Cybersecurity News: Microsoft Entra lockouts, wine tasting malware, job scam solution

In today’s cybersecurity news…

Widespread Microsoft Entra lockouts caused by new security feature rollout

A widespread issue with Microsoft Entra ID’s new “MACE Credential Revocation” app has caused mass account lockouts across organizations. Admins report false positives triggered by the app’s leaked credentials detection, despite affected accounts having unique passwords, MFA protection, and no signs of compromise. Alerts began overnight on Friday, locking out large numbers of users. A Reddit thread revealed extensive impact, including over 20,000 notifications sent to a managed detection and response provider. Microsoft reportedly told one affected organization the lockouts were due to a problem with the MACE app’s rollout.

(BleepingComputer)

Malware delivered through diplomatic wine-tasting invites

A new set of phishing attacks from the Russian state-sponsored threat actor APT29 is targeting high-ranking European and Middle Eastern diplomats under the guise of email invitations to wine-tasting events, purportedly sent from an unspecified European Ministry of Foreign Affairs. The invite triggers the deployment of malware called GRAPELOADER, hidden inside a ZIP archive named “wine.zip.” “The malware gains persistence by modifying the Windows Registry to ensure that the ‘wine.exe’ executable is launched every time the system is rebooted.”

(The Hacker News)

British companies told to hold in-person interviews to thwart North Korea job scammers

After finding it too difficult to pursue the job-finding scam in the U.S., North Korean operatives are now focusing on Europe, and especially the UK, to seek out remote work with the goal of accessing sensitive data as well as cash. They are often assisted by co-conspirators who hold physical addresses in the country. John Hultquist, the chief analyst at Google’s Threat Intelligence group, told the UK news outlet The Guardian, “many of the remedies are in the hands of the HR department, which usually has very little experience dealing with a covert state adversary.” He added that companies “need to do a better job checking physical identities and ensuring the person you’re talking to is who they claim to be. This scheme usually breaks down when the actor is asked to go on camera or come into the office for an interview.”

(The Guardian)

Chrome extensions with 6 million installs contain hidden tracking code

A set of 57 hidden Chrome extensions, installed by over 6 million users, has been found with dangerous capabilities like monitoring browsing activity, accessing cookies, and potentially running remote scripts. These hidden extensions don’t appear in Chrome Web Store searches and can only be installed via direct URLs, often used for internal tools but possibly exploited by threat actors to avoid detection. Researcher John Tuckner of Secure Annex discovered the issue while analyzing a suspicious, obfuscated extension called “Fire Shield Extension Protection,” which sends collected data to an external API. The extensions may be distributed through ads and malicious websites.

(BleepingComputer)

Huge thanks to our sponsor, Dropzone AI

Growing your MSSP client roster while your alerts are multiplying? Dropzone AI works alongside your team, investigating alerts just like your best human analysts would. Our AI SOC Analyst cuts investigation time from an hour to minutes while handling five times more alerts per analyst. Unlike complex SOAR solutions, Dropzone deploys quickly and adapts to your environment without the need for playbooks or coding. Eliminate backlogs, reduce false positives, and deliver the detailed investigations your clients expect. Ready to scale your MSSP without scaling your team? Meet us at booth ESE-60 at RSA.

Cisco Webex bug lets hackers gain code execution via meeting links

Cisco has issued security updates for a high-severity vulnerability in the Webex app that allows unauthenticated attackers to execute remote code via malicious meeting invite links. The flaw stems from improper input validation in the Webex custom URL parser and affects all operating systems and configurations. Attackers can exploit the bug by tricking users into clicking a crafted link and downloading files, enabling arbitrary command execution with user-level privileges. Rated low in attack complexity, the vulnerability poses significant risk, and Cisco urges users to update immediately, as no workarounds are available to prevent exploitation.

(BleepingComputer)

Payment-card scam involves a phone call, some malware and a personal tap

Researchers at the Italian cybersecurity firm Cleafy are warning financial institutions to watch for a scam that “combines social engineering, previously undocumented malware and mobile phones’ near-field communication (NFC) capabilities to compromise payment cards.” This scam, which is currently active in Italy, delivers malware dubbed SuperCard X. The scam starts with a bank fraud alert text message. Victims who call the phone number in the message are instructed to provide their PINs and remove any spending limits on the card. The novel part of this scam is that the victim is then instructed to hold their physical debit or credit card in proximity to their infected mobile device. The SuperCard X malware then captures the card details transmitted via NFC. Cleafy’s report states that this “allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers.”

(The Record)

Hannaford and Stop & Shop parent company confirms data stolen in cyberattack

Following up on a story we covered last November, the Dutch food conglomerate Ahold Delhaize USA, parent company of Stop & Shop, Hannaford, Food Lion, and Giant Food, now confirms that data was stolen during the cyberattack of early November 2024. Responsibility for the attack has been claimed by the INC ransomware gang, who claim to have stolen six terabytes of information. Representatives from Ahold Delhaize USA state that they are still working to determine specifically what was stolen.

(The Record)

ASUS confirms critical flaw in AiCloud routers

The flaw, which carries a CVSS score of 9.2, could allow remote attackers to perform unauthorized execution of functions on susceptible devices. The issue has been addressed with firmware updates for branches in the 3.0.0.4 series, and ASUS reminds users to “use different passwords for the wireless network and the router administration page.”

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.