Sorry, chaps! We didn't mean to steamroller legit No-IP users – Microsoft

Microsoft has admitted that it did disrupt a significant number of legitimate users of No-IP's dynamic DNS service, but says the problem is now sorted out. "Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners' knowledge through the …

  1. Anonymous Coward

    "The injunction was granted because the Microsoft security team showed evidence that malware writers were using No-IP's services to sell and control nearly 250 types of malware, and in particular the Windows-targeted trojans Bladabindi and Jenxcus."

    I have seen portscans coming from Azure servers; would Microsoft like for someone to seek a temporary injunction knocking Azure off the map until it is resolved?

    Maybe No-IP should seek a temporary injunction against Microsoft because Microsoft products are being sold and used as zombies. Get rid of them being able to sell their software which is used in this fashion and in a decade or so, the issue is resolved.

    1. eulampios

      exactly

      because Microsoft products are being sold and used as zombies

      That is the gist of this issue! Sorry, can't upvote you more than once.

      As per David Finn, associate general counsel of Redmond's Digital Crimes Unit : "..surreptitiously installed malware on millions of devices without their owners' knowledge..." Some kind of injunction on those malware-loving devices would be very logical.

  2. PJD

    I'm going to have to call bullshit on this one - it's 4pm Pacific time and the no-ip address I had still isn't resolving to anything. On the other hand, no-ip's website seems to be back up.

    1. Anonymous Coward

      I'm going to have to call bullshit on this one

      Same here. And no, it's not a caching problem, not on a recursive server whose cache I just cleared.

      1. NP-Hardass

        Same here

        See title.

    2. Just a geek

      Still not working for me either.

      1. Aqua Marina

        nor mine

        nor mine

        1. Captain Hogwash

          Re: nor mine

          Fine and dandy it most certainly is not at 12:46 BST.

  3. Richard Boyce

    Crossfire

    Now that DynDNS has ceased its free service, I expect we'll see more battles like this between the free providers, business interests, criminal interests and perhaps political interests of one sort or another.

    Roll on IPv6 when everyone can have a static IP address for every device, and end users can then perhaps avoid getting caught in some of the crossfire.

    1. Anonymous Coward

      Re: Crossfire

      Hey Stephen Fry... How does having a static IP, even if it's a v6 IP, mitigate the requirement for DNS servers???

      1. intlabs

        Re: Crossfire

        Hey chump,

        'Cause if you have a static IP then if you need DNS you can use a normal service, like everyone else - the need for dynamic DNS services will not be there any more. (Or at least vastly reduced).

        Maybe think before getting excited.

  4. Trigun

    meh

    Fortunately, I've got my own domain name registered and coupled to my no-ip account, but my free no-ip domain name is definitely not working.

    I won't go to town (yet) on Microsoft for doing what they did as I don't know all of the details. However, their continued incompetence with regard to blocking legitimate users' domain names beggars belief and they need to pull their collective finger out and fix it.

    Also, although in a way it makes sense that Microsoft be the ones to do this "filtering", it seems odd for a non-government agency to be handed what is effectively seized assets from another company. In no other industry that I can think of would this happen.

    1. Yet Another Anonymous coward

      Re: meh

      >it seems odd for a non-government agency to be handed what is effectively seized assets from another company.

      Why, we've given corporations entire countries in similar deals - and Microsoft is worth a lot more than a fruit or rubber company

    2. Arctic fox

      @Trigun Re: "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

      ..........the technical side of this action very well I did feel that the following from the ISP's spokeswoman was more than a bit cheeky.

      "At 6am, they seemed to make a change to forward on the good traffic, but it didn’t do anything. Although they seem to be trying to take corrective measures, DNS is hard, and they don’t seem to be very good at it."

      I am sorely tempted to paraphrase her remarks in the following fashion:

      "Although No-IP claimed to be taking corrective measures to prevent their service being misused by malware bandits, secure Internet service provision is hard, and they don't seem to be very good at it."

      1. Tom 38

        Re: @Trigun "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

        You've mis-read the article - the "ISP" referred to is No-IP, she is complaining that MS are clueless when it comes to DNS.

        1. John Gamble

          Re: @Trigun "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

          You've mis-read the article ...

          No, they didn't. You do seem to have mis-read the comment though.

  5. Mikel

    The scale of it

    250 different -types- of botnet comprises only 25% of the malicious activity Microsoft is tracking. And one botnet of one type can consist of tens of millions of machines. How many Windows boxes are compromised? All of them?

    1. Anonymous Coward

      Re: The scale of it

      Yep. Several times over. Sometimes in the thousands on the same machine.

  6. barnabas1969

    What lies!

    It's 8:03pm EDT (5:03pm PDT). I still cannot access most of the services I have forwarded on my home router using the no-ip domain. Microsoft most certainly has NOT fixed the problem!

    I received an e-mail from no-ip telling me that I should setup a new host using new primary domains that they created after this fiasco began... but the no-ip.com website is not responding (presumably because so many people are trying to setup new host names).

    Microsoft claims that 93% of no-ip hosts were participating in malware. I find this to be completely unbelievable.

    I switched to a different DDNS provider, and I'm sure many other people will too. No-IP should sue Microsoft.

    1. RMycroft

      Re: What lies!

      What Microsoft claimed was that 93% of the malware that uses DNS uses No-IP. They forgot to mention that 100% of the malware uses Windows.

      1. Anonymous Coward

        Re: What lies!

        "They forgot to mention that 100% of the malware uses Windows"

        Erm no. They are blocking the C&C servers - the vast majority of which are exploited Linux based systems.

    2. Anonymous Coward

      Re: What lies!

      As for me, I CAN'T change the name because it's used in a VPN certificate (and VPN certificates are domain-name-specific).

  7. ben edwards

    If No-IP had been pro-active instead of re-active, MS wouldn't have had to take them to court in the first place. Those guys aren't innocent in all of this, remember.

    1. Anonymous Coward

      > If No-IP had been pro-active instead of re-active, MS wouldn't have had to take them to court in the first place. Those guys aren't innocent in all of this, remember.

      Jesus, they are a DNS service for Christ's sake. Do we sue Yellow pages for all the criminal organisations that happen to put an entry in the book? Engage some fucking brain cells.

      1. Anonymous Coward

        Also the need for engaging some brain cells here...

        "Microsoft's takeover of No-IP's domains may have pissed off the DNS firm's customers, but the security industry has rallied around the move. Kaspersky Lab expert Costin Raiu said the power grab has crippled command-and-control systems for many malware operators."

        Switching off the fucking internet would achieve the same. Not exactly productive though is it? Before anyone states it was just no-ip I say that's just the starting point. They have won a case now watch them march on from here.

      2. Asylum Sam

        If you had a list with proof of companies selling drugs via Yellow Pages, wouldn't you expect them to be more than happy to help remove the listings?

        1. localzuk

          If you had a list of companies selling drugs, and you approached the company first you mean? Sure. If they had the list, bypassed the company and went to a judge to get this year's books confiscated before they're distributed so you can drop them in a big vat of black ink before distributing them, then no...

    2. I. Aproveofitspendingonspecificprojects

      So you see; it is OK really

      Really?

    3. RMycroft

      Do you have anything other than the word of David "Pinocchio" Finn that No-IP hasn't been pro-active?

      As I recall, No-IP was always quick to pull the plug on spammers who abused their service. I don't see why they wouldn't be consistent against malware too.

      Also, Microsoft didn't "take them to court". That would involve exchanging legal letters and finally having lawyers for No-IP present in the court room to argue their side. Microsoft did the exact opposite of taking them to court: Microsoft apparently engaged in a legal sneak-attack.

      1. localzuk

        According to No-IP, Microsoft didn't even contact them about the problem first... So, it looks remarkably like Microsoft simply took it upon themselves to do whatever they wanted, and found a random judge that would side with them to do it.

        If I were No-IP, I'd be pursuing it through the courts, as Microsoft seem to have failed to do any pre-injunction legwork to try and remedy the issue, which is usually required in order to get such an injunction. Not to mention, does a Judge have the right to hand over the assets from one company to another without that company having any legal representation or redress?

  8. Just a geek

    A thought just crossed my mind

    If Microsoft cannot handle the DNS requests for No-ip can they not scale them out to Azure and if not, is Azure not fit for purpose?

    This little cock up should come back and bite them hard.

    1. Anonymous Coward

      Re: A thought just crossed my mind

      It seems rather unlikely that scalability is the issue. Microsoft's DNS infrastructure routinely handles millions of requests, and it wouldn't be hard for them to add additional hardware. Most likely they simply screwed up the config - which presumably wouldn't have been possible to test in advance...

      1. Maventi

        Re: A thought just crossed my mind

        "It seems rather unlikely that scalability is the issue. ... Most likely they simply screwed up the config..."

        That's entirely possible, but no matter which of those is true Microsoft have demonstrated a significant lack of competence and caused a lot of disruption as a result. Even if they couldn't test it in advance the time it took to sort things out shows that they were really struggling to figure this out.

        No matter how you look at it this was very poorly executed and they deserve the hit in reputation they have received.

        1. Anonymous Coward

          Re: A thought just crossed my mind

          Microsoft on occasion makes IBM look competent by comparison....

  9. startstuff

    I am one of those infected.

    I have a paid account with noip.com and all my hosts suddenly disappeared (home security cameras and computers, friends and clients). I didn't know what happened until I read the news.

    I found out that all my hosts were infected by malware mainly windows 7 and internet explorer.

    Poor Microsoft, they can't help it, they were born with a virus up their butts. It is like confiscating all GM cars because someone used a Chevrolet Impala to commit a crime. Smart, very smart.

    Looking forward for compensation in the form of a class action lawsuit.

    1. Alan Brown

      Re: I am one of those infected.

      "I have a paid account with noip.com and all my hosts suddenly disappeared (home security cameras and computers, friends and clients). I didn't know what happened until I read the news."

      I suspect the words that various No-IP customers are looking for are "tortious interference with contracts".

      If MS really shot first and asked questions later, they (and the judge) are going to be facing a LOT of hurt. How many people can join a class-action in the USA alone?

      As for "DNS is hard and MS isn't doing it very well", the exact same statements can be made about their web service and email offerings, but they didn't get a judge to arbitrarily shift service provision to them without the original service provider or end users being consulted.

  10. Goat Jam

    "legitimate subdomains resolve as expected"

    So, how does that work then? How does my noip client update my IP? I'm pretty sure Microshit haven't implemented the "dynamic" part of the noip service.

    MS need to be taken behind the shed and shot (NADT). The world would be a better place without them.

    1. Jamie Jones

      " So, how does that work then? How does my noip client update my IP? I'm pretty sure Microshit haven't implemented the "dynamic" part of the noip service."

      They are forwarding the lookup back to the original no-ip servers, so they are sort of acting like a man-in-the-middle.

      However they've screwed up the way they've done it.. See my more detailed post below

  11. frank ly

    They lie

    I try an ftp connection, via cable internet and by mobile internet:

    "Status: Connection attempt failed with "EAI_NONAME - Neither nodename nor servname provided, or not known".

    Error: Could not connect to server"

  12. Sebastian A

    Guess Microsoft can't make an omelet

    without killing everyone's chickens.

  13. slack

    They haven't unborked anything yet from where I am sitting. Does anybody know where we can send a strongly worded email to voice our displeasure?

    "legitimate subdomains resolve as expected"

    So MS thinks that my little host serving up pics to family and stuff is somehow illegitimate? Is it because I won't let their poxy software run on it and I don't bother writing kludges into css files to work around their shitty browser?

  14. RMycroft

    This may have temporarily disrupted some botnets, but it won't last. There are many different ways to connect and control a botnet, no-ip was just an easy one. Odds are, the malware writers are already rolling out their own Patch Tuesday.

  15. Jamie Jones

    This is where they've gone wrong (You'd think they'd know how DNS works....)

    They are 'honouring' updates to the users' dynamic addresses, but in a horrible and incorrect way:

    The authoritative nameservers are configured as recursive for *ALL* domains (yuck)

    They have configured an override to divert forwarding requests for these affected domains to the no-ip (original) authoritative nameservers. (i.e. they've statically added NS records for the affected domains pointing to the no-ip servers)

    They therefore reply to the client with the correct IP address.

    This would be fine for a recursive nameserver, but these servers are configured as *authoritative* nameservers for these domains - and are accessed as such, but they are returning the result as non-authoritative.

    Basically, this creates the following process (Example uses the no-ip.org domain, but the same applies to the others. Some irrelevant steps skipped/simplified):

    1) User requests the IP for some-subdomain.no-ip.org

    2) User's local nameserver (usually belonging to their ISP) checks the .org servers and is told that the 2 Microsoft nameservers are responsible for this domain.

    3) User's local nameserver asks the Microsoft servers for the authoritative IP address of the subdomain, only to be given a non-authoritative result, along with the message 'if you want an authoritative result, go here' which points BACK to the same Microsoft nameservers.

    4) User's local nameserver replies with SERVFAIL because the nameserver that is meant to be authoritative is not returning an authoritative response.

    Whichever bozo claimed everything is working presumably just did a 'raw' nslookup, saw the response, and didn't think (or know) about authoritative/non-authoritative results.

    Or maybe MS nameservers don't handle authoritative/non-authoritative results correctly, so things 'work' if your ISP uses a microsoft nameserver product?? I don't know, just a guess...

    Anyway, MS, I think this post is worth many thousands of your MS dollars!

    By way of an example, here's a session capture using a no-ip.org domain chosen at random:

    4:37 [2] (1) "~" jamie@lapcat% nslookup
    > server a.root-servers.net.
    Default server: a.root-servers.net.
    Address: 2001:503:ba3e::2:30#53
    Default server: a.root-servers.net.
    Address: 198.41.0.4#53
    >
    > home.no-ip.org.
    Server: a.root-servers.net.
    Address: 2001:503:ba3e::2:30#53

    Non-authoritative answer:
    *** Can't find home.no-ip.org.: No answer
    > set q=ns
    > home.no-ip.org.
    Server: a.root-servers.net.
    Address: 2001:503:ba3e::2:30#53

    Non-authoritative answer:
    *** Can't find home.no-ip.org.: No answer

    Authoritative answers can be found from:
    org nameserver = a0.org.afilias-nst.info.
    org nameserver = a2.org.afilias-nst.info.
    org nameserver = b0.org.afilias-nst.org.
    org nameserver = b2.org.afilias-nst.org.
    org nameserver = c0.org.afilias-nst.info.
    org nameserver = d0.org.afilias-nst.org.
    a0.org.afilias-nst.info internet address = 199.19.56.1
    a2.org.afilias-nst.info internet address = 199.249.112.1
    b0.org.afilias-nst.org internet address = 199.19.54.1
    b2.org.afilias-nst.org internet address = 199.249.120.1
    c0.org.afilias-nst.info internet address = 199.19.53.1
    d0.org.afilias-nst.org internet address = 199.19.57.1
    a0.org.afilias-nst.info has AAAA address 2001:500:e::1
    a2.org.afilias-nst.info has AAAA address 2001:500:40::1
    b0.org.afilias-nst.org has AAAA address 2001:500:c::1
    b2.org.afilias-nst.org has AAAA address 2001:500:48::1
    c0.org.afilias-nst.info has AAAA address 2001:500:b::1
    d0.org.afilias-nst.org has AAAA address 2001:500:f::1
    >
    > server 199.19.56.1
    Default server: 199.19.56.1
    Address: 199.19.56.1#53
    > home.no-ip.org.
    Server: 199.19.56.1
    Address: 199.19.56.1#53

    Non-authoritative answer:
    *** Can't find home.no-ip.org.: No answer

    Authoritative answers can be found from:
    no-ip.org nameserver = ns7.microsoftinternetsafety.net.
    no-ip.org nameserver = ns8.microsoftinternetsafety.net.
    > server ns7.microsoftinternetsafety.net
    Default server: ns7.microsoftinternetsafety.net
    Address: 157.56.78.73#53
    > home.no-ip.org.
    Server: ns7.microsoftinternetsafety.net
    Address: 157.56.78.73#53

    Non-authoritative answer:
    home.no-ip.org nameserver = ns7.microsoftinternetsafety.net.
    home.no-ip.org nameserver = ns8.microsoftinternetsafety.net.

    Authoritative answers can be found from:
    > set q=a
    > home.no-ip.org.
    Server: ns7.microsoftinternetsafety.net
    Address: 157.56.78.73#53

    Non-authoritative answer:
    Name: home.no-ip.org
    Address: 85.241.47.150

  16. hayzoos

    Microsoft is to dynamic or agile or responsive

    as

    Military is to intelligence

  17. herman

    Non-authoritative

    I have seen that issue many times in the past. MS uses a BSD name server, with a GUI on top. Down below, is a config file, same as in UNIX. To fix the problem you got to run Wordpad and edit the config file by hand to change the authoritative setting - the GUI cannot do it. If you use Notepad, then it will screw up the config file with carriage returns, causing the name server to barf.

    1. Anonymous Coward

      Re: Non-authoritative

      "MS uses a BSD name server, with a GUI on top."

      Not as far as I have ever seen. All of Microsoft's DNS servers run Windows-based DNS - which is nothing like the BSD implementation.

      "Down below, is a config file, same as in UNIX"

      That is technically possible, but very unusual. Normally Active Directory is 'down below'.

      "edit the config file by hand to change the authoritative setting - the GUI cannot do it"

      Utter rubbish. http://technet.microsoft.com/en-us/library/cc739089(v=ws.10).aspx

    2. Jamie Jones

      Re: Non-authoritative

      It's always harder trying to work out exactly what has been set up incorrectly with just the results to go on... A bit like reverse engineering in a way.

      I don't have the inside knowledge that you have, but I tried to explain similar in my incoherent post above (which deserved down-voting for the formatting alone!)

      However, I'm wary about your solution - assuming their configs are pretty much 'stock', simply changing the zones to authoritative will mean the servers will not look elsewhere for the data, but will expect it to live locally. - of course, the zone data isn't local to microsoft, due to their kludgy solution (which can be made to work, but errrr. not like that)

      As you are aware, but I'll try to clarify for anyone else who may be confused (I'm looking at you, Microsoft!), the difference between authoritative/non-authoritative is as follows: (and to the techie pedants, I'm purposefully leaving out some stuff not relevant to the situation)

      Basically, there are 2 separate functions performed by nameservers. Generally these days, nameservers are configured to do one or the other.

      However, nameserver software can perform both roles simultaneously, and in the past, they usually did, adding to some people's confusion.

      These 2 functions are:

      1) "Lookup addresses for people" - These are the nameservers you configure in your home systems, usually the nameservers of your ISP or googleDNS or opendns. These are known as 'recursive' - they probe the various servers in the chain until they find the answer you're looking for, and then return it to you as a 'non-authoritative' - this means the nameserver you queried doesn't "own" that answer. It got it from elsewhere.

      2) "Host and supply the actual data being looked up for a zone" - These are 'authoritative' nameservers. Different domains are assigned to specific sets of authoritative nameservers. These are the servers your ISP's nameserver finally contact to get the info you require.

      For example, the authoritative nameservers for theregister.co.uk hold in a file (db/text/etc.) a record containing the address 92.52.96.89 which is returned when someone queries www.theregister.co.uk -- Change this data held on the authoritative nameservers, and the change will propagate across the whole internet.

      If you talk direct to an authoritative nameserver, and query a host in a domain it is authoritative for, it will return the *authoritative* (straight from the horse's mouth) results. If it doesn't have a match for your query, you are authoritatively told 'not found'. There is no forwarding to other servers. Its own decision is final.

      Additionally, if you ask an authoritative nameserver for an address that isn't in a domain it's configured to be authoritative for, then you get a null result (except in the case I mentioned above where some authoritative nameservers are also configured as recursive nameservers...)

      ----

      How this applies to this case:

      By taking over the domains, Microsoft's nameservers are now considered authoritative. The internet-wide nameservers are being told this.

      Now, Microsoft needs to configure their nameserver to say 'I'm authoritative for no-ip.org - and the info for the hosts contained within that domain is held in file xxxxxxx.zzz'

      The 'gotcha' in this case is that MS doesn't have the no-ip database! Even if they did, the host address updates from users wouldn't happen unless they also took over the whole update infrastructure (which is actually done under a domain no-ip still control)

      Their solution? Even though 'the internet' considers their servers authoritative, they've specifically not set them to be - instead configuring them as recursive nameservers that lookup the results elsewhere.

      Of course, following the normal path, they'd look up the nameserver responsible and forward the request there. Of course, the nameserver they would look up is their own, so it wouldn't work - so they've set in their config files the original No-IP servers as an override..... A bit like how some of you edit your hosts file to override an IP address, they've edited their config to override the whole domain's nameserver for these domains they've stolen.

      So, their nameservers basically behave as recursive nameservers, just as your ISP's nameserver does for you. The only difference is they've been hardcoded with the original No-IP DNS info instead of using what everyone else is supplied, so the requests go to the right place, and the results retrieved, and replied with... HOWEVER, ISPs' nameservers expect an authoritative response. Microsoft's servers are configured to relay the request to No-IP and then return it as *non-authoritative* (i.e. 'here is the information you wanted... but I got it from elsewhere')

      At this point, all sane resolvers reject the data. They expected authoritative data and they damnwell better get it!

      So, if microsoft simply configure their nameservers to be authoritative as they should be, then they will no longer get the data from no-ip.

      What they NEED to do is kludge it so that internally it looks up the data as a recursive nameserver, but when it presents this info, it needs to present it as authoritative.

      I'm afraid this sort of hack is beyond simple nameserver configs, and as we see, beyond microsoft engineers, who seem not only to not understand the concept/reasons for authoritative/non-authoritative, but are willing to foist their ignorance onto millions, using a power received under dubious circumstances in the first place...

      Now...... Where's my money? :-)
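
The authoritative/non-authoritative distinction that Jamie Jones walks through above (here and in post 15) comes down to a single header bit in the DNS reply, AA. The script below is an added editorial example, not code from the thread or from any commenter: it builds hand-constructed DNS responses in wire format, reads the AA flag and the authority section, and applies the resolver logic the post describes: accept an AA=1 answer, follow a referral that points somewhere else, and treat a non-authoritative answer whose "go ask these" set is the very servers the parent delegated to as a lame delegation that ends in SERVFAIL. The names ns7.example.net/ns8.example.net and the address 192.0.2.10 are placeholders, not the real nameservers or addresses in the capture, and the SERVFAIL outcome is a simplification of what BIND-style resolvers do once every server in a delegation has answered lame.

```python
"""Added editorial example, not code from the thread: build hand-constructed DNS
responses, read the AA (Authoritative Answer) header bit, and apply the resolver
logic described above. ns7/ns8.example.net and 192.0.2.10 are placeholders."""
import struct

TYPE_A, TYPE_NS = 1, 2
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Dotted name -> RFC 1035 label sequence (no compression on the build side)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name at offset, following compression pointers. Returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def rr(name, rtype, rdata, ttl=60):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, answer_ips, authority_ns, aa, recursive=False):
    """Constructed reply to an A query. aa=True sets the AA bit (server owns the
    data); recursive=True sets RD/RA, the signature of a server that forwarded."""
    flags = FLAG_QR | (FLAG_AA if aa else 0) | ((FLAG_RD | FLAG_RA) if recursive else 0)
    zone = ".".join(qname.split(".")[1:])               # home.no-ip.org. -> no-ip.org.
    answers = [rr(qname, TYPE_A, bytes(int(o) for o in ip.split("."))) for ip in answer_ips]
    authority = [rr(zone, TYPE_NS, encode_name(ns)) for ns in authority_ns]
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answers) + b"".join(authority)


def parse_response(msg):
    """Return the AA flag and (owner, type, value) tuples of the answer/authority sections."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = decode_name(msg, off)
        off += 4

    def read(count, off):
        out = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_NS:
                value, _ = decode_name(msg, off)
            elif rtype == TYPE_A:
                value = ".".join(str(b) for b in msg[off:off + rdlen])
            else:
                value = msg[off:off + rdlen]
            out.append((owner, rtype, value))
            off += rdlen
        return out, off

    answers, off = read(an, off)
    authority, _ = read(ns, off)
    return {"aa": bool(flags & FLAG_AA), "answers": answers, "authority": authority}


def resolver_verdict(delegated_to, msg):
    """What a recursive resolver does with a reply from a server that the parent
    zone delegated the name to (delegated_to is that NS set)."""
    r = parse_response(msg)
    if r["aa"]:                                         # straight from the horse's mouth
        return "OK", [v for _, t, v in r["answers"] if t == TYPE_A]
    referred_to = {v for _, t, v in r["authority"] if t == TYPE_NS}
    if referred_to and not referred_to <= set(delegated_to):
        return "REFERRAL", sorted(referred_to)          # a genuine delegation downwards
    # No AA, and "go ask" points at the very servers we were delegated to (or at
    # nothing): a lame delegation. Resolvers give up and hand the client SERVFAIL.
    return "SERVFAIL", []


DELEGATED = ["ns7.example.net.", "ns8.example.net."]   # placeholder NS set from the parent
QNAME = "home.no-ip.org."


def scenario_authoritative():
    return resolver_verdict(DELEGATED, build_response(QNAME, ["192.0.2.10"], DELEGATED, aa=True))


def scenario_forwarded_nonauthoritative():
    # The failure mode in the thread: correct address, but AA clear and the
    # authority section pointing back at the same two servers.
    msg = build_response(QNAME, ["192.0.2.10"], DELEGATED, aa=False, recursive=True)
    return resolver_verdict(DELEGATED, msg)


def scenario_parent_referral():
    # A TLD server answering: no answer, AA clear, NS records delegating elsewhere.
    msg = build_response(QNAME, [], DELEGATED, aa=False)
    return resolver_verdict(["a0.org.afilias-nst.info."], msg)


if __name__ == "__main__":
    for f in (scenario_authoritative, scenario_forwarded_nonauthoritative, scenario_parent_referral):
        print(f.__name__, "->", f())
```

To check a live server the same way, run `dig +norecurse @<server> home.no-ip.org` and look for `aa` in the flags line of the reply; an answer from a server the parent zone delegated to that lacks `aa` is exactly the condition the script labels SERVFAIL, whatever address it happens to carry.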

      1. Anonymous Coward

        Re: Non-authoritative

        NO money, I am afraid but you certainly get my upvote !

        Once again, MS engineers have proven they don't understand networking. As for the rest of it... don't go there.

        1. Jamie Jones

          Re: Non-authoritative

          "NO money, I am afraid but you certainly get my upvote !"

          Thanks!

          (but I prefer money! )

      2. Anonymous Coward

        Re: Non-authoritative

        Great explanation, thanks and upvoted!

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Microsoft Defender goes cross-platform for the masses
    Redmond's security brand extended to multiple devices without stomping on other solutions

    Microsoft is extending the Defender brand with a version aimed at families and individuals.

    "Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."

    The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

    Continue reading
  • Cloudflare says it thwarted record-breaking HTTPS DDoS flood
    26m requests a second? Not legit traffic, not even Bill Gates doing $1m giveaways could manage that

    Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.

    In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare's free plan, according to Omer Yoachimik, product manager at Cloudflare.

    Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the 'net.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

  • Microsoft pledges neutrality on unions for Activision staff
    Now can we just buy them, please?

    Microsoft isn't wasting time trying to put Activision Blizzard's problems in the rearview mirror, announcing a labor neutrality agreement with the game maker's recently-formed union.

    Microsoft will be grappling with plenty of issues at Activision, including unfair labor lawsuits, sexual harassment allegations and toxic workplace claims. Activision subsidiary Raven Software, developers on the popular Call of Duty game series, recently voted to organize a union, which Activision entered into negotiations with only a few days ago.

    Microsoft and the Communication Workers of America (CWA), which represents Raven Software employees, issued a joint statement saying that the agreement is a ground-breaking one that "will benefit Microsoft and its employees, and create opportunities for innovation in the gaming sector." 

  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

  • Wi-Fi hotspots and Windows on Arm broken by Microsoft's latest patches
    Only way to resolve is a rollback – but update included security fixes

    Updated Microsoft's latest set of Windows patches is causing problems for users.

    Windows 10 and 11 are affected, with both experiencing similar issues (although the latter seems to be suffering a little more).

    KB5014697, released on June 14 for Windows 11, addresses a number of issues, but the known issues list has also been growing. Some .NET Framework 3.5 apps might fail to open (if using Windows Communication Foundation or Windows Workflow components) and the Wi-Fi hotspot feature appears broken.

  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such as spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.


Biting the hand that feeds IT © 1998–2022