endpoint Archives

Tech Optimizer

May 23, 2025

Cloudflare, Microsoft & police disrupt global malware service

Cloudflare, in collaboration with Microsoft and international law enforcement, has dismantled the infrastructure of LummaC2, an information-stealing malware service. This initiative led to the seizure and blocking of malicious domains and disrupted digital marketplaces used by criminals. Lumma Stealer operates as a subscription service providing threat actors access to a central panel for customized malware builds and stolen data retrieval. The stolen information includes credentials, cryptocurrency wallets, and sensitive data, posing risks of identity theft and financial fraud. Lumma Stealer was first identified on Russian-language crime forums in early 2023 and has since migrated to Telegram for distribution. Its proliferation is facilitated by social engineering campaigns, including deceptive pop-ups and bundled malware in cracked software. Cloudflare implemented measures to block access to Lumma's command and control servers and collaborated with various authorities to prevent the criminals from regaining control. Mitigation strategies for users include restricting unknown scripts, limiting password storage in browsers, and using reputable endpoint protection tools. The operation has significantly hindered Lumma's operations and aims to undermine the infostealer-as-a-service model contributing to cybercrime.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Winsage

May 15, 2025

Windows Remote Desktop Vulnerability Let Attackers Execute Malicious Code Over Network

Microsoft's May 2025 Patch Tuesday addressed 72 vulnerabilities in Windows Remote Desktop services, including two critical vulnerabilities, CVE-2025-29966 and CVE-2025-29967, which are heap-based buffer overflow issues. These flaws allow unauthorized attackers to execute arbitrary code over a network, posing significant risks. The vulnerabilities have been rated as "Critical" and classified under CWE-122. They affect various versions of Windows operating systems utilizing Remote Desktop services. Although there have been no reported active exploitations, experts warn of the potential dangers, urging users to apply patches immediately. The update also addressed five actively exploited zero-day vulnerabilities in other Windows components. Patches are available through Windows Update, WSUS, and the Microsoft Update Catalog.

Tech Optimizer

May 14, 2025

Best Antivirus Software (2025): ESET Recognized as Top Cybersecurity Solution by Software Experts

ESET is recognized as a leading antivirus provider in 2025, known for its robust security solutions that effectively combat rising cyber threats such as phishing, ransomware, and zero-day exploits. The company's offerings include heuristic and behavioral detection, ransomware and phishing protection, exploit blocker technology, and low resource usage, ensuring minimal impact on system performance. ESET provides various products for home users, including ESET HOME Security Essential, Premium, and Ultimate, as well as a Small Business Security package for up to 25 devices and scalable solutions for larger organizations. Pricing for home products starts at .99/year, with multi-device and multi-year discounts available. ESET operates in over 200 countries, utilizing a global network for real-time threat intelligence and maintaining a commitment to effective digital security since its establishment in 1992.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

Winsage

May 13, 2025

Announcing Windows 11 Insider Preview Build 26120.3964 (Beta Channel)

Windows 11 Insider Preview Build 26120.3964 (KB5058496) has been released for the Beta Channel, specifically for Windows 11, version 24H2. Users on version 23H2 can choose to upgrade to version 24H2 with this build. The update introduces a new AI-powered agent in Settings for easier navigation and task automation, currently available for Snapdragon-powered Copilot+ PCs, with support for AMD and Intel PCs coming soon. Enhanced intelligent text actions have been added to Click to Do for AMD and Intel-powered Copilot+ PCs, allowing users to summarize, create bulleted lists, or rewrite text. A dedicated FAQs section has been added to the Settings > System > About page. Several fixes have been implemented, including improvements to the Start menu, File Explorer, and voice access. Known issues include problems with PC reset display and Xbox Controller connectivity. Entra ID support for AI features in Paint and Notepad has been rolled out for IT-managed PCs.

Winsage

May 13, 2025

Announcing Windows 11 Insider Preview Build 26200.5600 (Dev Channel)

Windows 11 Insider Preview Build 26200.5581 (KB5058493) has been released to the Dev Channel. New features include enhanced intelligent text actions in Click to Do for AMD and Intel™-powered Copilot+ PCs, allowing users to Summarize, Create a bulleted list, or Rewrite text. These features are available when the default language is English and at least 10 words are selected. For users with French or Spanish as their primary language, only Summarize, Create a bulleted list, and Refine options are temporarily available. Improvements include the ability to safely remove devices compatible with Dynamic Lighting and the introduction of a FAQs section in Settings to help users find information about their PC. Fixes have been made to the Start menu, File Explorer, Voice Access, Taskbar, Windows Spotlight, and Live captions. Known issues include problems with the PC reset option and Xbox Controller connectivity. Entra ID support for AI features in Paint and Notepad has been rolled out for IT-managed PCs, allowing access to tools like Cocreator and Generative Fill in Paint, and summarization or rewriting in Notepad. Windows Insiders in the Dev Channel receive updates based on Windows 11, version 24H2, and features may evolve or be removed based on feedback.

Winsage

May 10, 2025

Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network

Threat actors are exploiting Windows Remote Management (WinRM) to navigate through Active Directory environments stealthily, allowing them to bypass detection systems, escalate privileges, and deploy malicious payloads. WinRM operates on HTTP port 5985 and HTTPS port 5986, enabling remote command execution and management tasks. Attackers can gain access through compromised credentials and use WinRM-enabled PowerShell commands for reconnaissance, deploying payloads while evading detection. The attack chain includes initial access, reconnaissance, payload deployment, persistence, and lateral movement, often utilizing techniques that obfuscate malicious activities. Detecting such attacks is challenging due to the use of built-in Windows functionalities and encrypted channels. Recommended mitigation strategies include monitoring for unusual activity, restricting WinRM access, enforcing credential hygiene, and implementing advanced monitoring solutions.

Winsage

May 6, 2025

Expanding the Surface for Business Copilot+ PC portfolio

AI has evolved into a transformative force for organizations, increasing the demand for secure and high-performance AI-ready Windows 11 PCs. Microsoft has introduced Copilot+ PCs, including the new 12-inch Surface Pro and 13-inch Surface Laptop, both powered by the Snapdragon X Plus processor with an integrated neural processing unit (NPU) capable of 45 trillion operations per second. The 13-inch Surface Laptop offers up to 23 hours of video playback and 16 hours of web browsing, with performance enhancements of up to 50% faster speeds and double the battery life compared to its predecessor. It features an AI-enhanced 1080p front camera for video conferencing and a durable design. The 12-inch Surface Pro is the thinnest and lightest Copilot+ PC, providing 50% faster performance and up to 16 hours of local video playback. Both devices are designed as Secured-core PCs with advanced security features, including Windows Hello for Business and biometric authentication options. They support enhanced productivity through AI features in Windows 11 and Microsoft 365 Copilot, enabling faster file searches and improved team efficiency. Microsoft emphasizes sustainability with the use of recycled materials and energy-efficient designs. The new devices will be available starting July 22 in select markets.

Winsage

May 6, 2025

Announcing Windows 11 Insider Preview Build 26120.3950 (Beta Channel)

Windows 11 Insider Preview Build 26120.3950 (KB5055653) has been released to the Beta Channel for Windows 11, version 24H2. Insiders on version 23H2 can opt to upgrade to version 24H2 with this build. Key changes include the introduction of energy saver management in Microsoft Intune, allowing IT administrators to manage energy settings on Windows 11 PCs. Other updates involve UI experiments in Recall, taskbar enhancements, and graphics improvements for HDR capabilities. Fixes include resolving keyboard focus issues in the taskbar, startup sound playback issues, and scaling problems after sleep/resume. Known issues involve bugs with Xbox Controllers and live captions crashing. Insiders are reminded to keep their devices updated for optimal performance and access to features.