EDR Archives

Tech Optimizer

May 27, 2025

Microsoft Defender vs Bitdefender: Compare Antivirus Software

eSecurity Planet maintains editorial independence in content and product recommendations, ensuring financial gain from partner links does not influence information integrity. Microsoft Defender and Bitdefender are prominent small business security providers. Microsoft Defender is ideal for larger SMBs, starting at .00 per user per month, while Bitdefender is suited for startups with over 10 employees, starting at .33 per user per month. Microsoft Defender Overview: - Overall Rating: 3.7/5 - Pricing: 4.4/5 - Features: 3.4/5 - Ease of Use and Administration: 3.8/5 - Customer Support: 3.7/5 - Features include next-gen antivirus, vulnerability management, and EDR. Bitdefender Overview: - Overall Rating: 3.4/5 - Pricing: 3.8/5 - Features: 3/5 - Ease of Use and Administration: 3.4/5 - Customer Support: 4/5 - Features include identity protection, a VPN, and a password manager. Pricing Comparison: - Microsoft Defender: Free Trial: 90 days; Least Expensive Plan: .00/user/month; Mid-Range Plan: .50/user/month; Most Expensive Plan: .00/user/month. - Bitdefender: 30-day money-back guarantee; Least Expensive Plan: .33/user/month; Mid-Range Plan: Not specified; Most Expensive Plan: Not specified. Feature Comparison: - Microsoft Defender offers robust endpoint protection but lacks clarity on web browsing protection and ad-blocking. - Bitdefender offers identity exposure protection, a VPN, and a password manager but also lacks web browsing and ad-blocking features. Ease of Use and Administration: - Microsoft Defender supports macOS, Windows, and Linux Server; Bitdefender supports macOS and Windows but lacks Linux support. Customer Support Comparison: - Microsoft provides phone and live chat support; Bitdefender offers email and chat support, with limited phone support for small business users. Alternative Solutions include Norton, McAfee, and Trend Micro, each offering different features and pricing structures. Evaluation Methodology focused on pricing, features, ease of use, and customer support, with Microsoft winning in pricing, features, and ease of use, while Bitdefender excelled in customer support.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

Tech Optimizer

May 5, 2025

Chimera Malware: Outsmarting Antivirus, Firewalls, and Human Defenses

X Business, an e-commerce store specializing in handmade home décor, experienced a cybersecurity incident involving a malware strain called Chimera. The attack began during a routine update to their inventory management system and escalated within 12 hours, resulting in halted customer orders, locked employee accounts, and a crashed website. The attackers demanded a ransom of 0,000 in cryptocurrency, threatening to expose sensitive customer data. Chimera is an AI-driven malware that adapts its code to evade detection, targeting both Windows and macOS systems. It exploited a zero-day vulnerability in Windows' Print Spooler service and bypassed macOS security measures by forging code signatures. The malware used social engineering tactics to deceive employees into activating malicious payloads, leading to compromised systems and encrypted customer data. The recovery process took 48 hours, utilizing cybersecurity tools like CrowdStrike Falcon and SentinelOne Singularity to identify and isolate the malware. Data restoration was achieved through Acronis Cyber Protect and macOS Time Machine, while vulnerabilities were addressed with Qualys and emergency patch deployment via WSUS. The network security framework was improved using Cisco Umbrella and Zscaler Private Access to implement a Zero Trust architecture. The incident highlights the need for small enterprises to adopt proactive cybersecurity strategies, including a 3-2-1 backup approach, Zero Trust models, investment in AI-driven defense tools, and employee training to recognize social engineering attempts.

Tech Optimizer

May 2, 2025

The Pillars of AI-Driven Security

The cybersecurity landscape has shifted from traditional methods like firewalls and antivirus software to more sophisticated, AI-driven strategies. The 2024 Verizon Data Breach Investigations Report identifies ransomware as a leading attack type, with a median time to compromise now measured in hours. The attack surface is expanding due to remote work, cloud adoption, and IoT devices, while traditional security measures struggle to keep up. AI enhances security across three domains: prevention, detection, and response. 1. Prevention: AI distinguishes between legitimate and suspicious activities, improving predictive accuracy and enabling proactive defenses against attacks. AI models can identify zero-day malware and fileless attacks by focusing on behavior. 2. Detection: AI-powered tools like SIEM systems analyze vast amounts of data to identify risks and suspicious patterns in near real-time, reducing false positives and highlighting low-and-slow attacks and insider threats. 3. Response: AI automates rapid containment and remediation actions, allowing human analysts to focus on more complex tasks. Generative AI can assist in drafting incident reports and suggesting remediation measures. AI-driven security offers scale and efficiency, reducing breach costs significantly for organizations that utilize it. AI models adapt to evolving threats, and AI tools help bridge the cybersecurity skills gap. However, challenges include potential biases in AI models, the need for talent and change management, and privacy concerns. Organizations are encouraged to adopt AI-driven security as a core component of their digital defense strategy to improve risk posture and threat response.

Tech Optimizer

April 15, 2025

New ‘Waiting Thread Hijacking’ Malware Technique Evades Modern Security Measures

Security researchers have developed a new malware process injection technique called "Waiting Thread Hijacking" (WTH), which executes harmful code within legitimate processes while avoiding detection by security measures. This method improves upon traditional Thread Execution Hijacking by using a different sequence of operations that bypasses commonly monitored API calls. WTH involves allocating memory and injecting malicious payloads using standard functions, identifying dormant threads within the target process, acquiring thread context with less suspicious permissions, and overwriting the return address on the stack with the injected shellcode. The technique ensures stability by preserving the original state of the thread and allows it to resume normal operations after executing the malicious code. Additionally, WTH employs an obfuscation technique that distributes its steps across multiple child processes to evade behavioral detection systems. While WTH can avoid many conventional detection triggers, it is not completely immune, as some Endpoint Detection and Response (EDR) solutions can block unauthorized memory writes. Check Point Research has observed that WTH is effective against certain EDRs while others can block it but not older methods, illustrating the variability in EDR capabilities.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

Winsage

April 8, 2025

Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824)

April 2025 Patch Tuesday introduced fixes for over 120 vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) that is actively exploited. CVE-2025-29824 is a user-after-free vulnerability in the Windows Common Log File System (CLFS), allowing privilege escalation to SYSTEM on compromised Windows machines. Microsoft has patched 32 CLFS vulnerabilities since 2022, with six exploited in the wild. Updates for Windows 10 are not yet available. Other notable vulnerabilities include CVE-2025-26663 and CVE-2025-26670, both unauthenticated user-after-free vulnerabilities in Windows LDAP, and CVE-2025-27480 and CVE-2025-27482 in Windows Remote Desktop Services. None of these vulnerabilities have been patched for Windows 10 systems, but updates are forthcoming. Microsoft reversed its decision to discontinue driver update synchronization to WSUS servers, confirming that WSUS will continue to synchronize driver updates.

Tech Optimizer

April 7, 2025

Sakura RAT Released on GitHub Can Bypass Antivirus and EDR Tools

Sakura RAT is a newly developed remote administration tool available on GitHub, designed for use by malware analysts and security researchers. It features capabilities such as hidden browsing, hidden virtual network computing (HVNC), fileless execution, multi-session control, and anti-detection mechanisms to evade antivirus and endpoint detection systems. While marketed for research purposes, its open availability raises concerns about potential misuse by cybercriminals for activities like data exfiltration and ransomware deployment. Cybersecurity experts are advocating for the removal of the repository from GitHub and calling for improved detection systems to combat the risks posed by such advanced tools.

Tech Optimizer

March 31, 2025

Traditional EDR can’t keep up with modern cyber threats

By 2025, the global cost of cybercrime is projected to reach .5 trillion annually. Many organizations continue to use outdated Endpoint Detection and Response (EDR) solutions, which are increasingly ineffective against sophisticated cyber threats. EDR was introduced in 2013 but has struggled to keep pace with evolving attack techniques. Traditional EDR is reactive, responding to incidents after they occur, and relies on known Indicators of Compromise (IoCs), which limits its effectiveness. Real-world examples of traditional EDR failures include a misconfigured update to CrowdStrike’s Falcon EDR causing an IT outage, the Akira ransomware exploiting an unsecured webcam, the Medibank breach despite multiple alerts from EDR, and the BlackCat ransomware attack on Henry Schein. These incidents highlight the inadequacy of traditional EDR in preventing modern threats. The next phase of endpoint security is Preemptive Endpoint Protection (PEP), which actively prevents attacks rather than just detecting and responding to them. PEP utilizes proactive strategies like Automated Moving Target Defense (AMTD) and Adaptive Exposure Management (AEM), and research indicates that organizations using proactive security save 30% more on breach costs compared to those relying solely on reactive measures.