Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label EDR. Show all posts
Skitnet
Cyber Defender Cyber Surge Cyberattacks Cybersecurity CyberThreat EDR malware PowerShell malware RAMP Ransomware Security Audits Skitnet

Surge in Skitnet Usage Highlights Evolving Ransomware Tactics

 


Today’s cyber threat landscape is rapidly evolving, making it increasingly difficult for adversaries to tell the difference between traditional malware families, as adversaries combine their capabilities to maximise their impact. Skitnet, an advanced multistage post-exploitation toolkit, is one of the best examples of this convergence, as it emerged as an evolution of the legacy Skimer malware, a sophisticated multi-stage post-exploitation toolkit. 

Skitnet, which was once used as a tool for skimming card information from ATMs, has been repurposed as one of the strongest weapons in the arsenal of advanced ransomware groups, notably Black Basta. In the last few months, it has appeared again as part of a larger tactical shift aimed at focusing on stealth, persistent access, data exfiltration, and support for double extortion ransomware campaigns that move away from singular objectives like financial theft. 

Since April 2024, Skitnet, which is also known as Bossnet in some underground circles, has been actively traded on darknet forums like RAMP, with a noticeable uptake noticed among cybercriminals by early 2025. This version has an enterprise-scale modular architecture, unlike its predecessor, which allows it to operate at an enterprise scale. 

There is no need to worry about fileless execution, DNS-based communication for command-and-control (C2), system persistence, or seamless integration with legitimate remote management tools like PowerShell or AnyDesk to use it. Through this flexibility, attackers can continue to remain covert inside targeted environments for extended periods of time without being noticed. 

In addition to being a threat to enterprises, Skitnet has also been deployed through sophisticated phishing campaigns that attempt to duplicate trusted enterprise platforms such as Microsoft Teams, thus allowing threat actors to use social engineering as a primary vector for gaining access to networks and systems. 

Moreover, this evolution demonstrates the growing commoditization of post-exploitation toolkits on underground markets, which offers a leading indicator of how ransomware groups are utilising increasingly advanced malware to refine their tactics and enhance the overall efficiency of their operations. 

According to recent threat intelligence findings, multiple ransomware groups are now actively integrating Skitnet into their post-exploitation toolkits in order to facilitate data theft, maintain persistent remote access to compromised enterprise systems, and reinforce control over compromised enterprise systems as well as facilitate after-exploitation data theft. Skitnet began circulating in underground forums like RAMP as early as April 2024, but its popularity skyrocketed by early 2025, when several prominent ransomware actors began leveraging its use in active campaigns to target consumers.

Several experts believe that Skitnet will end up being a major ransomware threat to the public shortly. The ransomware group Black Basta, for instance, was seen using Skitnet as part of phishing campaigns mimicking Microsoft Teams communications in April of 2025, an increasingly common technique that exploits the trust of employees towards workplace collaboration tools. 

The Skitnet campaign targets enterprise environments, where its stealth capabilities and modular design make it possible for the attacker to deep infiltrate and stay active for a long time. PRODAFT is tracking Skitnet as LARVA-306, the threat actor designated by the organisation. Skitnet, also known in underground circles by Bossnet, is a multi-stage malware platform designed to be versatile and evasive in nature. 

A unique feature of this malware is its use of Rust and Nim, two emerging programming languages in the malware development community, to craft payloads that are highly resistant to detection. By initiating a reverse shell via the DNS, the malware bypasses traditional security monitoring and allows attackers to remain in communication with the command-and-control infrastructure and maintain covert communications. 

Further increasing Skitnet's threat potential are its robust persistence mechanisms, the ability to integrate with legitimate remote access tools, and the ability to exfiltrate data built into its software. The .NET loader binary can also be retrieved and executed by the server, which serves as a mechanism to deliver additional payloads to the machine, thus increasing its operational flexibility. 

As described on dark web forums, Skitnet is a “compact package” comprised of a server component as well as a malware payload that is easy to deploy. As a result of Skitnet's technical sophistication and ease of deployment, it continues to be a popular choice among cybercriminals looking for scalable, stealthy, and effective post-exploitation tools. 

There is a modular architecture built into Skitnet, with a PowerShell-based dropper that decodes and executes the core loader in a centralised manner. Using HTTP POST requests with AES-encrypted payloads, the loader retrieves task-specific plugins from hardcoded command-and-control servers that are hardcoded. One of its components is skitnel.dll, which makes it possible to execute in memory while maintaining the persistence of the system through built-in mechanisms.

Researchers have stated that Skitnet's plugin ecosystem includes modules that are dedicated to the harvesting of credentials, escalation of privileges, and lateral movement of ransomware, which allow threat actors to tailor their attacks to meet the strategic objectives and targets of their attacks. It is clear from the infection chain that Skitnet is a technical advancement in the post-exploitation process, beginning with the execution of a Rust-based loader on compromised hosts. 

With this loader, a Nim binary that is encrypted with ChaCha20 is decrypted and then loaded directly into memory, allowing the binary to be executed stealthily, without the need for traditional detection mechanisms. The Nim-based payload establishes a reverse shell through a DNS-based DNS request, utilising randomised DNS queries to initiate covert communications with the command-and-control (C2) infrastructure as soon as it is activated. 

To carry out its core functions, the malware then launches three different threads to manage its core functions: one thread takes care of periodic heartbeat signals, another thread monitors and extracts shell output, and yet another thread monitors and decrypts responses received over DNS, and the third thread listens for incoming instructions. Based on the attacker's preferences set within the Skitnet C2 control panel, command execution and C2 communication are dynamically managed, using either HTTP or DNS protocols. 

Through the web-based interface, operators can view infected endpoints in real-time, view their IP address, their location, and their system status, as well as remotely execute command-line commands with precision, in real time. As a result of Skitnet's level of control, it has become a very important tool in modern ransomware campaigns as a highly adaptable and covert post-exploitation tool. 

As opposed to custom-built malware created just for specific campaigns, Skitnet is openly traded on underground forums, offering a powerful post-exploitation solution to cyber criminals of all sorts. The stealth characteristics of this product, as well as minimal detection rates and ease of deployment, make it an attractive choice for threat actors looking to maximise performance and maintain operational covertness. With this ready accessibility, the technical barrier to executing sophisticated attacks is dramatically reduced. 

Real-World Deployments by Ransomware Groups


There is no doubt in my mind that Skitnet is not just a theoretical concept. Security researchers have determined that it has been used in actual operations conducted by ransomware groups such as Black Basta and Cactus, as well as in other real-life situations. 

As part of their phishing campaigns, actors have impersonated Microsoft Teams to gain access to enterprise environments. In these attacks, Skitnet has successfully been deployed, highlighting its growing importance among ransomware threats. 

Defensive Measures Against Skitnet 


Skitnet poses a significant risk to organisations. Organisations need to adopt a proactive and layered security approach to mitigate these risks. Key recommendations are as follows: 

DNS Traffic Monitoring: Identify and block unusual or covert DNS queries that might be indicative of an activity like command and control. 

Endpoint Detection and Response (EDR) Use advanced EDR tools to detect and investigate suspicious behaviour associated with Rust and Nim-based payloads. Often, old antivirus solutions are unable to detect these threats. 

PowerShell Execution Restrictions: PowerShell should be limited to only be used in situations that prevent unauthorised script execution and minimise the risk of a fileless malware attack. 

Regular Security Audits Continually assess and manage vulnerabilities to prevent malware like Skitnet from entering the network and exploiting them, as well as administer patches as needed. 

The Growing Threat of Commodity Malware 


In the context of ransomware operations, Skitnet represents the evolution of commodity malware into a strategic weapon. As its presence in cybercrime continues to grow, organisations are required to stay informed, agile, and ready to fight back. To defend against this rapidly evolving threat, it is crucial to develop resilience through threat intelligence, technical controls, and user awareness. 

Often times, elite ransomware groups invest in creating custom post-exploitation toolsets, but they take a considerable amount of time, energy, and resources to develop them—factors that can restrict operational agility. Skitnet, on the other hand, is a cost-effective, prepackaged alternative that is not only easy to deploy but also difficult to attribute, as it is actively distributed among a wide range of threat actors. 

A broad distribution of incidents further blurs attribution lines, making it more difficult to identify threat actors and respond to incidents. The cybersecurity firm Prodaft has published on GitHub associated Indicators of Compromise (IoCs) related to incident response. As a result of Skitnet's plug-and-play architecture and high-impact capabilities, it is particularly appealing to groups that wish to achieve strategic goals with minimal operational overhead in terms of performance and operational efficiency. 

According to Prodaft in its analysis, Skitnet is particularly attractive for groups that are trying to maximise impact with the lowest overhead. However, in spite of the development of antivirus evasion techniques for custom-made malware, the affordability, modularity, and stealth features of Skitnet continue to drive its adoption in the marketplace. 

Despite the fact that it is a high-functioning off-the-shelf tool, its popularity in the ransomware ecosystem illustrates a growing trend that often outweighs bespoke development when attempting to achieve disruptive outcomes. As ransomware tactics continue to evolve at an explosive rate, the advent and widespread adoption of versatile toolkits like Skitnet are a stark reminder of how threat actors have been continually refining their methods in order to outpace traditional security measures. 

A holistic and proactive cybersecurity posture is vital for organisations to adopt to protect themselves from cyber threats and evade detection, one that extends far beyond basic perimeter defences and incorporates advanced threat detection, continuous monitoring, and rapid incident response capabilities. To detect subtle indicators of compromise that commodity malware like Skitnet exploits to maintain persistence and evade detection, organisations should prioritise integrating behavioural analytics and threat intelligence. 

It is also vital to foster an awareness of cybersecurity risks among employees, particularly when it comes to the risks associated with phishing and social engineering, to close the gap in human intelligence that is often the first attack vector employed by cybercriminals. Organisations must be able to protect themselves from sophisticated post-exploitation tools through multilayered defence strategies combining technology, processes, and people, enabling them to not only detect and mitigate the current threats but also adapt to emerging cyber risks in an ever-changing digital environment with rapidity.
Read more »
SentinelOne
Babuk Babuk Ransomware critical vulnerabilities Cyber Security cybercriminals EDR Ransomware attack Ransomwares SentinelOne

SentinelOne EDR Exploit Allows Babuk Ransomware Deployment Through Installer Abuse

 

A newly discovered exploit has revealed a critical vulnerability in SentinelOne’s endpoint detection and response (EDR) system, allowing cybercriminals to bypass its tamper protection and deploy the Babuk ransomware. The method, identified as a “Bring Your Own Installer” technique, was uncovered by John Ailes and Tim Mashni from Aon’s Stroz Friedberg Incident Response team during a real-world ransomware case investigation. 


The core issue lies in how the SentinelOne agent handles updates. When an agent is upgraded, the existing version is momentarily stopped to make way for the new one. Threat actors have figured out how to exploit this transition window by launching a legitimate SentinelOne installer and then terminating it mid-process. This action disables the EDR protection temporarily, leaving the system vulnerable long enough to install ransomware or execute malicious operations without being detected.  

Unlike traditional bypasses that rely on third-party drivers or hacking tools, this method takes advantage of SentinelOne’s own software. Once the process is interrupted, the system loses its protection, allowing the attackers to act with impunity. Ailes stressed that the bypass can be triggered using both older and newer agent versions, putting even up-to-date deployments at risk if specific configuration settings are not enabled. During their investigation, the team observed how the targeted device disappeared from the SentinelOne management console shortly after the exploit was executed, signaling that the endpoint had become unmonitored. 

The attack was effective across multiple versions of the software, indicating that the exploit isn’t tied to a particular release. To mitigate this risk, SentinelOne recommends activating a feature called “Online Authorization” (also referred to as Local Upgrade Authorization). This setting ensures that any attempt to upgrade, downgrade, or uninstall the agent must first be approved via the SentinelOne management console. 

Although this option exists, it is not enabled by default for existing customers, largely to maintain compatibility with deployment tools like Microsoft’s System Center Configuration Manager. Since the vulnerability was disclosed, SentinelOne has taken steps to notify customers and is now enabling the protective setting by default for new installations. 

The company also confirmed sharing the findings with other major EDR providers, recognizing that similar techniques could potentially impact their platforms as well. While the current exploit does not affect SentinelOne when configured correctly, the case serves as a stark reminder of the importance of security hardening, particularly in the tools meant to defend against sophisticated threats.
Read more »
vulnerabledrivers
Cyber Attacks Cybersecurity Darkweb EDR endpointsecurity ESET Ransomware ransomware-as-a-service vulnerabledrivers

Rise in EDR Killers Signals Growing Threat to Ransomware Detection Systems

 

EDR killers are becoming an increasingly favored tool among ransomware-as-a-service (RaaS) affiliates, with EDRKillShifter emerging as a notable threat. According to a recent report by ESET malware researchers Jakub Souček and Jan Holman, the tool is not alone—there has been a noticeable rise in the variety of EDR killers being used by attackers.

“However, it is not the only EDR killer out there; in fact, ESET researchers have observed an increase in the variety of EDR killers used by ransomware affiliates,” Souček and Holman wrote in the report.

These tools are designed to bypass endpoint detection and response (EDR) solutions that can typically recognize and block encryption payloads used in ransomware attacks. To remain undetected, affiliates rely on EDR killers, which presents a major hurdle for both cybersecurity vendors and internal IT security teams.

ESET’s defense approach includes flagging vulnerable drivers exploited by these tools as potentially unsafe, preventing their activation. The researchers urged organizations to implement similar protective measures.

They referenced the Living Off The Land Drivers (LOLD) project, which tracks over 1,700 vulnerable drivers. However, only a small subset of these are exploited for EDR killer activity, and that number has remained largely consistent.

Identifying and neutralizing these drivers remains a technical challenge. ESET’s analysis highlights how many EDR killers use obfuscated code to dodge early-stage detection. In particular, RansomHub’s EDRKillShifter conceals its shellcode using a 64-character password.

“Without the password, security researchers can neither retrieve the list of targeted process names nor the abused vulnerable driver,” they wrote in the report.

Due to its effectiveness, EDRKillShifter has been adopted by a growing number of affiliates associated with rival ransomware groups since it was released as a service on the dark web.

ESET researchers said they saw a “steep increase” in activity following the release.
Read more »
S-RM
Akira Akira Ransomware Camera Hack Cyber Attacks EDR Ransomware attack Ransomwares RDP S-RM

Ransomware Group Uses Unpatched Webcams to Deploy Attacks

 

A recent cybersecurity report by S-RM has revealed a new tactic used by the Akira ransomware group, demonstrating their persistence in bypassing security defenses. When their initial attempt to deploy ransomware was blocked by an endpoint detection and response (EDR) tool, the attackers shifted their focus to an unexpected network device—a webcam. 

This strategy highlights the evolving nature of cyber threats and the need for organizations to secure all connected devices. The attack began with the use of remote desktop protocol (RDP) to access a target’s server. When the group attempted to deploy a ransomware file, the victim’s EDR successfully detected and neutralized the threat. However, rather than abandoning the attack, the adversaries conducted a network search and identified other connected devices, including a fingerprint scanner and a camera. The camera was an ideal entry point because it was unpatched, ran a Linux-based operating system capable of executing commands, and had no installed EDR solution. 

Exploiting these vulnerabilities, the attackers used the camera to deploy ransomware via the Server Message Block (SMB) protocol, which facilitates file and resource sharing between networked devices. According to cybersecurity experts, this kind of attack is difficult to defend against because it targets overlooked devices. Rob T. Lee, chief of research at the SANS Institute, compared detecting such threats to “finding a needle in a haystack.” The attack underscores how cybercriminals are constantly adapting, looking for the weakest points in a network to infiltrate and execute their malicious operations. 

The Akira ransomware group has gained traction following law enforcement takedowns of major ransomware organizations like AlphV and LockBit. S-RM reported that Akira accounted for 15% of the cyber incidents it analyzed, and in January 2024, CISA confirmed that the group had impacted over 250 organizations, extorting approximately $42 million in ransom payments. Ransom demands from Akira typically range from $200,000 to $4 million. The growing threat to internet of things (IoT) devices is further supported by data from Zscaler, which blocked 45% more IoT malware transactions between June 2023 and May 2024. 

Devices such as webcams, e-readers, and routers are particularly vulnerable due to outdated software and poor security practices. To mitigate risks, cybersecurity experts recommend several best practices for securing IoT devices. Organizations should place IoT devices on restricted networks that prevent unauthorized access from workstations or servers. Unused devices should be turned off, networked devices should be regularly audited, and software patches must be applied promptly. Additionally, changing default passwords on IoT devices is essential to prevent unauthorized access. 

Cybercriminals are continuously thinking outside the box to exploit vulnerabilities, and security professionals must do the same to defend against emerging threats. If attackers can compromise a webcam, they could potentially target more complex systems, such as industrial machinery or medical devices. As ransomware groups evolve, staying ahead of their tactics is crucial for safeguarding sensitive data and preventing costly breaches.
Read more »
Windows
Akira CyberCrime Cybersecurity Cyberthreats EDR EDR Protections Ransomware S-RM Technology Webcam Windows

Webcam Exploited by Ransomware Group to Circumvent EDR Protections

 


Researchers at S-RM have discovered an unusual attack method used by the Akira ransomware gang. The Akira ransomware gang utilized an unsecured webcam to conduct encryption attacks against victims' networks via the use of an unsecured webcam. The attackers were able to bypass the Endpoint Detection and Response (EDR) mechanisms, which had been successful in stopping the ransomware encryptor from functioning on Windows computers.

During an investigation conducted by the S-RM team as part of an incident response, the S-RM team uncovered Akira's sophisticated adaptations in response to security defences. As a first step, the threat actors tried to implement encryption tools on Windows endpoints, but these attempts were thwarted by the EDR solution provided by the victim. 

It is important to note that the attackers reacted to this by exploiting the unsecured webcam as an entry point for the malware to infiltrate the network and launch their ransomware attacks. This incident illustrates how ransomware operators are increasingly using unconventional vulnerabilities to circumvent modern cybersecurity defenses, highlighting the evolution of ransomware operations. 

Network vulnerabilities exploited by Akira ransomware operators. 


Researchers in the cybersecurity field recently discovered a sophisticated attack strategy that was employed by the Akira ransomware group. Initially, the threat actors gained access to the network via an externally exposed remote access solution through which unauthorized access was gained. The attackers then installed AnyDesk.exe, a legitimate remote desktop tool, to maintain persistent access within the compromised network, and proceeded to exfiltrate sensitive data using this tool. 

In the months following the initial breach, the attackers used Remote Desktop Protocol (RDP) to move laterally through the network, simulating legitimate system administrator activities to conceal their activity and blend into normal networking operations. They evaded detection by mimicking legitimate system administrator activities. 

Akira Ransomware Group: A Rising Threat in the Cybercrime Landscape 


Emergence and Rapid Expansion 


Originally identified in early 2023, the Akira ransomware group has rapidly gained popularity as one of the most active ransomware operations in the world. As of 2024, the Akira group is responsible for around 15% of all ransomware incidents that were examined by cybersecurity firm S-RM. The company specializes in targeting small to medium sized businesses (SMEs) in North America, Europe, and Australia, especially businesses that have fewer than 1,000 employees as their primary target market. 

Operational Model and Organizational Structure 


Rather than using the typical paid-for model, Akira also uses a ransomware-as-a-service model: within this model, the group's core developers provide a running platform that allows its affiliates to access its binary and leak sites in exchange for a share of the ransom payments received by the group's owners. 

Triple Extortion Strategy and Technical Adaptability 


By employing a triple approach of extortion, or a series of layers of coercion to maximize leverage over their victims, Akira achieves extreme leverage over them: 

Data Encryption – Locking files and systems to disrupt business operations. 

Data Exfiltration – Stealing sensitive information before encryption. 

Public Disclosure Threats – Threatening to release exfiltrated data unless the ransom is paid. 

Akira's technical adaptability is exemplified by its ability to adjust its attack methods based on security threats. A recent webcam attack highlighted the group's innovative tactics. In this case, the group circumvented Endpoint Detection and Response (EDR) protections by using unsecured Internet of Things devices as an alternative entry point to bypass the system's protections. 

As ransomware operations such as Akira become more sophisticated, organizations, particularly small and medium-sized enterprises, must take proactive cybersecurity measures to mitigate the threats posed by these highly adaptive threat actors. To mitigate these risks, organizations must implement robust endpoint security, network segmentation, and IoT security protocols. 

Initially, the threat actors managed to breach the corporate network through an exposed remote access solution, likely using stolen credentials or brute-force techniques to gain access to the network. Once inside, they deployed AnyDesk, an authentic remote access tool, to gain persistent access and gain access to sensitive data. The data was then used as leverage in a double extortion scheme that later resulted in a double extortion attack. 

When the attack was first initiated, the attackers took advantage of the Remote Desktop Protocol (RDP) to enable them to move laterally, systematically spreading their presence across multiple systems before launching the ransomware attack. Their attack was carried out by introducing a password-protected archive file, win.zip, with the ransomware payload, win.exe, as a payload. Although the threat was initially detected and quarantined by the victim's Endpoint Detection and Response (EDR) system, it was ultimately neutralized when the virus was identified and quarantined. 

The attackers modified their strategy after experiencing this setback by finding alternative ways to attack the device. During a thorough network scan, several potential entry points were discovered, including a webcam and a fingerprint scanner. S-RM, a cybersecurity firm, explains that threat actors eventually chose the webcam as their primary pivot point for gaining access to its data, as it is easy for remote shell access and unauthorized video feeds. Moreover, the attackers took advantage of the device's lightweight Linux-based operating system, which was compatible with Akira's Linux encryptor. 

Since the webcam was without a protection agent against EDR attacks, it was an ideal choice for the ransomware attack to take place. The threat actors were able to successfully encrypt files on network shares by leveraging their connectivity to the Internet, circumventing conventional security measures and demonstrating the evolving sophistication of ransomware tactics. Instead of abandoning their original objective, the ransomware operators chose to utilize a previous internal network scan data as the basis for their next strategy. 

An investigation of the Internet of Things (IoT) revealed that several vulnerable devices were not adequately protected, including webcams and fingerprint scanners. As the attackers recognized the potential of unprotected devices as alternative entry points to traditional security systems, they sought to bypass those mechanisms. They discovered several vulnerabilities during their assessment, including an unsecured webcam, which proved to be the most feasible vulnerability. 

Several reasons contributed to this, most notably that it lacked Endpoint Detection and Response (EDR) protection, which made it an ideal target for exploiting. Additionally, the device was capable of being accessed remotely through a remote shell, making it even easier for attackers to gain access.

In addition, the Linux-based operating system presented a lightweight security footprint, which reduced the chances of detection and strengthened the appeal of the operating system as a potential entry point for cybercriminals. Execution of the Attack Through IoT Exploitation This attacker was able to create malicious SMB traffic directed towards a target Windows server by compromising a vulnerable webcam, which was able to be used by the attacker to create malicious SMB traffic. 

Due to the organization's lack of active monitoring of IoT devices, this technique enabled the ransomware payload to bypass traditional detection mechanisms. As a result of the attack, a large number of files were encrypted across the network of the victim. Even though SMB-based attacks have generally been considered to be less efficient than other intrusion techniques, this attack proved extremely effective in this case, mainly because they are frequently incompatible with conventional security monitoring tools, such as this tool. 

It is as a consequence of this incident that organizations must take proactive steps to ensure that all network-connected devices, most notably IoT endpoints, are secured via encryption so that sophisticated ransomware operators are not able to exploit them as attack vectors. 

The fact that the compromised webcam lacked an Endpoint Detection and Response (EDR) protection was a critical factor in the success of this attack, as largely due to its limited storage capacity, it could not cope with advanced security measures needed to defend itself. 

The Akira ransomware group exploited this vulnerability to deploy its Linux-based ransomware quickly from the compromised machine, encrypting files across the victim's network by using the Server Message Block protocol (SMB). As a result of this strategic approach, the attackers were able to operate covertly since malicious SMB traffic originating from the webcam was not detected by security systems, allowing them to evade detection by the organization's cybersecurity team. 

In light of these events, it is due to the growing necessity for comprehensive security protocols, in particular for securing Internet of Things (IoT) devices, that are more and more exploited as attack vectors by cyber criminals. A proactive cybersecurity approach is imperative to mitigate similar threats by ensuring that IoT devices are patched and managed, conducting regular vulnerability assessments within the organization's internal networks, and implementing robust network segmentation so that connected devices are limited in their ability to communicate. 

Further, turning off IoT devices when not in use can serve as a preventive measure against potential exploitation. To effectively defend against emerging threats, it is imperative to continuously monitor your network and implement robust security frameworks. As demonstrated by the Akira ransomware group, you must monitor your network constantly and implement robust security measures. With ransomware-as-a-service (RaaS) operations continuing to evolve at a rapid pace, organizations must remain vigilant, improving their cybersecurity strategies proactively to remain protected from increasingly sophisticated cyberattacks.
Read more »
Software Updates
AI Tool Antivirus Detection antivirus software cyber resilience Cyber Security CyberThreat EDR online threats Software Updates

Zero Trust Endpoint Security: The Future of Cyber Resilience

 

The evolution of cybersecurity has moved far beyond traditional antivirus software, which once served as the primary line of defense against online threats. Endpoint Detection and Response (EDR) tools emerged as a solution to combat the limitations of antivirus programs, particularly in addressing advanced threats like malware. However, even EDR tools have significant weaknesses, as they often detect threats only after they have infiltrated a system. The need for a proactive, zero trust endpoint security solution has become more evident to combat evolving cyber threats effectively. 

Traditional antivirus software struggled to keep up with the rapid creation and distribution of new malware. As a result, EDR tools were developed to identify malicious activity based on behavior rather than known code signatures. These tools have since been enhanced with artificial intelligence (AI) for improved accuracy, automated incident responses to mitigate damage promptly, and managed detection services for expert oversight. Despite these advancements, EDR solutions still act only after malware is active, potentially allowing significant harm before mitigation occurs. 

Cybercriminals now use sophisticated techniques, including AI-driven malware, to bypass detection systems. Traditional EDR tools often fail to recognize such threats until they are running within an environment. This reactive approach highlights a critical flaw: the inability to prevent attacks before they execute. Consequently, organizations are increasingly adopting zero trust security strategies, emphasizing proactive measures to block unauthorized actions entirely. Zero trust endpoint security enforces strict controls across applications, user access, data, and network traffic. 

Unlike blocklisting, which permits all actions except those explicitly banned, application allowlisting ensures that only pre-approved software can operate within a system. This approach prevents both known and unknown threats from executing, offering a more robust defense against ransomware and other cyberattacks. ThreatLocker exemplifies a zero trust security platform designed to address these gaps. Its proactive tools, including application allowlisting, ringfencing to limit software privileges, and storage control to secure sensitive data, provide comprehensive protection. 

ThreatLocker Detect enhances this approach by alerting organizations to indicators of compromise, ensuring swift responses to emerging threats. A recent case study highlights the efficacy of ThreatLocker’s solutions. In January 2024, a ransomware gang attempted to breach a hospital’s network using stolen credentials. ThreatLocker’s allowlisting feature blocked the attackers from executing unauthorized software, while storage controls prevented data theft. Despite gaining initial access, the cybercriminals were unable to carry out their attack due to ThreatLocker’s proactive defenses. 

As cyber threats become more sophisticated, relying solely on detection-based tools like EDR is no longer sufficient. Proactive measures, such as those provided by ThreatLocker, represent the future of endpoint security, ensuring that organizations can prevent attacks before they occur and maintain robust defenses against evolving cyber risks.
Read more »
Sophos report
BYOVD Attack Cyber Attacks EDR GitHub Malware Attack RansomHub Sophos Sophos report

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
Read more »
North Korean Hackers
American Firms Data Breach Data Theft EDR IT Sector North Korean Hackers

KnowBe4 Avoids Data Breach After Hiring North Korean Hacker


 

American cybersecurity firm KnowBe4 recently discovered that a new hire, brought on as a Principal Software Engineer, was actually a North Korean state actor. This individual attempted to install data-stealing malware on the company's devices, but the threat was identified and neutralised before any data breach occurred.

This incident is the testament to the persistent threat from North Korean operatives posing as IT professionals, a danger that the FBI has been warning about since 2023. North Korea has a well-organised network of IT workers who disguise their true identities to secure employment with American companies. The revenue generated by these infiltrators funds the country's weapons programs, cyber operations, and intelligence gathering.

How the Hacker Bypassed Checks

Before hiring the malicious actor, KnowBe4 conducted extensive background checks, verified references, and held four video interviews. Despite these precautions, the individual used a stolen U.S. identity and AI tools to create a fake profile picture that matched during the video calls. This deception enabled the hacker to bypass the initial vetting process.

On July 15, 2024, KnowBe4's Endpoint Detection and Response (EDR) system flagged an attempt to load malware from the Mac workstation recently issued to the new hire. The malware, designed to steal information stored in web browsers, was intended to capture any leftover credentials or data from the computer's previous user.

When confronted by KnowBe4's IT staff, the state actor initially offered excuses but soon ceased all communication.

Deceptive Hiring Practices

KnowBe4 CEO Stu Sjouwerman explained that the scheme involved tricking the company into sending the workstation to an "IT mule laptop farm" near the address provided by the fraudster. The hacker then used a VPN to connect to the device during U.S. working hours, making it seem like they were working as usual.

To prevent similar incidents, KnowBe4 advises companies to use isolated sandboxes for new hires, keeping them away from critical network areas. Additionally, firms should ensure that new employees' external devices are not used remotely and treat any inconsistencies in shipping addresses as potential red flags.

This incident at KnowBe4 zeroes in on the intricate  methods employed by North Korean hackers to infiltrate American companies. By staying vigilant and implementing robust security measures, firms can protect themselves from such threats.


Read more »
Subscribe to: Posts (Atom)