Sorry, Linux. We know you want to be popular, but cyber-crooks are all about Microsoft for now

Oh, and Flash! Arrrrrggghhh


Eight out of the ten most exploited vulnerabilities tracked by threat intelligence biz Recorded Future in 2018 targeted Microsoft products – though number two on its list was, surprise surprise, a Flash flaw.

The most exploited vuln in the firm's hall of shame was a remote code execution flaw in Windows' VBScript engine that could pwn users who opened a booby-trapped web page with Internet Explorer.

"Exploit kits associated with this vulnerability were noted to spread the malware Trickbot through phishing attacks," said Recorded Future in a report published today.

The Flash vuln was none other than one exploited by North Korean state-backed hackers – first detected by South Korea's CERT, which discovered a flood of booby-trapped MS Office documents, web pages, spam messages and more.

Meanwhile, a near three-year-old vuln continues to be one of the most exploited flaws tracked by Recorded Future. In July 2016 the Neutrino exploit kit added an exploit for this Internet Explorer bug, built out of code first published by white hats trying to provoke Microsoft into cleaning up the then-zero-day.

Recorded Future said it had seen five new exploit kits using the underlying code to target hapless IE users, warning that "the only workarounds are restricting access to two common dynamic-linked library files: VBScript.dll and JScript.dll".
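As an added illustration of that workaround (this is not code from the Recorded Future report or the article), the script below denies all access to both the 64-bit and 32-bit copies of the two script-engine DLLs, in the spirit of Microsoft's own takeown/cacls guidance for older IE script-engine bugs. The `-Undo` switch, the use of the Everyone well-known SID and the choice of a FullControl Deny entry are this example's assumptions.

```powershell
# Added example (not from the Recorded Future report or the article): an interim
# workaround that denies access to the VBScript and JScript engine DLLs until the
# host is patched. Run from an elevated PowerShell on Windows.
[CmdletBinding()]
param([switch]$Undo)   # -Undo removes the Deny entries again (example's own switch)

# On 64-bit Windows both copies matter: 64-bit IE loads from System32,
# 32-bit IE (and most other 32-bit script hosts) from SysWOW64.
$dlls = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($name in 'vbscript.dll', 'jscript.dll') {
        $path = Join-Path $env:windir "$dir\$name"
        if (Test-Path $path) { $path }
    }
}

# Well-known SID for Everyone (S-1-1-0), so the rule does not depend on the locale.
$everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$denyAll  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $everyone, 'FullControl', 'Deny'

foreach ($dll in $dlls) {
    if (-not $Undo) {
        # The engine DLLs are owned by TrustedInstaller; take ownership before editing the DACL.
        takeown.exe /F $dll | Out-Null
    }

    $acl = Get-Acl -Path $dll
    if ($Undo) {
        # Removes every Deny entry for Everyone, whatever rights it carried.
        $acl.RemoveAccessRuleAll($denyAll)
    } else {
        # A Deny ACE wins over any Allow ACE, so even SYSTEM and admins lose access
        # until the entry is removed again; this is what stops IE loading the engine.
        $acl.AddAccessRule($denyAll)
    }
    Set-Acl -Path $dll -AclObject $acl

    $state = if ($Undo) { 'Deny entry removed' } else { 'Everyone denied' }
    Write-Output ("{0}: {1}" -f $dll, $state)
}
```

Two caveats a practitioner would want before rolling this out. First, the Deny entry blocks every consumer of the engines, not just IE: Windows Script Host logon scripts, HTAs and some installers will stop working, and the servicing stack cannot replace the files while the entry is in place, so run the script with `-Undo` (and restore ownership with `icacls <dll> /setowner "NT SERVICE\TrustedInstaller"`) before applying the patch that makes the workaround unnecessary. Second, it is a stopgap against the specific engine being abused; exploit kits that target a different IE component are unaffected.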

The threat intelligence biz built its master list of commonly abused vulns from 167 exploit kits and 492 remote-access Trojans. Its report specifically excluded Spectre, Meltdown and EternalBlue: the latter on the grounds that it was "not used by the criminal underground", the former pair because they were not "heavily utilized" by miscreants. ®



Biting the hand that feeds IT © 1998–2022