Latest news with #MicrosoftSecurity


Geek Wire
24-07-2025
- Geek Wire
Microsoft contains SharePoint security wildfire, but questions linger about on-premises software
Microsoft's latest vulnerability impacted on-premises SharePoint software.

Editor's note: This is a guest analysis from Christopher Budd, who previously spent a decade at the Microsoft Security Response Center (MSRC).

Emergency security teams know summer weekends are made for work. Last weekend was a reminder of that industry truism with Microsoft's SharePoint vulnerability (CVE-2025-53770). It's a classic 'remote code execution' vulnerability that only affects on-premises SharePoint servers. It can give an attacker full control over a system without authentication. If you can access the system on the internet, you can attack it and take it over. We saw attackers around the world using it quickly to establish a foothold on vulnerable networks, frequently using webshells, as we saw happen with Microsoft Exchange in 2012 and 2022 with the ProxyShell and ProxyNotShell attacks.

The attacks were another classic 'zero day' situation, with a new vulnerability under attack and no patch initially available. This time, Microsoft published information broadly within a day and started releasing patches within two days of the event breaking, a nearly unprecedented speed of response for the company. Microsoft execs got the word out with each new development, providing clear, urgent direction. Certainly, when we look at the response, it was faster and better than we saw with ProxyNotShell. It was another example of Microsoft showing that when it needs to, it can pull out all the stops with its security response, much like it did with SolarWinds in December 2020.

Microsoft has also steered clear recently of the kinds of major breaches that plagued the company from March 2022 through January 2024, when corporate and cloud systems were breached by three major threat actor groups (Lapsus$, Storm-0558, Midnight Blizzard).

Taken altogether, we can think of this as a wildfire that was identified and contained relatively quickly. There is damage from it, and teams are coming off (yet another) very long summer weekend. But compared to what this could have been, this situation was merely bad, not awful.

Yet this vulnerability also exposes a fundamental tension: While Microsoft's response was exemplary, the fact that we're still seeing critical zero-day flaws in on-premises products raises questions about where these systems fit in Microsoft's cloud-first, AI-focused future. Where does securing on-premises software like Exchange, SharePoint, and, yes, Windows (which includes Active Directory) get prioritized in the company's Secure Future Initiative?

The well-oiled Patch Tuesday machine that I and others helped build in the early 2000s continues to chug along. But the number of patches continues to increase, and the level of innovation and development around Patch Tuesday has generally dropped off in recent years. As a case in point, Microsoft promised 'no reboot' patches in the late 2000s. I distinctly recall that we promised this as 'coming soon' on the security bulletin webcasts I hosted then. But no-reboot patches never materialized at the time. While Microsoft is finally delivering on this promise, it has taken more than 15 years, and the company is implementing it in a way that is clearly focused on the enterprise space — at a cost to users and tied to the company's cloud offerings.

In today's cloud-and-AI era, many organizations still rely on on-premises systems like SharePoint for essential operations. Microsoft's swift response to this latest vulnerability proves it can rise to the occasion. But as the company accelerates its cloud-first agenda, it's fair to ask: Will on-premises software receive the same level of care and innovation?
The latest fire may be out, but that burning question remains.


CTV News
22-07-2025
- Business
- CTV News
Quebec government computer networks affected by widespread Microsoft cyberattack
Computer networks in the Quebec government are being affected by a massive cyberattack targeting widely used Microsoft software, the province confirmed. The tech company issued an alert to customers of its SharePoint software on Saturday, warning of a zero-day exploit being used to carry out attacks. The software is used by clients around the world, including government agencies and businesses, for internal document sharing and collaboration.

Quebec's Ministry of Cybersecurity and Digital Technology said in a statement Tuesday afternoon that it took immediate action and is conducting an investigation into the vulnerability. 'This vulnerability affects the systems of several governments and companies, including certain Quebec government departments and agencies,' the ministry said.

As a result, various Quebec public administration websites may be shut down Tuesday as a preventive measure in order to apply 'fixes and mitigation measures.' The website for Retraite Québec displayed a notice on Tuesday, telling clients that it was 'currently experiencing difficulties,' though it was not immediately clear if the issue was related to the Microsoft vulnerability. The ministry said it is working to ensure that appropriate solutions are implemented to limit the impact on online users.

Microsoft has issued an emergency fix to close the vulnerability for SharePoint Server 2019 and SharePoint Server Subscription Edition. The Associated Press reported that security researchers warned that the exploit is a serious one and can allow actors to fully access SharePoint file systems, including services connected to SharePoint, such as Teams and OneDrive.

With files from The Associated Press


Techday NZ
17-07-2025
- Business
- Techday NZ
Octo Tempest targets airlines as Microsoft warns of new cyber risks
Microsoft has reported that the cybercriminal group Octo Tempest has shifted its focus to the airlines sector following recent attacks on retail, food services, hospitality, and insurance organisations. The observed pattern is consistent with Octo Tempest's usual strategy of targeting a single sector for several weeks or months before moving on to new industries. Microsoft Security products are being regularly updated to address these evolving threats.

Octo Tempest activity

Octo Tempest, also known by names such as Scattered Spider, Muddled Libra, UNC3944, and 0ktapus, is financially motivated and employs a variety of methods in its attacks. Initial access is typically achieved through social engineering, including impersonation of legitimate users, as well as contacting support desks via phone, email, and messaging platforms. The group also uses SMS-based phishing through adversary-in-the-middle domains, which are crafted to appear as legitimate organisational sites. Additional tactics include the use of tools such as ngrok, Chisel, and AADInternals, impacting hybrid identity infrastructures, and exfiltrating data to support extortion or ransomware activities. Recent attacks have seen the deployment of DragonForce ransomware, with a focus on VMware ESX hypervisor environments. Unlike previous incidents, recent attacks have also impacted both on-premises accounts and infrastructure at the initial stage prior to shifting to cloud environments.

Detection strategies

Microsoft Defender provides detection coverage for Octo Tempest activity across all segments of the security portfolio, including endpoints, identities, SaaS applications, email and collaboration platforms, and cloud workloads. The following detection capabilities have been mapped against Octo Tempest's recently observed tactics, techniques, and procedures:

- Initial access: Detection of unusual password resets within virtual environments
- Discovery: Monitoring for suspicious credential dumping, account enumeration, and reconnaissance activities across DNS, SMB, SAMR, and LDAP
- Credential access and lateral movement: Monitoring use of tools such as Mimikatz and ADExplorer, suspicious Azure role assignments, and potentially malicious device registrations
- Persistence and execution: Identifying trusted backdoor installations and persistent ADFS backdoors
- Actions on objectives: Detection of data exfiltration and prevention of ransomware deployment via Microsoft Defender capabilities

Microsoft notes that the list above is not exhaustive and that a full set of detection options remains available through the Microsoft Defender portal.

Attack disruption and incident response

"Attack disruption is Microsoft Defender's unique, built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker's next move by containing the compromised asset (user, device). This technology uses multiple potential indicators and behaviors, including all the detections listed above, possible Microsoft Entra ID sign-in attempts, possible Octo Tempest-related sign-in activities, and correlates them across the Microsoft Defender workloads into a high-fidelity incident."

According to Microsoft, when Octo Tempest techniques are identified, attack disruption will disable compromised user accounts and revoke active sessions, isolating the threat. Security operations centre teams are advised to follow up with incident response actions to ensure threats are fully remediated.
Proactive defence approaches

Organisations are also encouraged to use Microsoft Defender's advanced hunting capabilities to proactively identify, trace, and respond to Octo Tempest-related activities. Analysts can query both Microsoft and non-Microsoft data sources using tools such as Microsoft Defender XDR and Microsoft Sentinel, and receive exposure insights from Microsoft Security Exposure Management. The Exposure Graph enables defenders to assess user targeting and potential impacts of compromise.

"Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Octo Tempest's hybrid attack tactics."

Security teams are advised to classify critical assets in the Microsoft Defender portal, create custom rules, and use initiatives to address specific threats including those posed by Octo Tempest and ransomware groups. The 'Chokepoint' view in the attack path dashboard allows teams to spot helpdesk-linked accounts that Octo Tempest is known to target and take remediating steps accordingly.

Recommended security measures

Microsoft has issued a set of basic security recommendations to mitigate exposure and limit the risk from groups such as Octo Tempest:

- Identity security: Enable multifactor authentication (MFA) for all users, enforce phishing-resistant MFA for administrators, restrict overprovisioned identities in cloud environments, and use Microsoft Entra Privileged Identity Management.
- Endpoint security: Activate cloud-delivered and real-time protection with Microsoft Defender Antivirus, turn on tamper protection, and use attack surface reduction rules to block credential stealing and related malicious techniques.
- Cloud security: Enable purge protection for Key Vaults, use just-in-time network access control for virtual machines, encrypt data with customer-managed keys, activate logging for Azure Key Vault, and ensure Azure Backup is enabled for virtual machines.

"In today's threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats:"

The recent focus on the airlines sector by Octo Tempest highlights the ongoing shift in cybercriminal tactics and the need for robust, layered security measures. Organisations are encouraged to regularly reassess their security strategies, apply recommended safeguards, and utilise updated detection and disruption technologies to manage evolving threats.


NDTV
09-07-2025
- Business
- NDTV
FBI And Microsoft Bust Massive North Korean Laptop Farm Scam Across US
In a major crackdown, Microsoft has suspended 3,000 Outlook and Hotmail accounts linked to North Korean IT workers involved in a global job fraud scheme. The company's Threat Intelligence team, calling the operation "Jasper Sleet," outlined its findings in a detailed post, revealing the scope of the elaborate scam. The US Department of Justice also joined the operation, seizing hundreds of laptops and 29 financial accounts, and shutting down nearly 24 websites.

Authorities raided 29 "laptop farms" across the US, where Americans were helping foreign workers gain unauthorized access to remote jobs, according to Fortune Magazine. These accomplices either installed remote access tools on company-issued laptops or shipped them to countries like Russia and China. Some Americans even rented out their identities to help North Koreans apply for US tech jobs.

A Maryland nail salon worker was recently caught running a massive scheme, managing 13 remote IT jobs on behalf of North Korean workers. He pocketed nearly $1 million through this illicit activity. After pleading guilty to conspiracy to commit wire fraud, he's set to be sentenced in August. This case is part of a larger effort to crack down on North Korea's use of overseas tech jobs to fund its regime.

According to Microsoft Security, North Korea has deployed thousands of remote IT workers to assume jobs in software and web development as part of a revenue generation scheme for the North Korean government. These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities. Historically, North Korea's fraudulent remote worker scheme has focused on targeting United States (US) companies in the technology, critical manufacturing, and transportation sectors. However, Microsoft has observed North Korean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles.

Since 2020, the US government and cybersecurity community have identified thousands of North Korean workers infiltrating companies across various industries. The North Korean IT worker scheme generates up to $600 million a year, according to UN estimates, and the IT workers share information with more malicious cyber attackers that have stolen billions in crypto. The revenue generated by the scheme and the illicitly heisted crypto are used to fund DPRK authoritarian ruler Kim Jong Un's nuclear weapons program, according to the FBI and the US Department of Justice.


Business Wire
21-05-2025
- Business
- Business Wire
Connection Achieves Full Suite of Microsoft Security Specializations
MERRIMACK, N.H.--(BUSINESS WIRE)--Connection (PC Connection, Inc.; NASDAQ: CNXN), a leading information technology solutions provider to business, government, healthcare, and education markets, is pleased to announce that it has achieved Microsoft Security Specializations for proficiency in all four solution areas: Cloud Security, Identity and Access Management, Information Protection and Governance, and Threat Protection. Connection's attainment of all four Microsoft Security specializations is a testament to Connection's deep expertise and ongoing commitment to delivering comprehensive, end-to-end protection against evolving cyber threats.

Microsoft Specializations are awarded based on the demonstrated ability to successfully deliver solutions built on Microsoft technology. Results are measured by performance, skilling, and customer success. Connection achieving all four Microsoft Security Specializations showcases the Company's ability to provide comprehensive security solutions that are aligned to Microsoft Cloud and help customers achieve their business goals.

Dave Hall, General Manager, Technology Solutions and Services at Connection said, 'Attaining all four Microsoft Security Specializations reflects the significant investment Connection has made in our technical expertise, resources, and solution-building capabilities—and our commitment to helping customers integrate advanced security into every layer of their organizations. Combined with the team's customer-centric focus and deep portfolio of Microsoft Solutions Partner designations, this achievement enables our Technology Solutions and Services organization to deliver ingenuity, unparalleled support, and exceptional value at a time when the threat landscape demands it. Connection will continue to align with trusted partners and invest in our capabilities to help customers build innovative, effective security strategies to protect their users, devices, and critical data.'

Tony Surma, CTO, Microsoft Americas Global Partner Solutions said, 'Connection's attainment of all four Microsoft Security specializations is a testament to Connection's deep expertise and ongoing commitment to delivering comprehensive, end-to-end protection against evolving cyber threats. This accomplishment reinforces Connection's position as a leading Microsoft Security partner and highlights our shared commitment to prioritize cybersecurity for every person and organization on the planet.'

Connection is an AI Cloud Microsoft Solutions Partner with the following Microsoft Designations, Specializations, Expert Programs, and Capabilities:

Designations
- Solutions Partner for Infrastructure (Azure)
- Solutions Partner for Data & AI (Azure)
- Solutions Partner for Digital & App Innovation (Azure)
- Solutions Partner for Modern Work
- Solutions Partner for Security
- Solutions Partner for Business Applications

Specializations
- Cloud Security
- Identity and Access Management
- Information Protection and Governance
- Threat Protection
- Adoption and Change Management
- Modernize Endpoints
- Teamwork Deployment

Expert Programs
- Azure Expert Managed Services Provider (MSP)

Capabilities
- Microsoft Direct Cloud Services Partner
- Microsoft FastTrack Ready Partner
- Microsoft Marketplace Co-Sell Ready
- Microsoft Multi-Party Private Offer Selling Partner
- Microsoft Authorized Surface Provider
- Microsoft Authorized Education Partner
- Microsoft Delivery Service Partner
- Microsoft Open Value, Charity, and Academic Volume Licensing Programs with Service and Support for Microsoft Enterprise Agreements and Microsoft Products and Services Agreement

About Connection

PC Connection, Inc. and its subsidiaries, dba Connection, (NASDAQ: CNXN) is a Fortune 1000 company headquartered in Merrimack, NH. With offices throughout the United States, Connection delivers custom-configured computer systems overnight from its ISO 9001:2015 certified technical configuration lab at its distribution center in Wilmington, OH. In addition, the Company has over 2,500 technical certifications to ensure that it can solve the most complex issues of its customers. Connection also services international customers through its GlobalServe subsidiary, a global IT procurement and service management company. Investors and media can find more information about Connection at

Connection Business Solutions (800.800.5555) is a rapid-response provider of IT products and services serving primarily the small- and medium-sized business sector. It offers more than 460,000 brand-name products through its staff of technically trained sales account managers, publications, and its website at

Connection Enterprise Solutions (561.237.3300) provides corporate technology buyers with best-in-class IT solutions, in-depth IT supply-chain expertise, and real-time access to over 460,000 products and 1,600 vendors through MarkITplace®, a proprietary next-generation, cloud-based supply chain solution. The team's engineers, software licensing specialists, and subject matter experts help reduce the cost and complexity of buying hardware, software, and services throughout the entire IT lifecycle.

Connection Public Sector Solutions (800.800.0019) is a rapid-response provider of IT products and services to federal, state, and local government agencies and educational institutions through specialized account managers, publications, and online at