in this area, working as a hacker for IBM X-Force Red to help companies identify cybersecurity issues. He has been cited in multiple articles, including a CTV News article about customers at BMO being breached due to large-scale data theft.

The couple then filed a police report with the Airdrie RCMP. Authorities there informed Witwer her ID had been used to try and purchase OxyContin. There was also another incident involving her ID in northern Alberta.

Witwer did have her pending application for a credit card shut down while BMO verified her identity, and the bank also shut down the fraudulent credit card. 'They closed the account right then and there,' said Heywood.

Witwer was assured she would be looked after; however, last week, they found out a law firm performed a hard credit check on their file on July 14. The firm was pressuring Witwer into paying back the $17,000. 'We tried to tell him, like, "This is a fraud case." He says, "No, no, no, no, stop, this is the way this is going to happen," and then starts to go all lawyerly-like,' said Heywood.

Witwer told the bank she was speaking to CTV News on Tuesday morning, and the case was dropped later in the day. 'All I want from this is for them to back off, give us an apology, correct my (wife's) credit report to take off the derogatory credit information and to make sure they put in steps to make sure this doesn't affect anybody else,' said Heywood.

BMO provided a statement regarding the incident: 'We immediately reviewed this matter after the client was in contact with us and are working to resolve it as part of our regular process. We confirm that the law firm will not be taking any further steps in the matter. In addition, we are working with the credit bureau to update the client's file as soon as possible and ensure there is no impact on their credit report.'

Vanessa Iafolla, principal at Anti-Fraud Intelligence Consulting, isn't surprised by BMO's handling of the incident. 'I think this is actually part of the bigger institutional, structural, societal problem,' said Iafolla. 'It shouldn't take going to the media every time for our banks to do the right thing. It just shouldn't. I'm going to be hearing these kinds of things again and again, because nothing is really going to change until financial institutions are made to change.'

Hackers find a way around built-in Windows protections

Fox News

12-04-2025

All Windows PCs come with a built-in security feature called Windows Defender Application Control (WDAC), which helps prevent unauthorized software from running by allowing only trusted applications. However, despite its purpose, hackers have discovered several ways to bypass WDAC, exposing systems to malware, ransomware and other cyber threats. As a result, what was once considered a strong layer of defense may now serve as a potential vulnerability if not properly managed.

Windows Defender Application Control (WDAC) is a security feature in Windows that enforces strict rules about which applications can run. It helps block unauthorized software, but researchers have found ways to bypass these protections.

Bobby Cooke, a red team operator at IBM X-Force Red, confirmed that Microsoft Teams could be used as a WDAC bypass. He explained that during Red Team Operations, they were able to get around WDAC and execute their Stage 2 Command and Control payload. To find and fix these security gaps, Microsoft runs a bug bounty program that rewards researchers for reporting vulnerabilities in WDAC and other security components. However, some bypass techniques go unpatched for long periods.

One of the key ways attackers get around WDAC is by using Living-off-the-Land Binaries, or LOLBins. These are legitimate system tools that come pre-installed with Windows, but hackers can repurpose them to execute unauthorized code while avoiding security detection. Since these tools are trusted by the system, they provide an easy way to slip past defenses.

Some bypass techniques involve DLL sideloading, where attackers trick legitimate applications into loading malicious DLLs instead of the intended ones. Additionally, if WDAC policies are not enforced properly, attackers can modify execution rules to allow unauthorized software to run. Hackers also use unsigned or loosely signed binaries. WDAC relies on code signing to verify an application's authenticity. However, attackers sometimes exploit misconfigurations where loosely signed or unsigned binaries are mistakenly allowed, letting them execute malicious payloads.

Once an attacker bypasses WDAC, they can execute payloads without being flagged by traditional security solutions. This means they can deploy ransomware, install backdoors, or move laterally within a network without triggering immediate suspicion. Since many of these attacks use built-in Windows tools, detecting malicious activity becomes even more difficult.

Since this attack exploits a vulnerability within WDAC, there is little you can do to fully protect yourself. It is up to Microsoft to fix the issue. However, here are three best practices you can follow to reduce your risk.

1. Keep Windows updated: Microsoft regularly releases security updates that patch vulnerabilities, including those related to WDAC. Keeping Windows and Microsoft Defender up to date ensures you have the latest protection against known threats. If you're not sure how to do that, see my guide on how to keep all your devices and apps updated.

2. Be cautious with software downloads: Only install applications from trusted sources like the Microsoft Store or official vendor websites. Avoid pirated software, as it can come bundled with malicious code that bypasses security protections like WDAC.

3. Use strong antivirus software: Based on the report, it does not appear that hackers require user interaction to bypass WDAC. The methods described suggest that an attacker could exploit these vulnerabilities without direct user input, especially if they already have some level of access to the system. However, in real-world scenarios, attackers often combine such exploits with social engineering or phishing to gain initial access. For example, if an attacker gains access through a phishing attack, they might then use WDAC bypass methods to execute further malicious payloads. So, while direct user input may not be necessary for some bypass techniques, attackers often use user actions as an entry point before exploiting WDAC vulnerabilities. The best way to avoid becoming a victim is to have strong antivirus software installed. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

While Windows Defender Application Control (WDAC) offers a valuable layer of security, it isn't foolproof. Hackers are actively developing and using WDAC bypass techniques to exploit gaps in system defenses. Understanding how WDAC bypass works is essential to protecting your devices. By keeping your software up to date, using trusted applications, and relying on reputable security tools, you can significantly lower your risk.

Do you think Microsoft is doing enough to patch these vulnerabilities, or should it take stronger action?

Hackers Bypass Windows Defender Security — What You Need To Know

Forbes

31-03-2025

Hackers bypass Windows Defender security controls.

Update, March 31, 2025: This story, originally published March 29, has been updated with an explanation of LOLBINS as well as further technical information regarding the Windows Defender Application Control security bypass from IBM X-Force red team operator Bobby Cooke.

When you thought that things couldn't get much scarier for Windows users, elite red team hackers go and prove you wrong. First, there was a zero-day vulnerability leaving Windows passwords up for grabs, then a ransomware shocker as criminals put a $500,000 Windows threat up for rent, and even the discovery of a Windows rootkit to contend with. Now, it has been confirmed that there's a way to bypass Windows Defender Application Control, which is meant to restrict application execution to trusted software, with all the implications that brings to the security party. Here's what you need to know.

You might not have heard of Windows Defender Application Control, so let's briefly explain what it does. In fact, let Microsoft explain: it is designed to protect devices against malware and other untrusted software. 'It prevents malicious code from running by ensuring that only approved code, that you know, can be run,' Microsoft said. In other words, it's a software-based security layer enforcing a list of specific software that is trusted enough to be allowed to run on your PC. It's also what is known as a security boundary and eligible for Microsoft bug bounty payments if it can be bypassed. This means, dear reader, there are a lot of hackers' eyes on the thing, and one of them just found a way to do precisely that: bypass Windows Defender Application Control.

Bobby Cooke, a red team operator working at IBM X-Force Red, or an elite hacker for want of a better definition, has confirmed that the Microsoft Teams application was 'a viable WDAC bypass' target and, 'when encountering WDAC during Red Team Operations, we successfully bypassed it and executed our Stage 2 Command and Control payload.' Uh oh Buck, bedoop, bedoop, bedoop.

Hackers are ingenious and obsessive when it comes to finding new attack methods and points of entry. So it should come as no surprise to learn that when hunting for a new execution chain to be used as preparation for a forthcoming financial sector client red team operation, Cooke looked to Windows Defender Application Control, and in particular, Electron applications. 'Electron applications function as web browsers that render desktop applications using standard web technologies like HTML, JavaScript and CSS,' Cooke said. What's more, the JavaScript engine used is something called and that provides for the use of a powerful application programming interface. They are powerful because they are capable of interacting with the host operating system. 'These APIs allow actions such as reading and writing files, executing programs and other operations typical of native applications,' Cooke explained.

So Cooke pivoted to the legacy Microsoft Teams application, originally built on Electron and signed by Microsoft, which was capable of bypassing even the strictest WDAC policies. 'While can interact with the operating system through its APIs,' Cooke said, 'it lacks the full functionality of C, where developers can directly call WINAPIs and NTAPIs.' But that gap is bridged by Node modules which can extend the capabilities of the framework and execute JavaScript within Electron applications.

I think my favorite explanation of what a LOLBIN is came from Naeem Rizwan Mirza, writing at the Emsisoft blog, who used the analogy of breaking into a house without setting the alarm off by using a spare key. 'The key belongs to the house and is typically used by its owner,' Mirza said, 'so security systems do not flag anything unusual.' A LOLBIN attack uses perfectly legitimate tools, those already built into the operating system, so they can be exploited without setting off the alarm either. Of course, that tool has been manipulated by the attacker, and so is not actually what it seems. To be accepted as a LOLBIN, sometimes just called a LOL, although that's a bit confusing and not at all funny, that binary, or library, has to be a system default that can be repurposed by the attacker in question. The end results are as varied as they are capacious: payload obfuscation, code compiling and even execution, DLL hijacking, and, of course, security protection evasion. As CrowdStrike helpfully pointed out, LOLBIN attacks are increasingly popular for many reasons, but in particular:

When it comes to LOLBIN attack mitigation, Mirza warned that a multi-layered approach is essential, and one which focuses on 'combining proactive measures, detection capabilities, and incident response strategies.' Endpoint detection and response can help by providing much-needed visibility into everything from command line execution to network connections, Mirza said, which means it can be possible to 'catch those unusual uses of LOLBINS and connect the dots with other suspicious events.' Although I might argue that such protections are the embodiment of security basics, Mirza reminded us that the more commonly regarded basics of good security hygiene cannot be overlooked when it comes to LOLBIN attack mitigation. By which we are talking about patch management to ensure all vulnerabilities are fixed in good time before they can be exploited, for example. Threat intelligence also fits my interpretation of basics because unless you know what you are defending against, you are always going to be on the back foot. And finally, Mirza said, you need an incident response plan. 'This is your playbook for what to do if an attack happens,' Mirza explained. 'It outlines the steps for detection, containment, eradication, and recovery — it's like having a fire drill so everyone knows what to do in an emergency.'

You should go and read the full report, which is highly technical and seriously useful for any security defenders, for all the attack details, as it's way too complex to cover here. However, the TL;DR when it comes to the techniques used by the X-Force red team hackers to be able to bypass the Windows Defender security controls and execute the payload is as follows:

Mitigating number one requires the client to have implemented the recommended block list rules, or to be using another solution that can detect the most common LOLBINs. Mitigating number two is only effective if Windows Defender Application Control is enabled without enforcing DLL signing.

I contacted Microsoft regarding the Windows Defender Application Control bypass, and a spokesperson said, 'We are aware of this report and will take action as needed to help keep customers protected.'
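The Fox News piece above points at two of the conditions a WDAC bypass relies on, policies that are not enforced properly and legitimate system binaries (LOLBins) being repurposed, and the Forbes TL;DR makes the same point from the mitigation side: the block-list rules have to be deployed and DLL signing has to be enforced. What follows is an added example, not code from either article, from IBM X-Force Red or from Microsoft, showing how a defender can check for those gaps from the Windows CodeIntegrity operational log. It separates event 3076 (a policy violation was logged but the image was still allowed to load, which is what audit mode produces) from event 3077 (the load was blocked), flags violations whose parent process is on a watch list of living-off-the-land binaries, and lists DLLs that loaded despite violating policy. The event IDs and the message wording are the ones Windows uses; the sample event lines, the paths, the policy ID and the watch list itself are constructed for this example.

```python
"""Triage WDAC CodeIntegrity/Operational events for enforcement gaps (added example)."""
import os
import re
from typing import Optional

# Windows logs a WDAC policy violation as event 3076 when the policy is in audit mode
# (the image is still allowed to load) and as 3077 when the policy is enforced (blocked).
AUDIT_EVENT = 3076
BLOCK_EVENT = 3077
AUDIT_MARKER = "the image was allowed to load"

# Illustrative watch list of living-off-the-land binaries that should rarely be the
# parent of a policy violation. Constructed for this example; not Microsoft's block list.
WATCHED_LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "msbuild.exe"}

# Matches the message format Windows uses for CodeIntegrity events 3076/3077 (and 3033).
EVENT_RE = re.compile(
    r"^(?P<event_id>\d+)\s+Code Integrity determined that a process "
    r"\((?P<parent>[^)]+)\) attempted to load (?P<image>.+?) that did not meet"
)

# Constructed sample events: paths and the policy ID are invented for the example.
SAMPLE_EVENTS = [
    r"3077 Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) "
    r"attempted to load \Device\HarddiskVolume3\Users\kw\Downloads\tool.exe that did not meet the "
    r"Enterprise signing level requirements or violated code integrity policy (Policy ID:{EXAMPLE-POLICY}).",
    r"3076 Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\rundll32.exe) "
    r"attempted to load \Device\HarddiskVolume3\Users\kw\AppData\Local\Temp\helper.dll that did not meet the "
    r"Enterprise signing level requirements or violated code integrity policy (Policy ID:{EXAMPLE-POLICY}). "
    r"However, due to code integrity auditing policy, the image was allowed to load.",
    r"3076 Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\mshta.exe) "
    r"attempted to load \Device\HarddiskVolume3\Users\kw\AppData\Local\Temp\stage.dll that did not meet the "
    r"Enterprise signing level requirements or violated code integrity policy (Policy ID:{EXAMPLE-POLICY}). "
    r"However, due to code integrity auditing policy, the image was allowed to load.",
    # Event 3033 reports a different code-integrity check, not a WDAC policy decision: ignored.
    r"3033 Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) "
    r"attempted to load \Device\HarddiskVolume3\Windows\System32\drivers\example.sys that did not meet the "
    r"Microsoft signing level requirements.",
]


def parse_event(line: str) -> Optional[dict]:
    """Return a normalised record for a 3076/3077 event, or None for anything else."""
    match = EVENT_RE.match(line)
    if not match:
        return None
    event_id = int(match.group("event_id"))
    if event_id not in (AUDIT_EVENT, BLOCK_EVENT):
        return None
    # Paths are NT device paths with backslashes; normalise so basename works on any host.
    parent = os.path.basename(match.group("parent").replace("\\", "/")).lower()
    return {
        "event_id": event_id,
        "parent": parent,
        "image": match.group("image"),
        "allowed": event_id == AUDIT_EVENT or AUDIT_MARKER in line,
    }


def triage(lines):
    """Summarise enforcement posture and suspicious parents across a batch of event lines."""
    events = [e for e in (parse_event(line) for line in lines) if e is not None]
    allowed = [e for e in events if e["allowed"]]
    blocked = [e for e in events if not e["allowed"]]
    return {
        "events": len(events),
        "blocked": len(blocked),
        "audit_allowed": len(allowed),
        # Any audit-only event means at least one policy is not enforcing: a violation
        # was recorded and the image still loaded.
        "policy_enforced": bool(events) and not allowed,
        "lolbin_parents": sorted({e["parent"] for e in events if e["parent"] in WATCHED_LOLBINS}),
        # DLLs that loaded despite violating policy.
        "dlls_allowed": sorted(e["image"] for e in allowed if e["image"].lower().endswith(".dll")),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On a real host the lines would come from the Microsoft-Windows-CodeIntegrity/Operational channel (for example exported with wevtutil or Get-WinEvent and reduced to "EventID Message" lines); the verdict to act on is `policy_enforced` being false while `dlls_allowed` is non-empty, since that combination means policy violations are being logged but not stopped.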
