home.social
Sign in Create account

#msrc — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #msrc, aggregated by home.social.

  1. raptor @[email protected] ·

    Happy to announce that, with 23 valid reports and 660 total case points, I’m 25th worldwide in this year’s #MSRC Most Valuable Researcher (#MVR) leaderboard!

    msrc.microsoft.com/leaderboard

    Stay tuned to the @hnsec blog for a comprehensive writeup. And, who knows, perhaps even a conference talk is brewing…

    #msrc #mvr
  2. Not Simon @[email protected] ·

    Happy Patch Tuesday from Microsoft: 155 vulnerabilities.
    EDIT: 1 vulnerability was updated to say Exploited and Publicly Disclosed: CVE-2024-26234 (6.7 medium) THIS IS AN EXPLOITED ZERO-DAY! See Sophos article for information on a malicious executable signed by a valid Microsoft Hardware Publisher Certificate: news.sophos.com/en-us/2024/04/

    Updated CVE to correct exploit status. This is an informational update only.

    cc: @campuscodi @briankrebs @todb @serghei

    #PatchTuesday #Microsoft #MSRC #Vulnerability #CVE_2024_26234 #eitw #activeexploitation

    #patchtuesday #microsoft #msrc #vulnerability #cve_2024_26234 #eitw
  3. Not Simon @[email protected] ·

    DHS Cyber Safety Review Board (CSRB) absolutely savages Microsoft over the June 2023 Exchange Online breach by Chinese threat actor Storm-0558 and accessing U.S. government emails right before Secretary of State Anthony Blinken was to visit China. This 34 page PDF is written in the style of a U.S. Government Accountability Office (GAO) report. 🔗 dhs.gov/news/2024/04/02/cyber-

    Key takeways (copied verbatim, emphasis mine):

    • "Google's Threat Analysis Group was able to link at least one entity tied to this threat actor to the group responsible for the 2009 compromise of Google and dozens of other private companies in a campaign known as Operation Aurora, as well as the RSA SecurID incident."
    • "However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key."
    • "Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction;"

    #DHS #CSRB #Microsoft #MSRC #China #cyberespionage #Storm0558

    #dhs #csrb #microsoft #msrc #china #cyberespionage
  4. Not Simon @[email protected] ·

    DHS Cyber Safety Review Board (CSRB) absolutely savages Microsoft over the June 2023 Exchange Online breach by Chinese threat actor Storm-0558 and accessing U.S. government emails right before Secretary of State Anthony Blinken was to visit China. This 34 page PDF is written in the style of a U.S. Government Accountability Office (GAO) report. 🔗 dhs.gov/news/2024/04/02/cyber-

    Key takeways (copied verbatim, emphasis mine):

    • "Google's Threat Analysis Group was able to link at least one entity tied to this threat actor to the group responsible for the 2009 compromise of Google and dozens of other private companies in a campaign known as Operation Aurora, as well as the RSA SecurID incident."
    • "However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key."
    • "Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction;"

    #DHS #CSRB #Microsoft #MSRC #China #cyberespionage #Storm0558

    #dhs #csrb #microsoft #msrc #china #cyberespionage
  5. Not Simon @[email protected] ·

    DHS Cyber Safety Review Board (CSRB) absolutely savages Microsoft over the June 2023 Exchange Online breach by Chinese threat actor Storm-0558 and accessing U.S. government emails right before Secretary of State Anthony Blinken was to visit China. This 34 page PDF is written in the style of a U.S. Government Accountability Office (GAO) report. 🔗 dhs.gov/news/2024/04/02/cyber-

    Key takeways (copied verbatim, emphasis mine):

    • "Google's Threat Analysis Group was able to link at least one entity tied to this threat actor to the group responsible for the 2009 compromise of Google and dozens of other private companies in a campaign known as Operation Aurora, as well as the RSA SecurID incident."
    • "However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key."
    • "Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction;"

    #DHS #CSRB #Microsoft #MSRC #China #cyberespionage #Storm0558

    #dhs #csrb #microsoft #msrc #china #cyberespionage
  6. Not Simon @[email protected] ·

    DHS Cyber Safety Review Board (CSRB) absolutely savages Microsoft over the June 2023 Exchange Online breach by Chinese threat actor Storm-0558 and accessing U.S. government emails right before Secretary of State Anthony Blinken was to visit China. This 34 page PDF is written in the style of a U.S. Government Accountability Office (GAO) report. 🔗 dhs.gov/news/2024/04/02/cyber-

    Key takeways (copied verbatim, emphasis mine):

    • "Google's Threat Analysis Group was able to link at least one entity tied to this threat actor to the group responsible for the 2009 compromise of Google and dozens of other private companies in a campaign known as Operation Aurora, as well as the RSA SecurID incident."
    • "However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key."
    • "Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction;"

    #DHS #CSRB #Microsoft #MSRC #China #cyberespionage #Storm0558

    #storm0558 #cyberespionage #china #msrc #microsoft #csrb
  7. Not Simon @[email protected] ·

    DHS Cyber Safety Review Board (CSRB) absolutely savages Microsoft over the June 2023 Exchange Online breach by Chinese threat actor Storm-0558 and accessing U.S. government emails right before Secretary of State Anthony Blinken was to visit China. This 34 page PDF is written in the style of a U.S. Government Accountability Office (GAO) report. 🔗 dhs.gov/news/2024/04/02/cyber-

    Key takeways (copied verbatim, emphasis mine):

    • "Google's Threat Analysis Group was able to link at least one entity tied to this threat actor to the group responsible for the 2009 compromise of Google and dozens of other private companies in a campaign known as Operation Aurora, as well as the RSA SecurID incident."
    • "However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key."
    • "Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction;"

    #DHS #CSRB #Microsoft #MSRC #China #cyberespionage #Storm0558

    #dhs #csrb #microsoft #msrc #china #cyberespionage