Researchers at ETH Zurich have tested the security of Bitwarden, LastPass, Dashlane, and 1Password password managers.
The post Password Managers Vulnerable to Vault Compromise Under Malicious Server appeared first on SecurityWeek.
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six βzero-dayβ vulnerabilities that attackers are already exploiting in the wild.
Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.
The zero-day flawΒ CVE-2026-21513 is aΒ security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.
The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to βSYSTEMβ level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a userβs screen. Microsoft fixed a different zero-day in DWM just last month.
The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.
Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since Januaryβs Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.
Kev Breen at Immersive notes that this monthβs Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.
Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldnβt β like executing malicious code or commands.
βDevelopers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,β Breen said. βWhen organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.β
TheΒ SANS Internet Storm CenterΒ has aΒ clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please donβt neglect to back up your data if it has been a while since youβve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.
Last week, many Instagram users began receiving unsolicited emails from the platform that warned about a password reset request.
The message said:
βHi {username},
We got a request to reset your Instagram password.
If you ignore this message, your password will not be changed. If you didnβt request a password reset, let us know.β
Around the same time that users began receiving these emails, a cybercriminal using the handle βSolonikβ offered data that alleged contains information about 17 million Instagram users for sale on a Dark Web forum.
These 17 million or so records include:
Please note that there are no passwords listed in the data.
Despite the timing of the two events, Instagram denied this weekend that these events are related. On the platform X, the company stated they fixed an issue that allowed an external party to request password reset emails for βsome people.β
So, whatβs happening?
Regarding the data found on the dark web last week, Shahak Shalev, global head of scam and AI research at Malwarebytes, shared that βthere are some indications that the Instagram data dump includes data from other, older, alleged Instagram breaches, and is a sort of compilation.β As Shalevβs team investigates the data, he also said that the earliest password reset requests reported by users came days before the data was first posted on the dark web, which might mean that βthe data may have been circulating in more private groups before being made public.β
However, another possibility, Shalev said, is that βanother vulnerability/data leak was happening as some bad actor tried spraying for [Instagram] accounts. Instagramβs announcement seems to reference that spraying. Besides the suspicious timing, thereβs no clear connection between the two at this time.β
But, importantly, scammers will not care whether these incidents are related or not. They will try to take advantage of the situation by sending out fake emails.
βWe felt it was important to alert people about the data availability so that everyone could reset their passwords, directly from the app, and be on alert for other phishing communications,β Shalev said.
If and when we find out more, weβll keep you posted, so stay tuned.
If you have enabled 2FA on your Instagram account, we think it is indeed safe to ignore the emails, as proposed by Meta.
Should you want to err on the safe side and decide to change your password, make sure to do so in the app and not click any links in the email, to avoid the risk that you have received a fake email. Or you might end up providing scammers with your password.
Another thing to keep in mind is that these are Meta-data. Which means some users may have reused or linked them to their Facebook or WhatsApp accounts. So, as a precaution, you can check recent logins and active sessions on Instagram, WhatsApp, and Facebook, and log out from any devices or locations you do not recognize.
If you want to find out whether your data was included in an Instagram data breach, or any other for that matter, try our free Digital Footprint scan.
Last week, many Instagram users began receiving unsolicited emails from the platform that warned about a password reset request.
The message said:
βHi {username},
We got a request to reset your Instagram password.
If you ignore this message, your password will not be changed. If you didnβt request a password reset, let us know.β
Around the same time that users began receiving these emails, a cybercriminal using the handle βSolonikβ offered data that alleged contains information about 17 million Instagram users for sale on a Dark Web forum.
These 17 million or so records include:
Please note that there are no passwords listed in the data.
Despite the timing of the two events, Instagram denied this weekend that these events are related. On the platform X, the company stated they fixed an issue that allowed an external party to request password reset emails for βsome people.β
So, whatβs happening?
Regarding the data found on the dark web last week, Shahak Shalev, global head of scam and AI research at Malwarebytes, shared that βthere are some indications that the Instagram data dump includes data from other, older, alleged Instagram breaches, and is a sort of compilation.β As Shalevβs team investigates the data, he also said that the earliest password reset requests reported by users came days before the data was first posted on the dark web, which might mean that βthe data may have been circulating in more private groups before being made public.β
However, another possibility, Shalev said, is that βanother vulnerability/data leak was happening as some bad actor tried spraying for [Instagram] accounts. Instagramβs announcement seems to reference that spraying. Besides the suspicious timing, thereβs no clear connection between the two at this time.β
But, importantly, scammers will not care whether these incidents are related or not. They will try to take advantage of the situation by sending out fake emails.
βWe felt it was important to alert people about the data availability so that everyone could reset their passwords, directly from the app, and be on alert for other phishing communications,β Shalev said.
If and when we find out more, weβll keep you posted, so stay tuned.
If you have enabled 2FA on your Instagram account, we think it is indeed safe to ignore the emails, as proposed by Meta.
Should you want to err on the safe side and decide to change your password, make sure to do so in the app and not click any links in the email, to avoid the risk that you have received a fake email. Or you might end up providing scammers with your password.
Another thing to keep in mind is that these are Meta-data. Which means some users may have reused or linked them to their Facebook or WhatsApp accounts. So, as a precaution, you can check recent logins and active sessions on Instagram, WhatsApp, and Facebook, and log out from any devices or locations you do not recognize.
If you want to find out whether your data was included in an Instagram data breach, or any other for that matter, try our free Digital Footprint scan.
In todayβs digital world, passwords have become a necessary part of life. But even though you use them for almost everything you do online, you probably donβt give them the thought they truly deserve. May 1, 2025, is World Password Day, a reminder that passwords are the unsung heroes of cybersecurity, the first line of defense for all your sensitive personal data. This annual event encourages you to level up your password game and strengthen your online defenses. World Password Day is more relevant than ever in todayβs evolving threat landscape.
Data breaches are on the rise, and according to theΒ 2024 Verizon Data Breach Investigations Report, a staggeringΒ 81% of themΒ are linked to weak or compromised passwords. The bottom line? If youβre still relying on βFluffy123β, you could be putting your personal information at risk. Letβs explore password-based attacks, and some steps you can take to lock down your logins, once and for all.
Managing all your passwords can be a hassle. Theyβre easy to forget and hard to keep track of, so people tend to use and reuse simple passwords they can remember. But hereβs the issue β cybercriminals are getting smarter and their attacks are only getting more sophisticated. If a scammer gains access to your personal details, they can create havoc with your finances and cause you stress for years to come. In the past, brute force attacks were the go-to method, which involved simply using trial and error to crack passwords. Today, hackers use much more complex methods β here are a few examples.
Never forget that your passwords are the very foundation of your digital defense strategy. With cyberattacks becoming more and more sophisticated, creating strong passwords is no longer optional β itβs essential. This World Password Day, take the time to check in on your password practices. Update those old logins, enable MFA, and let Webroot do the heavy lifting. Just a few simple steps today can save you a world of trouble tomorrow.
Looking for more information and solutions?
The post Strengthen your digital defenses on World Password Day appeared first on Webroot Blog.
Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun.
Β $userName = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\
Start-Process -FilePath "notepad.exe" -ArgumentList $userNameOffice\Common\UserInfo"). UserName
Β
Β
Β
Β
I haven't seen much use of actual .asd files, likely as the documents will need to be loaded from one of the above directories, however... after crafting your malicious document, you can simply rename it from badfile.docx to badfile.asd, and it will run fine.
It seems at least 1 actor has used an .asd extension before, as reported on by Didier Stevens:
https://isc.sans.edu/diary/CrowdStrike+Outage+Themed+Maldoc/31116
In short, it's another way of evading sandboxes or other potential detection mechanisms that may not support these .asd or .wbk extensions or even consider them harmless.
Several years ago, I created a "malware puzzle" - basically, a crossword puzzle but with terms related to malware. You can find that puzzle here:Β https://bartblaze.blogspot.com/2013/08/malware-puzzle.html
Seeing crosswords are a hobby of mine, I thought it'd be fun to create another one more than seven years later - this time, all things blue team! Obviously you don't need to be part of a blue team to fill in the puzzle, it's for anyone in information or cyber security - but it does help if you've been on the defense side of things.
You can print the puzzle and fill it in, or you can use Adobe Reader to complete the PDF version, or use any tool to your liking (mspaint is also a candidate). There are no spaces - all words are one word.
You can find the puzzle in the following formats:
PNG:Β https://www.mediafire.com/view/0iuzvxal8redjz2/crossword-iiRh073oLn.png/file
PNG mirror:Β https://imgur.com/a/ASATRXf
PDF:Β https://www.mediafire.com/file/b3v7pebohp6c8vn/crossword-xp6dZUU9Ar.pdf/file
PDF mirror:Β https://www.filedropper.com/crossword-xp6dzuu9ar
If you have the solution, feel free to create a comment or @ me on Twitter:Β https://twitter.com/bartblaze.Β
To make things more interesting, you can set up a competition between your fellow defenders to see who can complete it first!
If you're stuck, I can always send you a hint - see my About page for contact information, use Twitter, or leave a comment. Note there may be spoilers around.Β
Marcello Salvati// During Red Team and penetration tests, itβs always important and valuable to test assumptions. One major assumption I hear from Pentesters, Red teamers and clients alike is that [β¦]
The post Having Fun with ActiveX Controls in Microsoft Word appeared first on Black Hills Information Security, Inc..
Derrick Rauch and Kent Ickler // (Updated 3/22/2019) First, to see what our build looks like, look here:Β https://www.blackhillsinfosec.com/build-password-cracker-nvidia-gtx-1080ti-gtx-1070/ Whatβs next?Β Time for System Rebuild! First, you need to decide whether you [β¦]
The post Running HashCat on Ubuntu 18.04 Server with 1080TI appeared first on Black Hills Information Security, Inc..
David Fletcher// The weak password policy finding is typically an indicator of one of two conditions during a test: A password could be easily guessed using standard authentication mechanisms. A [β¦]
The post Finding: Weak Password Policy appeared first on Black Hills Information Security, Inc..
Carrie Roberts* // Can you think of a reason why you might want to put a lengthy comment into the properties of an MS Office document? If you can, then [β¦]
The post Hide Payload in MS Office Document Properties appeared first on Black Hills Information Security, Inc..
Carrie Roberts*Β // (Updated, 2/11/2019) Trying to figure out the password for a password protected MS Office document? This free solution might do the trick. It attempts to guess the password [β¦]
The post How to Crack Passwords for Password Protected MS Office Documents appeared first on Black Hills Information Security, Inc..
Kent Ickler // The Task Buy The Things: Total for new password cracking machine$5110 A Few Quick Lessons The CPU cooler doesnβt actually clear the case cover. This was OK [β¦]
The post How to Build a Password Cracker with NVidia GTX 1080TI & GTX 1070 appeared first on Black Hills Information Security, Inc..
Carrie Roberts // Β Β Β A malicious macro in a Microsoft Word or Excel document is an effective hacking technique. These documents could be delivered in a variety of [β¦]
The post How to Get Malicious Macros Past Email Filters appeared first on Black Hills Information Security, Inc..
Brian FehrmanΒ // As described in my last blog post,Β Powershell Without Powershell β How To Bypass Application Whitelisting, Environment Restrictions & AVΒ (sheeeshβ¦itβs been a bit!), we are seeing more environments in [β¦]
The post Power Posing with PowerOPS appeared first on Black Hills Information Security, Inc..
Ethan Robish // In my last twoΒ postsΒ I showed how to insert tracking bugs in both .docx (Part 1) and .xlsx files (Part 2). Β But donβt let all that effort go [β¦]
The post Bugging Microsoft Files: Part 3 β Clearing Metadata appeared first on Black Hills Information Security, Inc..
Ethan Robish // If youβre familiar with ADHD and Web Word Bugs, you likely already know the method to create web tracking software using .html files renamed as .doc files. [β¦]
The post Bugging Microsoft Files: Part 1 β Docx Files using Microsoft Word appeared first on Black Hills Information Security, Inc..
Brian Fehrman // In our experience, we see many Windows environments in which the local Administrator password is the same for many machines. We refer to this as Wide-Spread Local [β¦]
The post Wide-Spread Local Admin Testing appeared first on Black Hills Information Security, Inc..
Brian King // Thereβs a one-liner password spray script that a lot of folks use to see if anyone on a domain is using a bad password like LetMeIn! or [β¦]
The post Check\ Your\ Tools appeared first on Black Hills Information Security, Inc..
Login
