endpoint security

Tech Optimizer
November 26, 2024
Endpoint security is crucial for corporate cybersecurity, focusing on protecting individual employees and their computers. IT departments rely on security software and remote-access VPN services to mitigate risks from compromised systems and unauthorized data access, especially for remote workers. In 2024, Bitdefender is recognized as the top security suite for work-from-home environments, winning the Business Choice award. Trend Micro received a Readers’ Choice Award, while Norton outperformed Microsoft in satisfaction. Malwarebytes is preferred for standalone antivirus options. For IT-managed security software, Bitdefender retains its title for the second consecutive year, with Microsoft experiencing a decline in ratings. GlobalProtect, from Palo Alto Networks, is the top-rated remote access VPN, excelling in most categories except reliability, where SonicWall is a close competitor. Cisco is the preferred IT-managed VPN brand, rated higher by IT managers than by users, outperforming SonicWall in reliability, ease of use, and internet speed. The PCMag Readers’ Choice survey for Antivirus and Security Suites and VPNs was conducted from September 10 to November 4, 2024.
Winsage
November 12, 2024
Threat actors have enhanced the Remcos remote access tool, making it a more sophisticated malware variant by using multiple layers of scripting languages to evade detection. This new campaign exploits a known remote code execution vulnerability in unpatched Microsoft Office and WordPad applications, initiated through a phishing email containing a disguised Excel file. The malware employs various encoding methods and obfuscation techniques to avoid analysis, including the use of PowerShell scripts and API hooking. It gathers information from the victim's device and transmits it to a command and control server. Experts emphasize the importance of patching, employee training, and robust endpoint protection to defend against such attacks.
Winsage
October 28, 2024
Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.
Winsage
October 26, 2024
SafeBreach security researcher Alon Leviev has identified a vulnerability in the Windows operating system that allows attackers to downgrade kernel components, bypassing security measures like Driver Signature Enforcement (DSE). This vulnerability enables the installation of rootkits on fully patched systems. Leviev demonstrated that attackers can manipulate the Windows Update process to introduce outdated components without altering the system's patched status. He introduced a tool called Windows Downdate, which allows the creation of custom downgrades, exposing updated systems to previously patched vulnerabilities. Leviev's method, named "ItsNotASecurityBoundary," exploits a flaw in the DSE, allowing unsigned kernel drivers to be loaded and facilitating the deployment of rootkit malware. Despite Microsoft addressing the privilege escalation aspect of this vulnerability, it does not protect against downgrade attacks. Leviev's research shows that attackers can replace the 'ci.dll' file responsible for enforcing DSE with an unpatched version during the Windows Update process, thereby circumventing protections. He also discussed methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical resources, by modifying registry keys. Leviev emphasizes the need for endpoint security tools to monitor downgrade procedures to mitigate these risks.
Winsage
October 24, 2024
Windows administrators are adapting to changes in security practices due to the rise of sophisticated cyber threats, increased remote work, cloud adoption, regulatory compliance, and supply chain attacks. Key strategies discussed include the integration of advanced threat protection tools, prioritizing endpoint security and zero-trust principles, extending security strategies to cloud environments, implementing strong data protection measures, and enhancing third-party security. The CrowdStrike incident highlighted the importance of change management, continuous monitoring, a layered security approach, proactive communication, disaster recovery planning, vendor accountability, regular security audits, and incident response readiness. AI's role in Windows security is evolving, with potential benefits in threat detection and response, but it also introduces new vulnerabilities and requires adherence to data privacy standards. Organizations must implement governance practices to mitigate risks associated with AI manipulation, ensure human oversight, navigate regulatory considerations, and build user trust for successful adoption.
Tech Optimizer
October 15, 2024
Threat actors are increasingly using the open-source tool EDRSilencer to bypass endpoint detection and response (EDR) systems. EDRSilencer, originally designed for red teaming, silences EDR solutions by utilizing the Windows Filtering Platform (WFP) to block outbound network communications of EDR processes. It detects processes from various EDR products, including Carbon Black EDR, Cybereason, ESET Inspect, SentinelOne, Microsoft Defender, and others. Additional rules can be implemented to block processes not explicitly listed in the tool. The landscape of EDR evasion tools has expanded, with groups like FIN7 marketing AvNeutralizer to ransomware factions. Other tools include EDRKillShifter and PoorTry, which target and terminate security products. These tools are often sold as subscription services, making them accessible to threat actors with varying technical skills. Prices for these tools range from a low monthly subscription fee to ,500 or more for comprehensive packages. Trend Micro researchers recommend advanced detection mechanisms and proactive threat hunting strategies to mitigate risks from EDR-killing tools.
Tech Optimizer
September 20, 2024
Users of macOS 15, also known as 'Sequoia,' are experiencing network connection issues with certain endpoint detection and response (EDR) solutions, VPNs, and web browsers, particularly with CrowdStrike Falcon and ESET Endpoint Security. These problems seem to resolve when the tools are deactivated, indicating a compatibility issue with the operating system's network stack. Firewall configurations are causing packet corruption and SSL failures, affecting command-line tools like 'wget' and 'curl.' CrowdStrike has advised customers against upgrading to macOS 15 due to significant changes in networking structures, and similar warnings have been issued by SentinelOne Support. Users have reported connectivity issues with Mullvad VPN and corporate VPNs, while ProtonVPN appears to function without problems. ESET recommends removing ESET Network from the filters in System Settings to restore network functionality for certain versions of their software. Security researcher Wacław Jacek has suggested a temporary fix for firewall issues, and Mullvad VPN is aware of the problems and is working on a resolution. Users relying on EDR products, VPNs, or strict firewall configurations may want to delay upgrading to macOS 15 until these issues are resolved.
Winsage
September 18, 2024
Microsoft has reclassified a bug from its September Patch Tuesday update as a zero-day vulnerability, designated CVE-2024-43461, which has been exploited by the threat group "Void Banshee" since before July. This vulnerability affects all supported versions of Windows and allows remote attackers to execute arbitrary code if a victim visits a malicious webpage or clicks an unsafe link. Initially rated 8.8 on the CVSS scale, Microsoft revised its assessment after discovering active exploitation linked to another vulnerability, CVE-2024-38112, which was patched in July 2024. To protect against CVE-2024-43461, Microsoft recommends applying patches from both the July and September updates. CISA added this flaw to its known exploited vulnerabilities database, setting an implementation deadline of October 7 for federal agencies. The vulnerability enables attackers to manipulate browser interfaces and has been used by Void Banshee to deploy Atlantida malware through deceptive files. The coordinated attack chain involving CVE-2024-43461 and CVE-2024-38112 exploits the legacy MSHTML engine, which remains in Windows for compatibility. A study indicated that over 10% of Windows 10 and 11 systems lack endpoint protection, increasing vulnerability to such exploits.