TRENDING TOPICS JULY 21, 2025

Microsoft AppLocker Mis-Config Settings Could Let Bad Apps Slip Through 

Security researchers at Varonis found a flaw in Microsoft’s AppLocker, a tool businesses use to control which applications can run on company computers. AppLocker evaluates a file against specific rule conditions, including the file’s version number, to decide whether it may run. Microsoft’s official setup guide recommended an upper version limit of 65355, but the true maximum that a version field can hold is 65535. That small mistake leaves a gap: app versions that fall between those two numbers are not checked properly. An attacker could exploit this by slightly modifying the version number of a blocked app so that it falls within the unchecked range, allowing the app to run even when the policy intends to block it. It’s not a complicated hack; it’s a matter of slipping through a crack left open by an incorrect setting. Although this could be used to bypass security, it only works under specific conditions. Changing a file’s version number typically breaks its digital signature, which many businesses rely on to ensure that only trusted, verified apps are allowed. If a company’s policies only allow apps with valid signatures, the trick wouldn’t work: the altered file would be blocked anyway. Because of this, the issue is considered low-risk, but it still matters. Microsoft has updated its documentation to correct the number, but the episode is a good reminder for companies to review even minor details in their security settings. Tiny oversights, like a single wrong number, can open the door just enough for threats to get in. Regular reviews of security tools and settings are necessary to catch these kinds of gaps before they become real problems.
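The following Python audit check is an added example, not code from the article or from Varonis or Microsoft. It parses a constructed AppLocker policy fragment (the element and attribute names follow AppLocker’s policy XML; the publisher and product values are made up), flags any BinaryVersionRange whose upper bound uses the typo’d 65355 cap, and shows that a version above that cap falls outside the rule while a 65535 cap still covers it.

```python
import xml.etree.ElementTree as ET

DOCUMENTED_TYPO = 65355   # cap the old Microsoft guide suggested
TRUE_MAX = 65535          # real ceiling of each 16-bit version component

# Constructed sample policy (not from the article): a Deny rule whose
# HighSection copies the documented typo, leaving 65356..65535 unchecked.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="r1" Name="Deny BadApp" Description=""
                       UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE CORP, L=NOWHERE, C=US"
                                ProductName="BADAPP" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="65355.65355.65355.65355"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""


def parse_version(text):
    """'*' means unbounded; otherwise a dotted version of up to four parts."""
    if text == "*":
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def version_in_range(version, low, high):
    """Compare component by component, the way a dotted version is ordered."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    return bool((lo is None or v >= lo) and (hi is None or v <= hi))


def find_capped_ranges(policy_xml, bad_cap=DOCUMENTED_TYPO):
    """Return (rule name, action, HighSection) for every publisher rule whose
    upper version bound contains the typo'd cap instead of 65535 or '*'."""
    findings = []
    root = ET.fromstring(policy_xml)
    for rule in root.iter("FilePublisherRule"):
        for rng in rule.iter("BinaryVersionRange"):
            hi = parse_version(rng.get("HighSection", "*"))
            if hi is not None and bad_cap in hi:
                findings.append((rule.get("Name"), rule.get("Action"),
                                 rng.get("HighSection")))
    return findings
```

Because versions compare component by component, the unchecked tail only matters when a leading component exceeds 65355, which the assertions below exercise with a constructed version of 65400.0.0.0.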

Phishing Scam Bypasses FIDO Key Protections 

A new phishing tactic has emerged that tricks users into sidestepping the strong protection of FIDO keys, which prevent unauthorized access by binding unique cryptographic keys to specific websites. Attackers, believed to be the group PoisonSeed, send phishing emails that direct users to fake login pages mimicking trusted company portals such as Okta. These fake sites capture the user’s login details and silently relay them to the real login page, which then generates a QR code for cross-device authentication. When users scan this QR code with the authenticator app on their phone, they unknowingly approve the attacker’s session. The method abuses a legitimate feature called cross-device sign-in, which lets users log in from a device without a passkey by using another device, typically a phone. The attack works only when proximity checks such as Bluetooth aren’t required, exposing a loophole in flexible FIDO deployments. To stay safe, companies and users must tighten their authentication processes and remain vigilant. Security teams should monitor for unusual login patterns, such as QR code requests from unfamiliar locations or the rapid registration of new FIDO keys. Requiring Bluetooth for cross-device logins blocks most of these attacks by ensuring the user’s phone is physically near the device performing the login. Users should double-check login pages for suspicious domains and be wary of unexpected QR codes. Account recovery methods should also use phishing-resistant options so they don’t weaken the rest of the system. In another incident, attackers added their own FIDO key after resetting a user’s password, showing how easily these protections can be subverted if they aren’t carefully monitored. Staying proactive by regularly reviewing logs and maintaining strict authentication settings is key to keeping accounts secure.

Cryptojacking Campaign Hits Thousands of Websites 

A widespread attack has compromised over 3,500 websites globally, embedding hidden JavaScript that secretly uses visitors’ devices to mine cryptocurrency. These stealthy miners, uncovered by c/side researchers, assess a device’s processing power and run the mining in background Web Workers to avoid detection. Using WebSockets, the attackers dynamically adjust the mining intensity so that devices aren’t drained too quickly, keeping the activity unnoticed by users and security tools. The domains used by these miners have ties to past Magecart credit card skimming attacks, showing how cybercriminals combine different malicious tactics to maximize profit. Although the exact method of website compromise remains unclear, the obfuscated JavaScript helps these attacks evade detection. This campaign aligns with other recent client-side attacks, including a Magecart scheme targeting East Asian e-commerce sites running OpenCart to steal payment details through fake checkout forms. Such campaigns often also redirect users to spam sites or manipulate search engine rankings to increase visibility. To stay safe, website owners should keep their software updated, enable multi-factor authentication, and monitor their sites for suspicious scripts. Users can protect themselves by running up-to-date antivirus software and being cautious about the websites they visit.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.