endpoint security Archives

Winsage

May 15, 2025

Windows Remote Desktop Vulnerability Let Attackers Execute Malicious Code Over Network

Microsoft's May 2025 Patch Tuesday addressed 72 vulnerabilities in Windows Remote Desktop services, including two critical vulnerabilities, CVE-2025-29966 and CVE-2025-29967, which are heap-based buffer overflow issues. These flaws allow unauthorized attackers to execute arbitrary code over a network, posing significant risks. The vulnerabilities have been rated as "Critical" and classified under CWE-122. They affect various versions of Windows operating systems utilizing Remote Desktop services. Although there have been no reported active exploitations, experts warn of the potential dangers, urging users to apply patches immediately. The update also addressed five actively exploited zero-day vulnerabilities in other Windows components. Patches are available through Windows Update, WSUS, and the Microsoft Update Catalog.

Tech Optimizer

April 30, 2025

Malwarebytes Launches Global Strategic Partner Program Offering Organizations a One-stop Shop for Personal Security, Privacy, and Identity Solutions

Malwarebytes has launched a partnership initiative aimed at providing financial institutions, HR benefit providers, and internet service providers with personal security, privacy, and identity solutions in response to rising online fraud, which has led to financial losses of .5 billion over the past year for one in three individuals. The program offers AI-powered consumer security solutions to protect devices from various threats and allows partners to choose from a range of options or create custom solutions. Key features include a comprehensive cybersecurity platform, advanced mobile security, and flexible integration options. Eero is one of the first partners to integrate Malwarebytes Premium Security into its eero Plus subscription service, enhancing online security for its subscribers.

Winsage

April 27, 2025

Windows 10 support ends soon, but shockingly, 35% of SMBs are either clueless or refusing to upgrade their systems

A recent survey by Canalys revealed that over a third (35%) of channel partners reported their small and medium-sized business (SMB) clients are either unaware of the upcoming end-of-service (EoS) deadline for Windows 10 or lack a plan to transition away from it. Additionally, 14% of respondents admitted they do not know that support for Windows 10 is ending on October 14, 2025. The market for business PCs is growing, with a 9.4% year-on-year increase in shipments, reaching 62.7 million units in Q1 2025. Experts warn that the lack of upgrade plans could lead to significant financial repercussions for SMBs, especially with rising tariffs and potential supply constraints. A structured approach for transitioning to Windows 11 is recommended, including assessing current hardware, evaluating application compatibility, developing a timeline for upgrades, budgeting for investments, training staff, and implementing endpoint security strategies.

Tech Optimizer

March 31, 2025

Traditional EDR can’t keep up with modern cyber threats

By 2025, the global cost of cybercrime is projected to reach .5 trillion annually. Many organizations continue to use outdated Endpoint Detection and Response (EDR) solutions, which are increasingly ineffective against sophisticated cyber threats. EDR was introduced in 2013 but has struggled to keep pace with evolving attack techniques. Traditional EDR is reactive, responding to incidents after they occur, and relies on known Indicators of Compromise (IoCs), which limits its effectiveness. Real-world examples of traditional EDR failures include a misconfigured update to CrowdStrike’s Falcon EDR causing an IT outage, the Akira ransomware exploiting an unsecured webcam, the Medibank breach despite multiple alerts from EDR, and the BlackCat ransomware attack on Henry Schein. These incidents highlight the inadequacy of traditional EDR in preventing modern threats. The next phase of endpoint security is Preemptive Endpoint Protection (PEP), which actively prevents attacks rather than just detecting and responding to them. PEP utilizes proactive strategies like Automated Moving Target Defense (AMTD) and Adaptive Exposure Management (AEM), and research indicates that organizations using proactive security save 30% more on breach costs compared to those relying solely on reactive measures.

Tech Optimizer

March 31, 2025

Ransomware crews add EDR killers to their arsenal

Antivirus and endpoint security tools are increasingly challenged by ransomware groups that use sophisticated strategies to disable defenses early in attacks. Cisco Talos reported that in nearly half of the ransomware incidents they handled in 2024, attackers successfully employed "EDR killers" to neutralize endpoint detection and response (EDR) systems, achieving success 48 percent of the time. Tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator pose significant threats to organizational security. EDRKillShifter exploits vulnerable drivers on Windows machines to terminate EDR products, a tactic observed in operations by rival gangs like Medusa, BianLian, and Play. The primary goal of these tools is to disable EDR protections, allowing attackers to operate undetected, complicating system recovery efforts. Recovery often requires wiping and rebuilding entire networks if robust backups are available. Some EDR killers, like HRSword, are legitimate software tools misused by ransomware actors to disable endpoint protection systems. Attackers have exploited misconfigured systems, particularly EDR products set to audit-only mode, which detect but do not block malicious activity. LockBit has remained the most active ransomware-as-a-service group for the third consecutive year, accounting for 16 percent of claimed attacks in 2024. Newcomer RansomHub secured the second position with 11 percent of posts to leak sites. The effectiveness of law enforcement actions plays a significant role in shaping the ransomware landscape.

Tech Optimizer

March 23, 2025

How to disable the Windows Hello feature with Intune

Windows Hello allows users to authenticate in Windows using biometric data or a PIN, with enhanced features in Windows Hello for Business, including device authentication and integration with Conditional Access. It is recognized by NIST as a multifactor authentication (MFA) method, combining a device with a Trusted Platform Module (TPM) and a PIN or biometric data. However, the second factor is not portable, which may be a concern for some organizations. For those not using Windows Hello for Business, IT administrators can disable it through Microsoft Intune using two methods: by adjusting enrollment options or creating an account protection policy.

Tech Optimizer

March 21, 2025

Cybercriminals Exploit CheckPoint Driver Flaws in Malicious Campaign

A report by Nima Bagheri reveals that CheckPoint’s ZoneAlarm antivirus software is being exploited by threat actors using a method called Bring Your Own Vulnerable Driver (BYOVD). This attack targets vulnerabilities in the vsdatant.sys driver, which operates with high-level kernel privileges, allowing attackers to bypass Windows security measures. Specifically, version 14.1.32.0 of vsdatant.sys, released in 2016, contains vulnerabilities that enable attackers to circumvent the Windows Memory Integrity feature, gaining access to sensitive information and establishing persistent connections to compromised systems. Bagheri advises users to update to the latest version of vsdatant.sys, which is not vulnerable. CheckPoint confirmed that the outdated driver is no longer in use and that users running the latest versions of ZoneAlarm or Harmony Endpoint are not affected.

AppWizard

February 24, 2025

Android App on Google Play Targets Indian Users to Steal Login Credentials

A recently uncovered Android application, Finance Simplified (package: com.someca.count), is a malware platform disguised as a financial management tool for Indian users. It has rapidly gained downloads, increasing from 50,000 to 100,000 in one week. The app uses location-based targeting to present unauthorized loan applications and redirects users to external websites that bypass Google Play’s security. It requests extensive permissions, including access to location data, contacts, call logs, SMS messages, clipboard content, and external storage, and stealthily collects sensitive information like passwords and credit card numbers, which are sent to a command-and-control server on Amazon EC2. The app employs tactics such as dynamic WebView manipulation to present fake loan applications, persistent data harvesting, and blackmail through altered user photos. Finance Simplified is part of a network of fraudulent apps that falsely claim registration with Indian financial regulators and have been removed from the Play Store for fraudulent activities. Users are advised to scrutinize app permissions and avoid downloading unverified applications.

Tech Optimizer

February 7, 2025

What is Managed Endpoint Protection?

Managed Endpoint Protection involves outsourcing endpoint security for devices like laptops, desktops, and servers to specialized providers. These services offer continuous monitoring, automated responses, and compliance checks, utilizing advanced analytics and real-time threat intelligence. Key features include continuous monitoring, automated threat containment, vulnerability management, forensic analysis, compliance tools, and threat hunting. Managed services address various threats such as ransomware, phishing, zero-day exploits, credential theft, insider threats, DDoS attacks, and data exfiltration. Benefits include 24/7 expert coverage, access to specialized threat intelligence, faster incident response, reduced operational complexity, predictable pricing, and improved compliance. Challenges include the rapidly evolving threat landscape, skills shortage, budget constraints, and ensuring real-time visibility. Best practices for implementation involve maintaining asset inventories, defining roles, fine-tuning detection thresholds, conducting regular drills, and integrating with broader security measures. When choosing a provider, factors to consider include technical expertise, service level agreements, integration capabilities, pricing, compliance, and ongoing support. SentinelOne offers an autonomous cybersecurity platform that enhances endpoint security through superior visibility, automated responses, and customizable features.