
Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise ... continue reading

Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run ... continue reading

Protecting Android clipboard content from unintended exposure
Considering mobile users often use the clipboard to copy and paste sensitive information, like passwords or payment information, clipboard contents can be an attractive target for cyberattacks. Leveraging clipboards can enable attackers to collect target information and exfiltrate useful data ... continue reading

MCCrash: Cross-platform DDoS botnet targets private Minecraft servers
Malware operations continue to rapidly evolve as threat actors add new capabilities to existing botnets, increasingly targeting and recruiting new types of devices. Attackers update malware to target additional operating systems, ranging from PCs to IoT devices, growing their infrastructure ... continue reading

DEV-0569 finds new ways to deliver Royal ransomware, various payloads
Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed ... continue reading

Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to ... continue reading

DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector
In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society. Shifting ransomware payloads over time from BlackCat, ... continue reading

Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices
Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats. Masquerading as a banking rewards app, this new version has additional remote access trojan ... continue reading

Microsoft investigates Iranian attacks against the Albanian government
Shortly after the destructive cyberattacks against the Albanian government in mid-July, the Microsoft Detection and Response Team (DART) was engaged by the Albanian government to lead an investigation into the attacks. At the time of the attacks and our engagement ... continue reading

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone
Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government ... continue reading