endpoint security

Winsage
July 24, 2025
Microsoft has introduced enhancements to Windows 11's recovery capabilities, including a new restart screen that replaces the Black Screen of Death, reducing crash downtime to approximately two seconds. The Quick Machine Recovery (QMR) tool automatically resolves issues with unresponsive devices without manual IT intervention. The updated interface improves readability and retains essential technical details for troubleshooting. QMR will be available for all Windows 11 version 24H2 devices, enabled by default for Home users, while IT administrators can activate it for Pro and Enterprise systems. Additionally, antivirus software will now run in user mode to improve system stability.
Tech Optimizer
July 7, 2025
The XWorm Remote Access Trojan (RAT) has evolved its attack strategies by incorporating advanced stagers and loaders to evade detection. It is known for its capabilities, including keylogging, remote desktop access, data exfiltration, and command execution, and is particularly targeted at the software supply chain and gaming sectors. Recent campaigns have paired XWorm with AsyncRAT for initial access before deploying ransomware using the leaked LockBit Black builder. XWorm utilizes various file formats and scripting languages for payload delivery, often through phishing campaigns with deceptive lures like invoices and shipping notifications. It employs obfuscation techniques, including Base64 encoding and AES encryption, and manipulates Windows security features to avoid detection. Persistence mechanisms such as registry run keys and scheduled tasks ensure sustained access. XWorm conducts system reconnaissance, queries for antivirus software, and attempts to disable Microsoft Defender. It can propagate via removable media and execute commands from command-and-control servers. The Splunk Threat Research Team has developed detections for suspicious activities related to XWorm infections. Indicators of compromise include various file hashes for different scripts and loaders associated with XWorm.
Tech Optimizer
July 5, 2025
Cybercriminals are using legitimate software installer frameworks like Inno Setup to distribute malware, taking advantage of its trusted appearance and scripting capabilities. A recent campaign demonstrated how a malicious Inno Setup installer can deliver information-stealing malware, such as RedLine Stealer, through a multi-stage infection process. This process includes evasion techniques like detecting debuggers and sandbox environments, using XOR encryption to obscure strings, and conducting WMI queries to identify malware analysis tools. The installer retrieves a payload from a command-and-control server via a TinyURL link and creates a scheduled task for persistence. The payload employs DLL sideloading to load HijackLoader, which ultimately injects RedLine Stealer into a legitimate process to steal sensitive information. RedLine Stealer uses obfuscation techniques and disables security features in browsers to avoid detection. The Splunk Threat Research Team has developed detection methods focusing on indicators such as unsigned DLL sideloading and suspicious browser behaviors.
Indicators of Compromise (IOC):
- Malicious Inno Setup Loader Hash 1: 0d5311014c66423261d1069fda108dab33673bd68d697e22adb096db05d851b7
- Malicious Inno Setup Loader Hash 2: 0ee63776197a80de42e164314cea55453aa24d8eabca0b481f778eba7215c160
- Malicious Inno Setup Loader Hash 3: 12876f134bde914fe87b7abb8e6b0727b2ffe9e9334797b7dcbaa1c1ac612ed6
- Malicious Inno Setup Loader Hash 4: 8f55ad8c8dec23576097595d2789c9d53c92a6575e5e53bfbc51699d52d0d30a
Tech Optimizer
July 5, 2025
Manufacturers are increasingly integrating IT systems with operational technology (OT), leading to heightened cyber threats such as ransomware, supply chain breaches, and attacks from nation-state actors. To enhance cyber resilience, it is crucial to segment IT and OT networks to prevent breaches on the IT side from affecting critical OT systems. Effective segmentation involves placing OT systems behind firewalls, restricting protocols, and using unidirectional gateways. Many manufacturing plants struggle with aging and undocumented devices, making security and monitoring challenging. Asset visibility tools can help map connected devices, enabling better inventory management and risk assessment. Attackers often use "living-off-the-land" techniques to navigate networks undetected, necessitating defenses that include behavioral analytics and application whitelisting. Incident response plans tailored for OT environments are essential, as production interruptions can have severe consequences. These plans should include scenarios like ransomware attacks and require regular testing and backups. For legacy systems that cannot be patched, isolation and monitoring are critical, along with virtual patching to block known exploits. Weak credentials pose a significant risk, so implementing role-based access control and multi-factor authentication is necessary. Security monitoring tools like SIEM and XDR should be used to consolidate data from IT and OT environments, providing alerts for potential attacks. Overall, cyber resilience in manufacturing focuses on minimizing risks and ensuring recovery without disrupting operations.
Winsage
June 30, 2025
Microsoft has announced that Windows 11 25H2 is forthcoming, serving as a feature enablement update rather than a complete overhaul, sharing the same underlying source code as Windows 11 24H2. Windows Insiders have already gained early access to 25H2, which will introduce additional features activated through an enablement package. Jason Leznek, Principal Project Manager for Windows Servicing and Delivery, noted the seamless compatibility between the two versions, advising a focus on new features rather than a comprehensive review of the operating system. Windows 11 24H2 has faced various issues since its release in 2024, leading to compatibility holds from Microsoft. A significant change in Windows 11 25H2 includes the retirement of the Blue Screen of Death (BSoD), which will be replaced by a black "unexpected restart" screen, while still allowing users to view the stop error code. Microsoft is also introducing quick recovery options for PCs that have trouble restarting and enhancing its security framework by allowing antivirus and endpoint protection vendors to operate in user mode outside of the Windows kernel. The BSoD replacement is expected to roll out on Windows 11 24H2 devices over the summer and will be a key feature of Windows 11 25H2. Additionally, the Windows endpoint security platform will enter private preview in July.
Tech Optimizer
June 28, 2025
Microsoft is changing Windows to restrict security software from operating at the kernel level to reduce vulnerabilities. This decision follows a flawed update from CrowdStrike that crashed over 8.5 million Windows machines. Microsoft is collaborating with security firms like CrowdStrike, Bitdefender, ESET, and Trend Micro to create a new security platform, emphasizing a cooperative approach rather than dictating terms. The transition will start with a private preview for security companies, initially affecting antivirus and endpoint detection software, with plans to include other applications later. Microsoft is also introducing a Quick Machine Recovery feature to restore systems that fail to boot and replacing the "Blue Screen of Death" with a black screen as part of its updates.
Winsage
June 27, 2025
Microsoft will retire the Windows Blue Screen of Death (BSOD) in favor of a black screen as part of the Windows Resiliency Initiative (WRI), with the change rolling out later this summer for Windows 11 version 24H2 devices. This update follows a security incident in July 2024 that affected approximately 8.5 million Windows machines. The WRI aims to enhance system resilience by reengineering Windows code and allowing security software to operate outside the Windows kernel, minimizing risks from vendor security code. A private preview of the new Windows endpoint security platform will be available to Microsoft Virus Initiative partners next month.
Winsage
June 26, 2025
Microsoft is preparing to initiate a private preview of new Windows changes aimed at relocating antivirus (AV) and endpoint detection and response (EDR) applications away from the Windows kernel. This initiative follows a significant incident involving a faulty update from CrowdStrike that disrupted 8.5 million Windows-based machines globally. Microsoft is collaborating with industry leaders such as CrowdStrike, Bitdefender, ESET, and Trend Micro to develop a new endpoint security platform. The company is engaging its top engineers, including original architects of Windows, to work on these security enhancements. The upcoming private preview will allow security vendors to suggest modifications, with several iterations anticipated before the final version is ready. Microsoft is also addressing concerns related to kernel-level drivers in anti-cheating engines for gaming and is engaging with game developers on minimizing kernel usage. A forthcoming Windows update will introduce a Quick Machine Recovery feature to expedite restoration of machines encountering boot issues. Additionally, Microsoft is redesigning the Blue Screen of Death (BSOD) from blue to black as part of its commitment to enhancing user experience and system reliability.
Winsage
June 26, 2025
Resilience is now a strategic necessity for organizations, prompting Microsoft to launch the Windows Resiliency Initiative (WRI) to integrate resilience and security into the Windows platform. In September 2024, Microsoft held the Windows Endpoint Security Ecosystem Summit (WESES) with endpoint security vendors and government representatives to discuss enhancing resilience. Following the summit, collaboration with Microsoft Virus Initiative (MVI) partners has increased, focusing on improving Windows security and reliability through rigorous testing and safe deployment practices. Next month, Microsoft will begin a private preview of a new Windows endpoint security platform for select MVI partners, allowing security solutions to operate outside the Windows kernel for better reliability. Microsoft has released the Windows Resiliency Initiative e-book to guide organizations in building resilience.
Innovative products introduced under the WRI include:
- Quick machine recovery (QMR) for faster recovery from unexpected restarts, reducing downtime to approximately two seconds.
- Microsoft Connected Cache to enhance bandwidth efficiency during updates by caching content locally.
- Universal Print anywhere for secure printing from any location.
- Hotpatch updates for critical security updates without requiring a restart.
- Windows 365 Reserve for secure access to a temporary Cloud PC during device disruptions.
Winsage
June 26, 2025
David Weston, Microsoft’s Corporate Vice President of Enterprise and OS Security, stated that Microsoft is preparing to enhance the resilience and security of its Windows operating system. The company will offer limited access to a Windows endpoint security platform for third-party vendors as part of its Microsoft Virus Initiative (MVI), aimed at improving safe deployment practices. The platform will enter a private preview phase in July for select MVI partners, allowing them to provide feedback. Key features include collaboration with third-party vendors, services running outside the Windows kernel, and development driven by partner feedback. The Windows endpoint security platform will enable partners to develop products that operate in user mode, preventing disruptions like the previous CrowdStrike incident. Weston emphasized the importance of customer trust and transparency in the development process. Microsoft is also introducing a simplified user interface and a quick machine recovery service for Windows 11 version 24H2, along with a Connected Cache service launching on July 9 to enhance bandwidth efficiency. Support for Microsoft’s initiatives has come from various third-party security vendors involved in the MVI, with positive feedback from Microsoft solution providers regarding enhanced protection against third-party software issues.