IT administration

Tech Optimizer
October 6, 2025
Modern ransomware operations have evolved into complex, multi-stage campaigns that utilize legitimate Remote Access Tools (RATs) to maintain stealth and persistently dismantle organizational defenses. Ransomware encrypts critical data and demands ransom for restoration, with current operations being highly targeted compared to earlier mass phishing attacks. Attackers exploit trusted administrative software like AnyDesk, UltraViewer, RustDesk, and Splashtop to establish backdoors, escalate privileges, and deploy payloads across networks, moving laterally and evading detection.

The ransomware kill chain consists of several stages:
1. Initial Access: Attackers gain access through credential compromise, often targeting administrator accounts.
2. Remote Tool Abuse: Attackers deploy RATs either by hijacking existing tools or performing silent installations.
3. Persistence & Privilege Consolidation: They maintain persistence using registry keys and scheduled tasks while escalating privileges.
4. Antivirus Neutralization & Anti-Forensics: Attackers stop antivirus services, manipulate policies, and clear logs to evade detection.
5. Payload Deployment & Execution: Ransomware is delivered and executed within remote sessions to avoid suspicion.

Commonly abused RATs include AnyDesk, UltraViewer, AppAnywhere, RustDesk, Splashtop, and TightVNC, which have been associated with various ransomware campaigns. Understanding the tactics and techniques used by adversaries is crucial for effective defense, as they exploit legitimate tools to bypass security measures. Emerging trends include AI-driven RAT deployment, cloud-based RAT abuse, and the integration of RATs in ransomware-as-a-service offerings. A comprehensive defense strategy involves multiple layers of security, including virus protection, behavior-based detection, and application control, to counter the risks posed by RAT abuse in ransomware attacks.
Winsage
August 27, 2025
Microsoft is introducing a new feature to simplify the installation of Windows upgrades, utilizing Azure Update Manager to manage updates across hybrid environments without the need for on-premises servers or complex scripting. This update mechanism includes intelligent scheduling and rollback options, enhancing efficiency and reducing the risk of deployment failures. The enhancement is significant for enterprise security, ensuring timely application of critical upgrades to address cyber threats. It may also facilitate smoother transitions to newer Windows versions for businesses using older systems. Reactions from the IT community are positive, with expectations that similar efficiencies could extend to consumer updates in the future.
Winsage
April 4, 2025
Microsoft has introduced the Windows 365 Link, a compact device priced at £349, designed to connect users to Windows Cloud PCs hosted on Azure. Weighing 418 grams, it features HDMI, USB-C, three USB-A ports, Ethernet, Bluetooth, and Wi-Fi. The device is only compatible with organizations using Windows 365 (Enterprise, Frontline, or Business), Intune, and Microsoft Entra ID, excluding government users. It promises high-performance video playback and conferencing, particularly with Teams, but functions primarily as a cloud dongle aimed at simplifying IT administration and enhancing security. The Link connects to Windows 365 in seconds and is available through select resellers like Ricoh UK and Insight Enterprises in the U.S.
Winsage
February 5, 2025
A critical 0-Day vulnerability has been identified in Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute harmful code. This vulnerability has been verified and remains unresolved despite being disclosed to Microsoft over 90 days ago. The Sysinternals tools, including Process Explorer, Autoruns, and Bginfo, are widely used for system analysis and troubleshooting but lack integration with the Windows Update system, requiring manual management of security patches. The vulnerability stems from how Sysinternals tools load DLL files, prioritizing untrusted paths over secure system directories. Attackers can place a malicious DLL in the same directory as a legitimate Sysinternals executable, leading to the execution of arbitrary code under the user's privileges. A real-world example demonstrated that an attacker could deploy a Trojan via the Bginfo tool by loading a malicious DLL from a network directory. The vulnerability affects multiple Sysinternals applications, and a comprehensive list is available from the researcher. Microsoft has classified the issue as a "defense-in-depth" enhancement rather than a critical vulnerability, focusing on local execution rather than risks associated with network paths. As of December 2024, the vulnerability remains unpatched, prompting users to take precautionary steps such as avoiding running tools from network locations and verifying DLL integrity.
Winsage
November 27, 2024
Ensuring that Hyper-V virtual machines (VMs) operate seamlessly on a Windows 11 desktop requires careful attention to window size, as an incorrectly sized window can hinder user experience and restrict business application capabilities. A window that is too large may obscure parts of the screen, while a window that is too small can lead to application errors or make text and images difficult to read. To select the correct window size, users should identify the resolution of their host display, which can be found in Display Settings. It is advisable not to exceed a resolution of 1920 x 1080, with a minimum recommended resolution of 800 x 600. The default resolution is often set to 1366 x 768. For basic Hyper-V VM sessions, which do not support resizing, users must adjust the video output using PowerShell commands while the VM is powered off. For enhanced Hyper-V VM sessions, which utilize the Remote Desktop Protocol (RDP), users can select their preferred resolution upon connecting and can easily resize the window during the session, which automatically adjusts the VM's resolution. Enhanced sessions allow for a more dynamic connection, including local clipboard and printer access, and can be configured for Linux VMs with proper setup.
Winsage
September 22, 2024
Windows Server Update Services (WSUS) is deprecated, with no new features or enhancements planned. Microsoft encourages organizations to transition to cloud solutions for update management. WSUS will continue to function with existing capabilities until its official deprecation on April 18, 2025, but it will not receive updates or new features. Microsoft has phased out WSUS driver synchronization in favor of cloud-based driver services. Organizations are advised to consider tools like Windows Autopatch, Microsoft Intune, and Azure Update Manager for managing updates.
Winsage
July 30, 2024
Microsoft has introduced enhancements to the Microsoft Store and the Windows Package Manager, winget version 1.8, to improve app installation for both casual users and IT administrators. Winget version 1.8 allows users to download and distribute Microsoft Store apps more efficiently by creating a dedicated folder within the Downloads directory for each app package. Users can download apps using the command winget download Calculator -s msstore, find the app package in the Downloads directory, and install it on another device using the Add-AppxPackage -Path command. Administrative privileges are required to execute these commands. The latest version of winget is available for download on GitHub.