endpoint Archives

Winsage

February 22, 2025

Announcing Windows 11 Insider Preview Build 26120.3291 (Dev and Beta Channels)

Windows 11 Insider Preview Build 26120.3291 (KB5052080) has been released for the Dev and Beta Channels, introducing enhancements for Snapdragon-powered Copilot+ PCs. Key updates include an improved Windows Search feature that allows users to find cloud-stored files directly from the taskbar search box and a refined Recall (Preview) experience, which will delete previous snapshots but continue saving new ones if enabled in Settings. For Beta Channel users, the same updates are available as optional upgrades, with plans to make them recommended later this year. Insiders can switch from the Dev to the Beta Channel while both channels share identical build numbers, but this option will close once the Dev Channel progresses to higher build numbers. The improved Windows Search feature supports finding cloud-stored photos by describing them, available for users signed into OneDrive with a personal Microsoft account. Support for third-party cloud providers is expected soon. The update also includes fixes for live captions, File Explorer reliability, and issues with Remote Desktop. Known issues include inaccuracies in build version display after a PC reset and problems with Recall not saving snapshots automatically. An update to the Snipping Tool introduces a new trim feature for screen recordings, allowing users to adjust start and end times.

Tech Optimizer

February 18, 2025

Microsoft Discovers Return Of Alarming MacOS Malware With Sinister New Tricks

The XCSSET malware, discovered in 2020, allows cybercriminals remote access to developers' MacBooks and has led to a reassessment of macOS security measures. A new variant of XCSSET has been identified, specifically targeting macOS systems and exploiting vulnerabilities, particularly in keychains, to steal sensitive information like usernames and passwords. This variant spreads through Xcode projects and features enhanced functionality that makes detection and removal more challenging. It employs increased randomization in payload generation and uses both xxd and Base64 encoding. The malware can remain undetected, targeting Xcode projects for payload insertion and extracting data from cryptocurrency wallets and the Notes app. Microsoft has confirmed that its Defender for Endpoint on Mac can detect both the old and new variants of XCSSET, but developers are advised to exercise caution by downloading only from trusted sources, using the latest software versions, inspecting Xcode projects before opening them, and avoiding third-party applications.

Winsage

February 18, 2025

Earth Preta APT Exploit Microsoft Utility Tool to Control Windows

Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.

Tech Optimizer

February 18, 2025

Microsoft Defender vs. McAfee: Features, Pricing, Pros & Cons

eSecurity Planet maintains editorial independence and may earn revenue from partner links. Microsoft Defender, a free built-in antivirus for Windows, offers minimal configuration and supports Windows 10 and 11, while McAfee, which holds a 12.47% share of the global antivirus market, provides extensive privacy monitoring and data protection across multiple platforms (Windows, Mac, Android, iOS) with various pricing plans ranging from .99 to 9.99. Microsoft Defender supports a single device and includes features like real-time threat protection, parental controls, and a firewall, but lacks advanced features like VPN and identity theft monitoring. McAfee offers a wider range of features, including a VPN, identity theft monitoring, and data cleanup, making it a more comprehensive solution despite its higher cost. Microsoft Defender has an overall rating of 3.8/5, while McAfee rates 4.4/5, excelling in customer support with multiple channels, including live chat and phone support. Microsoft Defender is suitable for users on a budget, while McAfee is better for those needing robust privacy and identity protection. Alternatives to consider include Norton, Bitdefender, and Malwarebytes.

Winsage

February 14, 2025

REF7707 Hackers Attacking Windows & Linux Machines Using FINALDRAFT Malware

A hacking campaign named “REF7707” has been targeting Windows and Linux systems with malware families including FINALDRAFT, GUIDLOADER, and PATHLOADER. It originated in late November 2024, when Elastic Security Labs detected alerts from the Foreign Ministry of a South American nation. The attackers used Microsoft’s certutil application to download files and had valid network credentials for lateral movement. FINALDRAFT, a key component of the campaign, exploits the Windows-signed debugger CDB.exe and uses a Scheduled Task for persistence. It employs Microsoft’s Graph API for command and control, utilizing cloud services and domains like support.vmphere[.]com and update.hobiter[.]com. The campaign highlights the need for improved security measures across different operating systems.

Winsage

February 13, 2025

Russian Hackers Leverages Weaponized Microsoft KMS to Hack Windows Systems

The Russian state-sponsored hacking group Sandworm, affiliated with the GRU, has been using pirated Microsoft Key Management Service (KMS) activation tools to infiltrate Ukrainian Windows systems since late 2023. They distribute a harmful ZIP file named “KMSAuto++x64_v1.8.4.zip” on torrent platforms, which, when executed, deploys the BACKORDER loader and disables Windows Defender. The BACKORDER loader then downloads the Dark Crystal Remote Access Trojan (DcRAT) from attacker-controlled domains, allowing data theft, including keystrokes and browser credentials. The campaign exploits Ukraine's high prevalence of unlicensed software, estimated at 70% in the public sector, increasing vulnerability to cyberattacks. Researchers have linked this activity to Sandworm through shared infrastructure and tactics, highlighting its role in Russia's hybrid warfare strategy against Ukraine. Cybersecurity experts recommend avoiding pirated software and implementing robust security measures to mitigate these threats.

Tech Optimizer

February 11, 2025

10 Best UTM (Unified Threat Management) Firewalls

Unified Threat Management (UTM) firewalls integrate multiple security functionalities into a single platform, streamlining security management and reducing costs for organizations, particularly small and medium-sized enterprises (SMEs). UTM solutions include features such as firewalls, intrusion detection and prevention systems (IDPS), antivirus, anti-spam, VPN, web content filtering, and application control, providing comprehensive protection against various cyber threats. UTM firewalls serve as a gateway between internal networks and external connections, inspecting all traffic to block malicious activity. They continuously monitor for suspicious patterns, scan for malware, filter web access, provide VPN capabilities for secure remote connectivity, and filter emails to protect against spam and phishing. UTM systems offer centralized management through a unified dashboard, receive regular updates for emerging threats, and may include performance optimization features. The distinction between UTM and traditional firewalls lies in UTM's broader range of security functions, acting as a comprehensive security solution rather than solely focusing on real-time malware scanning. Top UTM firewalls include: 1. SonicWall UTM: Intrusion prevention and gateway anti-virus. 2. Sophos UTM: User-friendly management with advanced security measures. 3. Check Point UTM: Comprehensive protections including firewalls and VPNs. 4. Fortinet FortiGate UTM: Integrates security and networking functions. 5. WatchGuard UTM: Balances performance, security, and management ease. 6. Juniper UTM: High-performance security services. 7. Barracuda UTM: Extensive network protection through integrated functions. 8. Stormshield UTM: Proactive defense mechanisms. 9. Huawei Unified Security Gateway (USG): Versatile security protections. 10. Cisco UTM: Integrated security and threat management services. Key features of the best UTM firewalls include application control, advanced threat prevention, reporting and analytics, scalability, endpoint protection, and DDoS protection.

Tech Optimizer

February 8, 2025

New Attack Technique to Bypassing EDR as Low Privileged Standard User

A new cyberattack technique allows attackers to bypass Endpoint Detection and Response (EDR) systems while using low-privileged standard user accounts. This method utilizes masquerading and path obfuscation to disguise malicious payloads as legitimate processes, misleading detection systems and analysts. Process creation events are crucial for identifying threats, with tools like Sysmon logging detailed information about process execution. Attackers can manipulate file paths to evade restrictions on placing payloads in protected directories. They create folders that mimic legitimate antivirus software paths using Unicode characters to resemble spaces. For example, a folder may be named C:Program[U+2000]Files, allowing the attacker to introduce their payload (SuperJuicy.exe) without raising alarms. The execution of the payload results in logs that appear legitimate, complicating detection efforts. This technique poses challenges for EDR systems, including confusion in log analysis, deceptive attribution to legitimate software, and prolonged dwell time for malicious payloads. Defensive strategies include enhanced logging rules to flag Unicode characters, adjusting log viewers to display these characters, and restricting folder creation permissions for standard users.

Winsage

February 7, 2025

Latest Windows 11 build adds full MIDI 2.0 support and improved performance

Microsoft has released Windows 11 Insider Preview Build 27788 in the Canary Channel, which includes significant enhancements to the MIDI standard. This update supports both MIDI 1.0 and MIDI 2.0, designed exclusively for 64-bit operating systems, and extends full MIDI compatibility across all modern Windows architectures, including Arm64-based PCs. The MIDI 2.0 standard features high-speed data transmission, high-fidelity messages, and endpoint discovery and negotiation. The new MIDI stack improves performance with better timing and reduced jitter, and a faster MIDI driver supports both versions with automatic API translation for interoperability. The update also includes a USB MIDI 2.0 class driver developed in collaboration with the Association of Musical Electronics Industry of Japan and AmeNote, ensuring compatibility with both MIDI 2.0 and legacy MIDI 1.0 devices. Additionally, the preview introduces a 1-click resume function for OneDrive and selective installation options for games in the Microsoft Store.

Tech Optimizer

February 7, 2025

What is Managed Endpoint Protection?

Managed Endpoint Protection involves outsourcing endpoint security for devices like laptops, desktops, and servers to specialized providers. These services offer continuous monitoring, automated responses, and compliance checks, utilizing advanced analytics and real-time threat intelligence. Key features include continuous monitoring, automated threat containment, vulnerability management, forensic analysis, compliance tools, and threat hunting. Managed services address various threats such as ransomware, phishing, zero-day exploits, credential theft, insider threats, DDoS attacks, and data exfiltration. Benefits include 24/7 expert coverage, access to specialized threat intelligence, faster incident response, reduced operational complexity, predictable pricing, and improved compliance. Challenges include the rapidly evolving threat landscape, skills shortage, budget constraints, and ensuring real-time visibility. Best practices for implementation involve maintaining asset inventories, defining roles, fine-tuning detection thresholds, conducting regular drills, and integrating with broader security measures. When choosing a provider, factors to consider include technical expertise, service level agreements, integration capabilities, pricing, compliance, and ongoing support. SentinelOne offers an autonomous cybersecurity platform that enhances endpoint security through superior visibility, automated responses, and customizable features.