New, from me: Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/

@briankrebs
The article says that TLS was involved, but isn't it supposed to prevent that?
Just because they manipulate DNS that doesn't mean they have valid private keys of the domains involved? Or have they compromised a CA as well?
@Doomed_Daniel My sense is that at some point the user might get an alert -- however vague -- that something isn't right with a site's cert, but maybe not, or maybe it doesn't usually matter.
@briankrebs @Doomed_Daniel an alert pops up. You can see it using common MitM systems. Some home routers inject error messages to https when not connected to the Internet and it triggers a warning.
I sometimes get notified that Microsoft has revoked a certificate intermittently. I think they revoke certificates when they get a new one, but don’t manage to get the new one deployed to all gateways right away.
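To make the thread's point concrete (controlling DNS steers the connection to the attacker's IP, but the client still demands a certificate that chains to a trusted CA and names the host it asked for), here is an added example that is not code from the article or from anyone in the thread. It models only the two checks the question turns on, name matching per RFC 6125 and an already-computed chain-trust result; it does no real X.509 parsing and ignores revocation. The hostnames, SAN lists and scenario labels are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class PresentedCert:
    """The two certificate facts the client checks in this model.

    Constructed stand-in for a parsed X.509 certificate (no real parsing here):
    san_dns        - dNSName entries from the Subject Alternative Name extension
    chain_trusted  - True if the chain verifies up to a CA in the client's store
    """
    san_dns: list
    chain_trusted: bool


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against the requested host.

    Case-insensitive, trailing dot ignored. A wildcard is accepted only as the
    entire leftmost label ("*.example.com"), matches exactly one label, and
    must leave at least two literal labels so "*.com" can never match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial wildcards such as "f*.example.com" are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: list) -> bool:
    """True if any SAN dNSName entry covers the requested hostname."""
    return any(match_dns_name(p, hostname) for p in san_dns)


def client_verdict(requested_host: str, cert: PresentedCert) -> str:
    """Chain trust is checked before the name, as real TLS clients do."""
    if not cert.chain_trusted:
        return "untrusted-issuer"
    if not hostname_matches(requested_host, cert.san_dns):
        return "name-mismatch"
    return "ok"


# Constructed scenarios. The victim asked for login.example.com; DNS decides
# which IP answers, but not which name the client demands in the certificate.
VICTIM_HOST = "login.example.com"

SCENARIOS = {
    # honest server, certificate issued by a trusted CA for its own names
    "genuine": PresentedCert(["login.example.com", "*.example.com"], True),
    # DNS hijacked: attacker presents a CA-issued cert for a name it does control
    "dns-hijack-own-cert": PresentedCert(["proxy.attacker.example"], True),
    # DNS hijacked: forged cert naming the victim host, signed by no trusted CA
    "dns-hijack-forged-cert": PresentedCert(["login.example.com"], False),
}


def run_scenarios() -> dict:
    """Verdict per scenario; only 'genuine' passes both checks."""
    return {name: client_verdict(VICTIM_HOST, cert) for name, cert in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

Either failing verdict is what surfaces as the browser's certificate warning; whether the user clicks through it is a separate matter, which is the point the rest of the thread makes.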

@drewdaniels @briankrebs
Good* to see that Microsoft's buggy software and overall incompetence hasn't only trained people to dismiss error messages in general, but even to ignore TLS errors specifically -_-

(*) by some definition of "good"