New, from me: Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/

@briankrebs
The article says that TLS was involved, but isn't it supposed to prevent that?
Just because they manipulate DNS that doesn't mean they have valid private keys of the domains involved? Or have they compromised a CA as well?
@Doomed_Daniel My sense is that at some point the user might get an alert -- however vague -- that something isn't right with a site's cert, but maybe not, or maybe it doesn't usually matter.
@briankrebs @Doomed_Daniel an alert pops up. You can see it using common MitM systems. Some home routers inject error messages to https when not connected to the Internet and it triggers a warning.
I sometimes get notified that Microsoft has revoked a certificate intermittently. I think they revoke certificates when they get a new one, but don’t manage to get the new one deployed to all gateways right away.

@drewdaniels @briankrebs
Good* to see that Microsoft's buggy software and overall incompetence hasn't only trained people to dismiss error messages in general, but even to ignore TLS errors specifically -_-

(*) by some definition of "good"

@briankrebs
ah ok, missed that second infographic, apparently users need to actively ignore TLS errors for this to work

@Doomed_Daniel
And Microsoft users seem to be trained by regular Microsoft behaviour to ignore TLS certificate errors.

Slowly claps hands. Well done Microsoft.

@briankrebs

@Doomed_Daniel @briankrebs
I almost feared the tokens would be put into DNS requests. You see how incompetent I judge Microslop if I assume that as a possible attack vector.
@briankrebs good luck getting tokens from my Office 2007 edition ;-)
</smug and annoying>
@briankrebs I firmly believe that with Google (and others) forcing TLS validation on everything, and also forcing shorter TLS lifespans has contributed to training people to ignore TLS errors.

@Catelli
Yes, OTOH, using http outside localhost is an issue.

It's almost never possible to judge the data that is passed to be harmless in finality without the threat context. And on the internet you literally have too many users to consider guessing.

And it's less Google and Let's Encrypt here. It seems that Microsoft has problems with its internal processes to keep certificates fresh and thus is miseducating users.
@briankrebs

@briankrebs it's not just passwords, toothbrushes, and smoke detectors that need to be changed regularly.
@briankrebs coding on vibes, bruh
Artemis II Astronauts Have ‘Two Microsoft Outlooks’ and Neither Work

In space, no one can hear you scream at Microsoft’s legacy software.

404 Media
@briankrebs

Know what would be dandy? If, instead of (effectively) prohibiting consumers from buying new hardware, they would have, instead, force all equipment makers to provide 5-10 years of security-patches for all existing (and new) equipment.

@briankrebs

why do we never see posts about US or Israeli hacking?

there are two possibilities

1. they don't happen. ever. nope.

2. the reporters are propaganda puppets.

@briankrebs Please do not ignore SSL errors without consulting your IT. 🙈
Please!
@briankrebs the solution is to use two Outlooks.
@briankrebs Brian, your Forest Blizzard report is my reality. Case SIR23252176: I’m an NY small biz owner with 10yrs of data held by a thief. MS admits the theft but leaves a 'bot' in charge. Between token-theft & today's #BlueHammer zero-day, 'you own nothing' is a professional liability. Manually rescuing 3TB of data now to keep my clients safe. #Microsoft #SmallBusiness #Infosec
@Patrick_Cotter Wow, I thought my day was bad. Sorry to hear that dude.
@briankrebs Appreciate that, Brian. It’s been a surreal day of building beehives(literally) to stay sane while manually rescuing 3TB of data at 48MB/s. If a pro like you thinks it’s a mess, maybe MS will finally listen to the human in the loop. Certified mail goes to their legal team tomorrow. Case SIR23252176 for anyone at Redmond actually reading this. Though doubts remain high.
@Patrick_Cotter send me a note and lmk. briankrebs.07 on signal
@briankrebs and done! Will keep you updated there I suppose!

@Patrick_Cotter
Why should MS listen? It's peachy for them. They have a captive customer audience, their performance is literally irrelevant for sales.

The moment people like you start jumping ship en masse they might wake up, but almost certainly not with better products, probably with better fences.
@briankrebs

@yacc143 @Patrick_Cotter @briankrebs

You have to be a fortune 100 to receive priority "oh shit our bad" service from Microsoft.

@briankrebs

"Commander Wiseman..?"

"What is it, Mission Control?"

"Um.."

@briankrebs Are they saying the user would need to click through a certificate warning for this attack to be successful? Or is that only one of the scenarios? (I'm reading the blog post and Microsoft's post but as I'm not a security professional the latter is a little hard to parse.)

@briankrebs Holy fuck...

"This vulnerability enables an unauthenticated attacker to obtain [...] password credentials via specially crafted HTTP GET requests."

(checks all TP-Link routers in old device graveyard box in attic)

(...and ALL HTTP GET requests are specially crafted...)

@briankrebs This is why we spent so much time and energy to get all of the primary BBC websites on to HTTPS *and* HSTS preloaded. Modern, mainstream web browsers will show a non-bypassable interstitial error page. Problem solved.
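Added example (not code from the article, the thread, or the BBC): a small checker for the Strict-Transport-Security header that the preload approach above depends on, testing a header value against the preload list's submission requirements (max-age of at least one year, includeSubDomains, preload). The sample header values are constructed.

```python
"""Check a Strict-Transport-Security header value against the HSTS preload
list's requirements: max-age >= 31536000 seconds, includeSubDomains, preload.
Added example; the sample header values below are constructed."""
import re

ONE_YEAR = 31536000  # seconds; the preload list's minimum max-age


def parse_hsts(header: str) -> dict:
    """Parse HSTS directives (RFC 6797). Directive names are case-insensitive;
    max-age carries a value, includeSubDomains and preload are bare flags."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons this header would be rejected for preloading;
    an empty list means the header qualifies."""
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    elif not re.fullmatch(r"\d+", d["max-age"]):
        problems.append("max-age is not a number")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: one eligible, two that would be rejected.
    for h in ["max-age=31536000; includeSubDomains; preload",
              "max-age=300",
              "max-age=63072000; includeSubDomains"]:
        print(repr(h), "->", preload_problems(h) or "eligible")
```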
@tdp_org @briankrebs i was gonna say have we not solved this problem, guess security is too much for ms to bother investing in
@tdp_org @briankrebs though i don’t know how they’d serve a cert for the real login page that gets accepted, unless they seriously just serve it over http and browsers let you do stupid shit on that site because no hsts