

Description:
Recent cybersecurity analyses have revealed a sophisticated malware campaign targeting Microsoft Teams users. Attackers are leveraging the platform’s communication features to bypass traditional security measures, deploying malicious PowerShell scripts that compromise systems by stealing credentials and establishing persistent backdoors.
Attackers impersonate IT administrators or trusted contacts, sending deceptive messages that prompt users to execute malicious commands. After initial access, attackers use tools like Microsoft Quick Assist to gain remote control, interacting with compromised machines under the guise of legitimate support.
Recommended Actions:
External Links:
Description:
On March 25, 2025, VMware released a security advisory (VMSA-2025-0005) addressing an authentication bypass vulnerability identified in VMware Tools for Windows, designated as CVE-2025-22230. The vulnerability stems from improper access control mechanisms within VMware Tools for Windows. A malicious actor with non-administrative privileges on a Windows guest virtual machine (VM) could exploit this flaw to perform certain high-privilege operations within that VM. VMware has assigned this vulnerability a CVSSv3 base score of 7.8, categorizing it as a high-severity issue.
VMware Tools versions 11.x.x and 12.x.x running on Windows operating systems are affected by this vulnerability. VMware Tools running on Linux and macOS are not impacted. VMware has released VMware Tools version 12.5.1 to address this vulnerability. Administrators are strongly encouraged to update to this latest version to mitigate potential risks.
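To find which guests still need the update, the version ranges above can be applied to an inventory export. The following is an added example, not code from VMware or from the advisory; the inventory rows, hostnames and the version-string format (x.y.z with an optional build suffix) are constructed assumptions.

```python
import re

FIXED = (12, 5, 1)          # fixed release named in the advisory text above
AFFECTED_MAJORS = {11, 12}  # affected branches named in the advisory text above

def parse_version(text):
    """Return (major, minor, patch) from strings such as '12.4.0',
    '12.4.0.23259341' or '12.4.0 build-23259341'; None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(guest_os, tools_version):
    """Classify one guest against CVE-2025-22230 as described on this page."""
    if not guest_os:
        return "unknown"
    if "windows" not in guest_os.lower():
        return "not-affected"      # Linux and macOS builds are not impacted
    version = parse_version(tools_version)
    if version is None:
        return "unknown"           # Tools missing or version not reported
    if version[0] not in AFFECTED_MAJORS:
        return "not-listed"        # branch not named on this page; check manually
    # Assumption: releases after 12.5.1 in the 12.x branch keep the fix.
    return "patched" if version >= FIXED else "vulnerable"

# Constructed sample inventory: (hostname, guest OS string, Tools version).
INVENTORY = [
    ("app-win-01", "Microsoft Windows Server 2019 (64-bit)", "12.4.0.23259341"),
    ("app-win-02", "Microsoft Windows Server 2022 (64-bit)", "12.5.1"),
    ("db-win-03", "Microsoft Windows Server 2016 (64-bit)", "11.3.5 build-18557794"),
    ("web-lnx-01", "Ubuntu Linux (64-bit)", "12.3.5"),
    ("old-win-04", "Microsoft Windows 7 (64-bit)", "10.3.10"),
    ("new-win-05", "Microsoft Windows 11 (64-bit)", ""),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(os_name, ver) for host, os_name, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Guests reported as `unknown` or `not-listed` need a manual check, since this page states nothing about them.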
Recommended Actions:
External Links: