Showing posts with label Endpoint security.

Enterprise Monitoring Tool Misused by Ransomware Gang to Target Businesses


Enterprise networks are increasingly characterized by tools designed to enhance visibility and oversight, applications purchased in the name of productivity, compliance, and efficiency. Yet the same software entrusted with keeping workflows transparent is now being quietly redirected toward far more harmful purposes.

As ransomware operators weaponize commercially available monitoring and remote management platforms, they avoid traditional red flags and embed themselves within routine administrative traffic. The result is not immediate chaos but calculated persistence: silent access, continuous control, and the staging of systems for extortion and financial coercion. Huntress has published a technical analysis that illustrates the evolution of this tactic.

Huntress researchers found that attackers are no longer relying solely on custom malware to maintain access to systems. Instead, they are repurposing legitimate employee surveillance software and remote monitoring and management tools, turning passive oversight tools into active intrusion tools. This marks a subtle but significant evolution in ransomware tradecraft, as it becomes increasingly difficult to distinguish administrative utility from adversarial control.

As outlined in a February 2026 report, a threat actor associated with the Crazy ransomware gang used Net Monitor for Employees Professional, a commercially marketed workplace monitoring product, in tandem with SimpleHelp, a remote management platform. Together, these tools enabled far more than discreet observation of employees.

Attackers were able to control systems interactively, transfer files, and execute commands remotely, functions reminiscent of legitimate IT administration that quietly paved the way for the deployment of disruptive ransomware. Huntress investigators found that the operators consistently used Net Monitor for Employees Professional and SimpleHelp to secure low-noise, durable access to victim environments.

The monitoring agent was initially sideloaded with the legitimate Windows Installer utility, msiexec.exe, so that the malicious installation blended in with routine administrative processes. Once embedded, the agent provided complete access to victim desktops, allowing real-time screen surveillance, file transfers, and remote command execution without the behavioral anomalies commonly associated with custom backdoors.

The attackers used a scripted PowerShell command to install SimpleHelp, which was frequently renamed to mimic benign system artifacts such as VShost.exe or files related to OneDrive synchronization in order to strengthen persistence. This deliberate masquerading made cursory process reviews and endpoint inspections less likely to flag the tool. Researchers also observed attempts to weaken native defenses, including the disablement of Microsoft Defender protections.

In several cases the remote management client generated alerts related to cryptocurrency wallet activity or the presence of additional remote access utilities, an indication that the intrusions were not opportunistic reconnaissance alone, but preparatory steps aligned with ransomware deployment and the theft of assets.

Rather than disparate affiliates, correlated command-and-control endpoints and recurring filename conventions suggest that a single, coordinated operator is responsible for the incidents. The broader trend indicates a growing preference for legitimate remote management and monitoring software as an access vector, because such tools are so widely used in enterprise IT administration that their presence rarely raises immediate suspicion.

Initial compromise in the cases examined was caused by the exposure or theft of SSL VPN credentials, which enabled adversaries to authenticate into networks and then silently layer commercial management tools over that access. 

Observations such as these reinforce the need to enforce multi-factor authentication across all remote access services, as well as continuous monitoring controls designed to detect unauthorized deployments of remote management tools. Without such safeguards, adversaries can exploit trusted administrative frameworks to move laterally, persist, and eventually execute ransomware. The operational model observed in these intrusions has been seen before.

During 2025, DragonForce ransomware operators compromised a managed service provider and leveraged its SimpleHelp deployment to pivot into downstream customer environments. By using the MSP's own remote monitoring and management system, the attackers were able to conduct reconnaissance at scale without installing conspicuous malware.

The platform was used to enumerate user accounts, system configurations, and active network connections in order to exfiltrate sensitive data and deploy encryption payloads across client networks. Once subverted, trusted administrative infrastructure functions as a force multiplier, extending a single breach into multiple organizations.

Researchers have observed attackers configuring granular monitoring rules within SimpleHelp to track specific operational activities. The agent was configured to continuously search for cryptocurrency-related keywords tied to wallet applications, exchanges, blockchain explorers, and payment service providers, an indication that the operators were hunting for digital assets and potential financial targets.

It also monitored for references to remote access technologies such as RDP, AnyDesk, UltraViewer, TeamViewer, and VNC, so that the operators would know when legitimate administrators or incident responders connected to infected systems. Upon reviewing log data, investigators found that the agent repeatedly cycled through triggers and resets associated with these keyword sets, indicating automated surveillance that alerted operators to threats in near real time.

For redundancy, the threat actors maintained multiple remote access pathways so that control persisted even when one tool was identified and removed. This layered persistence aligns with a wider “living off the land” strategy, in which adversaries rely on legitimate, digitally signed software that is already trusted within the enterprise environment.

Remote support utilities and employee monitoring platforms are commonly used to monitor productivity, troubleshoot systems, and manage distributed workforces. These platforms offer built-in capabilities such as screen capture, keystroke logging, and file transfer.

When repurposed for malicious ends, their behavior closely mirrors sanctioned administrative activity, which complicates detection and reduces the forensic footprint typically associated with custom backdoors. The health care and managed services sectors are particularly exposed, since remote management frameworks there are often integrated into workflows supporting medical devices, telehealth systems, and electronic health record platforms.

If these tools are commandeered, attackers can gain privileged access to protected health information and critical infrastructure. The ransomware operators demonstrated a deliberate strategy for exploiting widely used RMM software: compromising authentication, blending into legitimate management channels, and expanding laterally through the very mechanisms organizations rely on for operational resilience.

Once deployed, the monitoring utility became a fully interactive remote access channel for the attackers. It allowed operators to monitor victim computers in real time, transfer files bidirectionally, and execute arbitrary commands, effectively assuming the role of local privileged users.

In several instances they ran the command net user administrator /active:yes to activate the built-in Windows Administrator account, consistent with privilege consolidation and fallback access planning. Through scripted PowerShell execution, the threat actors obtained and installed the SimpleHelp client, reinforcing persistence. The binary was frequently renamed to VShost.exe, mimicking the Microsoft Visual Studio hosting process, so that it resembled a legitimate development or system artifact.

It was also staged within directories made to look associated with OneDrive services, including C:/ProgramData/OneDriveSvc/OneDriveSvc.exe, reducing suspicion during routine administrative review. Once executed, the payload ensured continued remote connectivity even if the original employee monitoring agent was identified and removed. Huntress researchers observed attempts to weaken host-based defenses as well.

The attackers attempted to disable Microsoft Defender by stopping and deleting its related services, reducing real-time protection ahead of any encryption attempt. SimpleHelp’s monitoring policies were configured to generate alerts when cryptocurrency wallets were accessed or remote management tools were invoked, behavior which suggests both reconnaissance preparation and a desire to detect potential incident response activity.

Log telemetry shows that the agent repeatedly triggered on keywords associated with wallets, cryptocurrency exchanges, blockchain explorers, and payment platforms, while simultaneously flagging references to RDP, AnyDesk, UltraViewer, TeamViewer, and VNC sessions.

Using multiple remote access mechanisms at once gave the operators redundancy: when one channel was disrupted, the alternatives kept the intruders in control of the network.

Although only one of the documented intrusions resulted in the deployment of the Crazy ransomware gang's encryptor, the overlap in command-and-control infrastructure and the reuse of distinctive filenames such as vhost.exe across incidents strongly suggest a single operator or coordinated group.

Because remote monitoring and support tools are so widely used within enterprise environments, their network traffic and process behavior tend to align with sanctioned IT operations. This reflects a larger shift in ransomware tradecraft toward the strategic abuse of legitimate administrative software, with the result that malicious activity can remain concealed within routine management processes.

To identify unauthorized deployments, Huntress suggests that organizations implement strict oversight over the installation and execution of remote monitoring utilities, for example by correlating endpoint telemetry with change management logs. Because both breaches originated from compromised SSL VPN credentials, enforcing multi-factor authentication across all remote access services remains a foundational control against adversarial persistence following initial entry.
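The correlation Huntress recommends, as an added example that is not Huntress tooling or code from the report: a small Python detection sketch run over constructed process telemetry, flagging the chain seen in these intrusions (an RMM install with no change ticket, a client masquerading as VShost.exe or a OneDrive service, the built-in Administrator being enabled, Defender services being stopped). The line format, host names, MSI file names and the change-management records are assumptions; WinDefend and WdNisSvc are the standard Defender service names.

```python
"""Detection sketch: flag the RMM-abuse chain described above in endpoint
process telemetry and correlate tool installs with change-management records.

Added example for this post, not Huntress tooling. The telemetry line format,
the MSI file names, the change-management records and the host names are
constructed assumptions; the Defender service names are the standard ones.
"""
import re
from dataclasses import dataclass

# Constructed process-creation telemetry: host | parent image | image | command line
SAMPLE_TELEMETRY = """\
WS-0142|explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i netmonitor_agent.msi /qn
WS-0142|powershell.exe|C:\\ProgramData\\OneDriveSvc\\OneDriveSvc.exe|OneDriveSvc.exe
WS-0142|cmd.exe|C:\\Windows\\System32\\net.exe|net user administrator /active:yes
WS-0142|cmd.exe|C:\\Windows\\System32\\sc.exe|sc stop WinDefend
WS-0077|powershell.exe|C:\\Users\\Public\\VShost.exe|VShost.exe
SRV-IT01|explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i simplehelp_client.msi /qn
WS-0201|explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n
"""

# Constructed change-management records: (host, tool) pairs covered by a ticket.
APPROVED_DEPLOYMENTS = {("SRV-IT01", "simplehelp")}

# Indicators taken from the intrusion narrative above.
RMM_INSTALL = re.compile(r"msiexec\.exe\s+/i\s+\S*?(netmonitor|simplehelp)", re.I)
MASQUERADE = re.compile(r"[\\/](?:vs?host\.exe|OneDriveSvc[\\/]OneDriveSvc\.exe)$", re.I)
ADMIN_ENABLE = re.compile(r"\bnet\s+user\s+administrator\s+/active:yes\b", re.I)
DEFENDER_TAMPER = re.compile(r"\bsc\s+(?:stop|delete)\s+(?:WinDefend|WdNisSvc)\b", re.I)


@dataclass
class Event:
    host: str
    parent: str
    image: str
    cmdline: str


def parse_events(text):
    """Parse the pipe-separated telemetry lines into Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            host, parent, image, cmdline = line.split("|", 3)
            events.append(Event(host, parent, image, cmdline))
    return events


def classify(ev, approved):
    """Return the rule names a single event trips; an empty list means benign."""
    hits = []
    m = RMM_INSTALL.search(ev.cmdline)
    if m:
        tool = m.group(1).lower()
        # Correlation step: an RMM install is only a finding when no change
        # ticket covers that tool on that host.
        if (ev.host, tool) not in approved:
            hits.append(f"unapproved_rmm_install:{tool}")
    # Renamed client posing as VShost.exe/vhost.exe or as a OneDrive service.
    # A real Visual Studio hosting process lives under a project's bin folder,
    # so a production sensor would also check the path and the signer.
    if MASQUERADE.search(ev.image):
        hits.append("rmm_masquerade")
    if ADMIN_ENABLE.search(ev.cmdline):
        hits.append("builtin_admin_enabled")
    if DEFENDER_TAMPER.search(ev.cmdline):
        hits.append("defender_tamper")
    return hits


def scan(text, approved):
    """Map each host to the list of rules its events tripped."""
    findings = {}
    for ev in parse_events(text):
        for rule in classify(ev, approved):
            findings.setdefault(ev.host, []).append(rule)
    return findings


def hosts_to_escalate(findings, min_rules=2):
    """Hosts tripping several distinct rules show the layered pattern (install,
    masquerade, admin fallback, Defender tampering) and warrant IR escalation."""
    return sorted(h for h, rules in findings.items() if len(set(rules)) >= min_rules)


if __name__ == "__main__":
    result = scan(SAMPLE_TELEMETRY, APPROVED_DEPLOYMENTS)
    for host, rules in result.items():
        print(host, sorted(set(rules)))
    print("escalate:", hosts_to_escalate(result))
```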

All of these incidents illustrate a structural weakness in modern enterprise security models: trust in administrative tools is generally not scrutinized the way unfamiliar executables or overt malware are. As ransomware groups continue to operationalize legitimate remote management frameworks, defensive strategies must expand beyond signature-based detection and perimeter controls.

A mature security program will treat unauthorized RMM deployment as a high-severity event, enforce strict governance over access to administrative utilities, and perform behavioral monitoring to distinguish sanctioned IT activity from anomalous control patterns in the network.

It is also critical to harden authentication pathways, limit credential exposure, and segment high-value systems to reduce the blast radius of a compromise. In an environment where adversaries increasingly blend into routine operations, resilience comes not from blocking every tool but from validating every instance of trust.

eScan Antivirus Faces Scrutiny After Compromised Update Distribution


MicroWorld Technologies has acknowledged a breach of its update distribution infrastructure: a server used to deliver eScan antivirus updates to end users was compromised and then used to push an unauthorized file to those users.

The incident reportedly took place within a narrow two-hour window on January 20, 2026, in a single regional update cluster. It was confined to that cluster and affected only a small fraction of customers, those who downloaded updates during that period.

Analysis of the file confirmed that it was malicious, demonstrating how even tightly controlled security ecosystems can be compromised when their trust mechanisms are attacked.

Although MicroWorld reports that the affected systems were swiftly isolated, rebuilt from clean baselines, and secured through credential rotation and customer remediation within hours, the episode took place against a backdrop of continually escalating cyber risk.

The first few weeks of January 2026 saw an unprecedented convergence of high-impact events, beginning with a major supply chain breach involving a global antivirus vendor, followed by a technical assault against a European power grid and the revelation of fresh vulnerabilities in artificial intelligence-driven systems.

These developments have fuelled industry concern that the traditional division between defensive software and offensive attack surfaces is eroding, forcing organizations to revisit long-standing assumptions about where trust begins and ends in their security architectures.

According to further technical analysis, eScan's compromised update channel was used directly to deliver the previously unknown malware, effectively weaponizing a trusted distribution channel.

A report indicated that multiple security platforms detected and blocked attempted attacks associated with the malicious file on the day of its distribution, prompting rapid external scrutiny. MicroWorld Technologies indicated that the incident was identified internally on January 20 through a combination of monitoring alerts and customer reports, with the affected infrastructure isolated within an hour of identification.

The company issued a security advisory the following day, January 21, once the attack was under control and the situation had been stabilised. Although cybersecurity firm Morphisec later revealed that it had alerted eScan during its own investigation, MicroWorld maintains that containment efforts were already underway when that communication took place.

The company disputes any suggestion that customers were not informed, citing proactive notifications and direct outreach as part of its remediation process.

The malicious update was launched by a file called Reload.exe, which set off a multi-stage infection sequence on the affected systems.

The researchers who conducted the initial analysis reported that the executable modified the local HOSTS file to prevent the delivery of corrective updates from eScan update servers, which led to a number of client machines experiencing update service errors.

Beyond disrupting updates, the malware established persistence by creating scheduled tasks, such as CorelDefrag, and maintained communication with external command-and-control infrastructure to retrieve additional payloads.

During the infection process a secondary malicious component called consctlx.exe was also written to the operating system, further embedding the threat. Morphisec, an endpoint security company, provided deeper technical insight into the underlying mechanism and intent of the malicious update distributed through eScan's trusted infrastructure.

As Morphisec stated in its security bulletin, the compromised update package contained a modified version of the eScan update component Reload.exe, distributed to both enterprise and consumer environments via legitimate update channels.

Although the binary appeared to be signed with eScan's code signing certificate, validation checks by Windows and by independent analysis platforms showed that the signature was not valid, raising concerns about certificate integrity and abuse of trusted signing processes. Morphisec's analysis found that the altered Reload.exe functions as a loader for a multi-stage malware framework.

When executed, the component establishes persistence on infected machines, executes arbitrary commands, and alters the Windows HOSTS file to block access to eScan's update servers, so that corrective updates cannot reach the machine through routine update mechanisms.

The malware also began communicating outward with a distributed command-and-control infrastructure, allowing it to download additional payloads from a variety of domains and IP addresses.

According to Morphisec, the final stage of the attack chain involved the deployment of a second executable, CONSCTLX.exe. This secondary executable acted as both a backdoor and a persistent downloader.

Designed to maintain long-term access, this component created scheduled tasks with benign-sounding names like CorelDefrag, chosen to avoid casual inspection while ensuring execution across restarts.

In response, MicroWorld Technologies developed a remediation utility specifically intended to identify and reverse the unauthorized changes introduced by the malicious update. The company states that the tool restores normal update functionality, verifies a successful cleanup, and requires only a standard reboot to complete.

Both eScan and Morphisec have advised customers to take additional network-level measures during recovery by blocking the command-and-control endpoints associated with the campaign, cutting off further malicious communication.

The incident has also renewed industry concern about the recurring exploitation of antivirus update mechanisms. In 2024, North Korean threat actors exploited eScan’s update process to install backdoors inside corporate networks, illustrating again how security infrastructure remains one of the most attractive targets for state-sponsored attackers, particularly those seeking large volumes of information.

This breach is part of a wider pattern of consequential supply chain incidents in early 2026, ranging from destructive malware targeting European energy systems to large-scale intellectual property theft and emerging AI-driven attack tactics.

These events also point to a persistent strategic reality: organizations are increasingly dependent on trusted vendors and automated update pipelines, and when that trust is compromised, defensive technologies themselves can become vectors of systemic risk across the digital ecosystem.

In an industry context, the incident is notable for the unusual delivery method. Although software supply chain compromises have been a growing problem over the past few years, deploying malware through a security product’s own update channel remains uncommon.

Analysis of the implants indicates significant preparation and good knowledge of the target environment. A successful operation required the attackers to gain access to eScan’s update infrastructure, reverse engineer aspects of its update workflow, and develop custom malware components designed specifically to function within that ecosystem.

Such prerequisites suggest a deliberate, resource-intensive effort rather than a purely opportunistic one. A technical examination of the implanted components also revealed resilience features designed to keep attacker access intact under adverse conditions.

The malware implemented multiple fallback execution paths so that continuity would be maintained even if individual persistence mechanisms were disrupted. In one instance, removing the scheduled task used to launch a PowerShell payload was not sufficient to neutralize the infection, since the CONSCTLX.exe component could also invoke the same functionality.

Likewise, blocking the command-and-control infrastructure associated with the PowerShell stage did not eliminate the attacker's capabilities, as CONSCTLX.exe retained the ability to deliver shellcode directly to affected systems. These design choices highlight operational redundancy, one of the hallmarks of well-planned intrusion campaigns.

Despite the sophistication evident in the attack's preparation, its impact was limited by its relatively short duration and by the techniques the attackers chose.

Modern operating systems grant security software an elevated level of trust, which in theory gives attackers the option of more intrusive methods, including kernel-mode implants.

In this case, however, the attackers relied on user-mode components and commonly observed persistence mechanisms, such as scheduled tasks, which constrained the operation's stealth and contributed to its relatively quick detection and containment, according to analysts. 

Notably, the behavioral indicators in eScan's advisory closely correspond with those Morphisec found independently. Both parties rated the incident as medium-to-high impact for the enterprise environments in question. The episode has also revealed tensions between vendor and researcher disclosures.

As reported by Bloomberg News, MicroWorld Technologies has publicly challenged parts of Morphisec's reporting, claiming some of it was inaccurate, and is understood to be seeking legal advice in response.

Operationally, eScan advised customers to conduct targeted checks to determine whether systems were affected, including reviewing scheduled tasks for anomalous entries, inspecting the system HOSTS file for blocked eScan domains, and reviewing update logs from January 20 for irregularities.
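Two of the three checks eScan recommends (the HOSTS file and scheduled tasks), as an added Python example that is not the vendor's remediation utility or Morphisec's tooling, run over constructed input: the HOSTS entries, the task listing format, the task action paths and the hostnames ending in escan.example are all placeholders, while CorelDefrag and consctlx.exe are the names from the incident.

```python
"""Triage sketch for the eScan update incident: look for a HOSTS file that
null-routes the vendor's update servers and for scheduled tasks tied to the
malicious update.

Added example for this post, not eScan's or Morphisec's tooling. The HOSTS
entries, task listing format and file paths below are constructed; the
"*.escan.example" hostnames are placeholders, not the vendor's real servers.
"""

# Addresses that turn a HOSTS entry into a block rather than a redirect.
NULL_ROUTE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Names taken from the incident narrative above: the scheduled task the
# loader created and the second-stage executable it dropped.
KNOWN_TASK_NAMES = {"coreldefrag"}
KNOWN_BINARIES = {"consctlx.exe"}

# Constructed sample HOSTS file (placeholder vendor hostnames).
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.escan.example      # placeholder for a vendor update host
127.0.0.1       download.escan.example    # placeholder for a vendor update host
192.0.2.10      intranet.corp.example
"""

# Constructed task listing: task path | action (image plus arguments) | author.
# Image paths are assumed to contain no spaces; the action paths are placeholders.
SAMPLE_TASKS = """\
\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|C:\\Windows\\System32\\defrag.exe -c|Microsoft Corporation
\\CorelDefrag|C:\\ProgramData\\Corel\\launch.exe|
\\Maintenance\\ConsoleCtl|C:\\ProgramData\\Corel\\consctlx.exe --svc|
\\BackupNightly|C:\\Tools\\backup.exe --full|CORP\\itadmin
"""


def blocked_vendor_hosts(hosts_text, vendor_keyword="escan"):
    """Return (address, hostname) pairs where a vendor hostname is null-routed."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in NULL_ROUTE_ADDRS:
            continue
        for name in names:
            if vendor_keyword in name.lower():
                hits.append((addr, name))
    return hits


def suspicious_tasks(tasks_text):
    """Return (task_path, reason) for tasks matching a known name or binary."""
    findings = []
    for raw in tasks_text.splitlines():
        if not raw.strip():
            continue
        path, action, _author = raw.split("|", 2)
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_TASK_NAMES:
            findings.append((path, "known_task_name"))
        # First token of the action is the image; compare its file name only.
        image = action.split()[0].rsplit("\\", 1)[-1].lower()
        if image in KNOWN_BINARIES:
            findings.append((path, "known_binary"))
    return findings


def triage(hosts_text, tasks_text):
    """Combine both checks into one verdict for a host."""
    hosts = blocked_vendor_hosts(hosts_text)
    tasks = suspicious_tasks(tasks_text)
    return {"blocked_vendor_hosts": hosts, "suspicious_tasks": tasks,
            "needs_remediation": bool(hosts or tasks)}


if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_TASKS))
```

Because the narrative notes that CONSCTLX.exe can re-launch the PowerShell stage on its own, a positive result here is a reason to run the vendor's remediation utility rather than to delete the task by hand.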

A remediation utility has been released by the company and is available through its technical support channels. This utility is designed to remove malicious components, reverse unauthorized changes, and restore normal update functionality. 

Customers are also advised to block known command-and-control addresses associated with this campaign as a precaution, reinforcing the lesson of the incident: even highly trusted security infrastructure must be continually examined as a potential attack surface in a rapidly changing threat environment.

MostereRAT Malware Leverages Evasion Tactics to Foil Defenders

 


Even as cybercrime has grown increasingly sophisticated, security researchers have uncovered a stealthy phishing campaign deploying a powerful malware strain called MostereRAT. This remote access trojan gives attackers full control of infected systems, as though they were sitting at the keyboard.

Fortinet's FortiGuard Labs recently revealed that the campaign uses an array of advanced evasion techniques to bypass traditional defenses and remain undetected for extended periods. The operation is characterized by its unconventional use of Easy Programming Language (EPL), a Chinese visual programming language that is seldom seen in such operations.

EPL was used to construct staged payloads, obscure malicious activity, and systematically disable security systems. Researchers report that the phishing emails, primarily targeted at Japanese users with business-related lures, lead victims to booby-trapped documents embedded within ZIP archives, ultimately enabling the deployment of MostereRAT.

Designed to siphon sensitive information, the malware is notably sophisticated: once inside a computer it extends its reach by installing secondary plugins, secures its communication with mutual TLS (mTLS), and even installs additional remote access utilities, highlighting the campaign's calculated design and its dangerous adaptability once it enters a system.

FortiGuard Labs, which identified the threat, believes the campaign distinguishes itself through a layered approach to advanced evasion that makes it very difficult to detect. Notably, the code is written in Easy Programming Language (EPL), a simplified Chinese-based programming language rarely used in cyberattacks, and the attackers conceal the malicious activity by staging the payload in multiple steps.

When deployed on an enterprise network, MostereRAT can disable security tools, block antivirus traffic, and establish encrypted communications with its command-and-control (C2) infrastructure, using mutual TLS (mTLS). Infection chains begin with phishing emails crafted to look like legitimate business inquiries, with a particular emphasis on Japanese users.

These messages direct unsuspecting recipients to download a Microsoft Word file that contains a hidden ZIP archive, which in turn executes a hidden payload. The payload decrypts the executable's components, installs them in the system directory, and sets up persistence mechanisms, some of which operate with SYSTEM-level privileges, to maximize control.

To further disguise its presence, the malware displays a deceptive message in Simplified Chinese claiming that the file is incompatible, deflecting suspicion while encouraging recipients to try opening the file another way. Researchers also noted that the attack flows and associated C2 domains trace back to infrastructure first reported by a security researcher in 2020 as part of a banking trojan.

Since then, the threat has evolved into a fully-fledged remote access trojan called MostereRAT.

Yurren Wan, a researcher at FortiGuard Labs, rated the campaign as high severity, primarily because it integrates multiple advanced techniques that allow adversaries to stay undetected while maintaining complete control of compromised systems.

By disabling security defenses and disguising their activity behind legitimate remote access tools, attackers are able to operate in plain sight. Wan noted that one of the most distinctive aspects of this campaign is its use of unconventional methods: it is coded in Easy Programming Language (EPL), intercepts and blocks antivirus traffic at the network level, and can even escalate privileges to the level of TrustedInstaller, capabilities rarely found in standard malware attacks.

Once active on a target system, MostereRAT can record keystrokes, exfiltrate sensitive data, create hidden administrator accounts, and use tools such as AnyDesk and TightVNC to maintain long-term persistence. According to Wan, defending against such intrusions requires a layered approach that combines advanced technical safeguards with sustained user awareness.

He added that companies should ensure their FortiGate, FortiClient, and FortiMail deployments carry the latest FortiGuard security updates, while channel partners can help by guiding customers toward a managed detection and response (MDR) strategy and encouraging them to take advantage of training such as the free Fortinet Certified Fundamentals (FCF) course.

Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, emphasized that browser security is a crucial line of defense against the phishing emails at the heart of the campaign. Meanwhile, restricting automatic downloads and tightening user privilege controls can significantly reduce the risk of escalation to SYSTEM or TrustedInstaller. Once installed, MostereRAT uses multiple techniques to undermine the computer's security.

MostereRAT disables Microsoft updates, terminates antivirus processes, and prevents security software from communicating with its servers. By impersonating the highly privileged TrustedInstaller account, the malware escalates privileges, allowing attackers to take over the system almost completely.

James Maude, acting chief technology officer at BeyondTrust, explained that by combining an obscure scripting language with trusted remote access tools, the campaign relies on exploiting overprivileged users and endpoints that lack strong application control.

MostereRAT maintains extensive lists of targeted security products, including 360 Safe, Kingsoft Antivirus, Tencent PC Manager, Windows Defender, ESET, Avira, Avast, and Malwarebytes. It uses Windows Filtering Platform (WFP) filters to block network traffic from these tools, effectively preventing them from reaching their vendors' servers to send detection alerts or telemetry.

Researchers also found that another of the malware's core modules, elsedll.db, provides robust remote access using mutual TLS (mTLS) authentication and supports 37 distinct commands, ranging from file manipulation and payload delivery to screen capture and user identification. Particularly concerning, the malware deliberately installs and configures legitimate tools such as AnyDesk, TightVNC, and RDP Wrapper to create hidden backdoors for long-term use.

To keep exclusive control over these utilities, the attackers stealthily modify the registry, conceal the tools as much as possible, and remain invisible to system users. Experts warn that the campaign marks an important evolution in remote access trojans, combining advanced evasion techniques, social engineering, and legitimate tool abuse to achieve persistent compromise, and it highlights the importance of strict endpoint controls and ongoing user awareness training.

The discovery of MostereRAT underscores a significant evolution in cybercriminal operations: attackers have moved beyond rudimentary malware to sophisticated campaigns that combine technical innovation with careful planning. For companies, the real challenge is not only to deploy updated security products but also to adopt a layered, forward-looking defense strategy that anticipates such threats before they become a problem. 

Measures such as tightening user privilege policies, improving browser security, and increasing endpoint visibility can help minimize exposure; however, regular awareness programs remain crucial to reduce the success rate of phishing lures. 

Furthermore, by partnering with managed security providers, organizations can gain access to expertise in detection, response, and continuous monitoring that most organizations find difficult to maintain in-house. Adversaries will clearly continue to exploit overlooked vulnerabilities and legitimate tools to their advantage, which is why threats like MostereRAT are on the rise. 

In this environment, resilient defenses and cyber capabilities require more than reactive fixes; they require a culture of preparedness, disciplined operational practices, and a commitment to staying one step ahead in a threat landscape that continues to grow rapidly.

Chinese APT40 Can Exploit Flaws Within Hours of Public Release

A joint government advisory claims that APT40, a Chinese state-sponsored actor, is focusing on recently discovered software vulnerabilities in an attempt to exploit them in a matter of hours.

The advisory, authored by the Cybersecurity and Infrastructure Security Agency, FBI, and National Security Agency in the United States, as well as government agencies in Australia, the UK, Canada, New Zealand, Germany, South Korea, and Japan, stated that the cyber group has targeted organisations in a variety of arenas, employing techniques commonly employed by other state-sponsored actors in China. It has often targeted Australian networks, for instance, and remains a threat, the agencies warned. 

Rather than using strategies that require user interaction, the group seems to prefer exploiting vulnerable, public-facing infrastructure and prioritising the collection of valid credentials. It frequently latches onto public exploits as soon as they become available, creating a "patching race" for organisations. 

"The focus on public-facing infrastructure is interesting. It shows they're looking for the path of least resistance; why bother with elaborate phishing campaigns when you can just hit exposed vulnerabilities directly?" stated Tal Mandel Bar, product manager at DoControl. 

The APT targets newly disclosed flaws, but it also has access to a large number of older exploits, according to the agencies. As a result, a comprehensive vulnerability management effort is necessary.

Comprehensive reconnaissance efforts 

APT40 conducts reconnaissance against networks of interest on a regular basis, "including networks in the authoring agencies' countries, looking for opportunities to compromise its targets," according to the joint advisory. The group then employs Web shells for persistence and focuses on extracting data from sensitive repositories.

"The data stolen by APT40 serves dual purposes: It is used for state espionage and subsequently transferred to Chinese companies," Chris Grove, director of cybersecurity strategy at Nozomi Networks, stated. "Organizations with critical data or operations should take these government warnings seriously and strengthen their defenses accordingly. One capability that assists defenders in hunting down these types of threats is advanced anomaly detection systems, acting as intrusion detection for attackers able to 'live off the land' and avoid deploying malware that would reveal their presence." 

APT40's methods have also advanced: the group now uses compromised endpoints such as small-office/home-office (SOHO) devices for its operations, allowing security agencies to better track it. This approach, also seen with Volt Typhoon, is just one of many aspects of the group's operation that resemble other China-backed threat groups, including Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, the advisory reads. 

The advisory provides mitigating approaches for APT40's four major types of tactics, techniques, and procedures (TTPs), which include initial access, execution, persistence, and privilege escalation.

From Courtroom to Cyber Threat: The JAVS Viewer 8 Incident

Hackers have broken into a popular brand of recording software used in courtrooms, jails, and prisons, allowing them to obtain complete control of the system via a backdoor implanted in an update to the application.

Software and its purpose

Justice AV Solutions (JAVS) uses its technologies to capture events such as lectures, court proceedings, and council meetings, and they have over 10,000 installations worldwide. It is available for download from the vendor's website and is a Windows installer package. 

The discovery 

However, the company announced this week that it had uncovered a security flaw in an earlier version of its JAVS Viewer program.

Through continuing monitoring and consultation with cyber authorities, the company discovered attempts to replace its Viewer 8.3.7 software with a tainted file.

The company removed all versions of Viewer 8.3.7 from the JAVS website, changed all passwords, and thoroughly assessed all JAVS systems. It also determined that all currently available files on the JAVS.com website are legitimate and free of malware. The company also confirmed that no JAVS source code, certificates, systems, or other software releases were affected during this event.

The backdoor

The malicious file, which contained malware, "did not originate from JAVS or any third party associated with JAVS," and the business advised users to ensure that any software they installed was digitally signed.

Rapid7, a cybersecurity firm, published an investigation of the vulnerability on Thursday, revealing that the compromised JAVS Viewer program — which opens media and log files in the suite — contains a backdoored installer that allows attackers full access to an infected system. 

Installation and communication

The malware sends data about the host machine to the threat actors' command-and-control (C2) servers. Rapid7 identified the bug as CVE-2024-4978 and stated that it collaborated with the CISA to coordinate the disclosure of the problem. 

Rapid7 stated that the malicious copies of the software were signed by "Vanguard Tech Limited," which is reportedly headquartered in London. 

Rapid7's alert emphasized the importance of reimaging all endpoints where the software was installed, as well as resetting credentials in web browsers and on any accounts authenticated to impacted endpoints, both local and remote. 

Data harvesting

Simply uninstalling the software is insufficient, as attackers could have installed further backdoors or malware. The researchers wrote that reimaging allows for a fresh start.

"It is important to completely re-image compromised endpoints and reset associated passwords to guarantee that attackers have not persisted via backdoors or stolen credentials." 

A threat intelligence researcher originally raised the matter on X (previously Twitter) in April, claiming that "malware is being hosted on the official website of JAVS." 

On May 10, Rapid7 responded to a client's system warning and traced an infection to an installer downloaded from the JAVS website. The malicious file that the victim had downloaded appears to have been withdrawn from the website, and it is unclear who did so. 

Additional malware

A few days later, the researchers uncovered another installer file carrying malware on the JAVS website. 

Software updates have become a focus in cybersecurity because end users frequently click "update" when requested, or they have them enabled automatically. 

Several firms, most notably SolarWinds and 3CX, have grappled with nation-state intrusions that used the update process to secretly implant malware. 

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Recently found malware uses advanced techniques to defeat antivirus safeguards, delete signs of infection, and permanently infect devices with cryptocurrency-mining software, experts said. 

"The first goal of the GhostEngine malware is to disable endpoint security solutions and specific Windows event logs, such as Security and System logs, which record process creation and service registration," said Elastic Security Labs researchers, who found the attacks.

The Anatomy of GhostEngine

  • Targeting Endpoint Security Solutions: GhostEngine specifically aims at endpoint security solutions, which include antivirus software, intrusion detection systems, and endpoint detection and response (EDR) tools. By disabling these defenses, the attackers gain a foothold within the victim’s system.
  • Driver Exploitation: The attack exploits vulnerable drivers from popular security software providers, such as Avast and IOBit. These drivers are essential for communication between the operating system and hardware components. GhostEngine manipulates them to gain access to the kernel, a privileged area of the system.
  • Silent Disabling of EDR: Once inside, GhostEngine silently disables the EDR system. This step is crucial because EDR tools monitor system behavior, detect anomalies, and respond to threats. By neutralizing EDR, GhostEngine ensures that its activities remain undetected.
  • Cryptocurrency Mining Payload: With the defenses down, GhostEngine deploys its payload: XMRig, a popular Monero (XMR) mining software. Monero is favored by cybercriminals due to its privacy features, making it difficult to trace transactions. The compromised system becomes a silent miner, contributing computational power to the attacker’s mining pool.

About GhostEngine

A function in the primary payload called GhostEngine disables Microsoft Defender or any other antivirus or endpoint security software that may be running on the targeted computer, which is critical to the extraordinarily complicated malware system's operation. It also masks any signs of compromise. 

When GhostEngine first starts, it checks the machine for any endpoint detection and response (EDR) software that may be running. If it detects any, it loads drivers known to have vulnerabilities that allow attackers to gain access to the kernel, which is otherwise severely restricted to prevent manipulation. 

Modus operandi

One of the susceptible drivers is Avast's anti-rootkit driver aswArPots.sys, which GhostEngine uses to shut down the EDR security agent. A malicious file named smartscreen.exe then deletes the security agent binary using the IObit driver iobitunlockers.sys.

Once the susceptible drivers are loaded, detection opportunities diminish drastically, and businesses must identify affected endpoints that stop submitting logs to their security information and event management (SIEM) system, according to the researchers. Their research is consistent with recent findings from Antiy.

After the EDR has been terminated, smartscreen.exe downloads and installs XMRig, a genuine tool for mining the Monero cryptocurrency, which is frequently abused by threat actors. A configuration file is included, which causes all money generated to be put into an attacker-controlled wallet.

The infection chain begins with the execution of a malicious binary masquerading as the genuine Windows file TiWorker.exe. That file executes a PowerShell script that obtains an obfuscated script called get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server.

File execution to enable the virus

GhostEngine also executes various files that enable the virus to become persistent, which means it loads every time the infected machine restarts. 

To accomplish this, get.png creates the following scheduled tasks running as SYSTEM, the highest privilege level in Windows:

  • OneDriveCloudSync uses msdtc to start the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes.
  • DefaultBrowserUpdate will launch C:\Users\Public\run.bat, which downloads and executes the get.png script every 60 minutes.
  • OneDriveCloudBackup will run C:\Windows\Fonts\smartsscreen.exe every 40 minutes.
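As an added example (not Elastic's or the page's own code), the script below applies the two detection ideas from this section to constructed data: it flags scheduled-task records that match the SYSTEM-level persistence pattern listed above (launch from an unusual directory, msdtc loading oci.dll, short repeat interval) and lists endpoints whose logs have gone quiet. The host names, timestamps and task records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed records in the shape of a "scheduled task created" event:
# which host, the task name, the account it runs as, what it launches and
# how often it repeats. The first three mirror the tasks listed above.
SAMPLE_TASKS = [
    {"host": "ws01", "name": "OneDriveCloudSync", "user": "SYSTEM",
     "command": r"C:\Windows\System32\msdtc.exe",
     "args": r"C:\Windows\System32\oci.dll", "interval_min": 20},
    {"host": "ws01", "name": "DefaultBrowserUpdate", "user": "SYSTEM",
     "command": r"C:\Users\Public\run.bat", "args": "", "interval_min": 60},
    {"host": "ws02", "name": "OneDriveCloudBackup", "user": "SYSTEM",
     "command": r"C:\Windows\Fonts\smartsscreen.exe", "args": "",
     "interval_min": 40},
    # A benign SYSTEM task for contrast: vendor path, no indicators.
    {"host": "ws03", "name": "GoogleUpdateTaskMachineUA", "user": "SYSTEM",
     "command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "args": "/ua /installsource scheduler", "interval_min": 60},
]

# Directories a SYSTEM task has little reason to execute from (user-writable
# or otherwise unusual, as with the Public and Fonts folders above).
UNUSUAL_DIRS = ("c:\\users\\public\\", "c:\\windows\\fonts\\",
                "c:\\windows\\temp\\", "c:\\programdata\\")


def task_indicators(task):
    """Return the list of reasons a task record resembles GhostEngine-style
    persistence; an empty list means no indicator matched."""
    reasons = []
    cmd = task["command"].lower()
    args = task["args"].lower()
    if task["user"].upper() == "SYSTEM" and cmd.startswith(UNUSUAL_DIRS):
        reasons.append("SYSTEM task executes from an unusual directory")
    # msdtc.exe started with oci.dll is the service-DLL trick described above.
    if cmd.endswith("\\msdtc.exe") and "oci.dll" in args:
        reasons.append("msdtc used to load oci.dll")
    # A short repeat interval only matters alongside another indicator.
    if reasons and task["interval_min"] <= 60:
        reasons.append(f"re-runs every {task['interval_min']} minutes as {task['user']}")
    return reasons


def flag_tasks(tasks):
    """Map task name -> reasons for every task with at least one indicator."""
    flagged = {}
    for task in tasks:
        reasons = task_indicators(task)
        if reasons:
            flagged[task["name"]] = reasons
    return flagged


# Constructed "last event received" time per host, as a SIEM would track it.
NOW = datetime(2024, 5, 22, 12, 0)
LAST_SEEN = {
    "ws01": NOW - timedelta(minutes=5),
    "ws02": NOW - timedelta(hours=3),   # went quiet after the agent was killed
    "ws03": NOW - timedelta(minutes=12),
}


def silent_hosts(last_seen, now=NOW, max_gap=timedelta(minutes=30)):
    """Hosts whose most recent log event is older than max_gap. These are the
    endpoints to check first: a killed EDR agent looks like silence, not an alert."""
    return sorted(host for host, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    for name, reasons in flag_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("silent hosts:", silent_hosts(LAST_SEEN))
```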

Why GhostEngine Matters

  • Financial Gain: GhostEngine’s primary motive is financial. By harnessing the victim’s computing resources, the attackers mine Monero, potentially yielding substantial profits. The longer the attack remains undetected, the more cryptocurrency they accumulate.
  • Resource Drain: Cryptojacking strains system resources—CPU, memory, and electricity—leading to slower performance and increased energy bills. Users may notice sluggishness but remain unaware of the underlying cause.
  • Corporate Impact: In corporate environments, widespread cryptojacking can disrupt business operations. Overloaded systems affect productivity, and IT teams must allocate resources to investigate and remediate the issue.

How LLMs with Endpoint Data Boost Cybersecurity


The issue of capturing weak signals across endpoints and predicting possible patterns of intrusion attempts is ideally suited for Large Language Models (LLMs). The objective is to mine attack data in order to improve LLMs and models and discover new threat patterns and correlations.

Recently, some of the top endpoint detection and response (EDR) and extended detection and response (XDR) vendors were seen taking on the challenge. 

Palo Alto Networks' chairman and CEO Nikesh Arora says, "We collect the most amount of endpoint data in the industry from our XDR. We collect almost 200 megabytes per endpoint, which is, in many cases, 10 to 20 times more than most of the industry participants. Why do you do that? Because we take that raw data and cross-correlate or enhance most of our firewalls, we apply attack surface management with applied automation using XDR." 

Co-founder and CEO of Crowdstrike, George Kurtz stated at the company’s annual Fal.Con event last year, “One of the areas that we’ve really pioneered is that we can take weak signals from across different endpoints. And we can link these together to find novel detections. We’re now extending that to our third-party partners so that we can look at other weak signals across not only endpoints but across domains and come up with a novel detection.” 

It has been demonstrated that XDR can produce better signals with less noise. Broadcom, Cisco, CrowdStrike, Fortinet, Microsoft, Palo Alto Networks, SentinelOne, Sophos, TEHTRIS, Trend Micro, and VMware are among the top providers of XDR platforms.

Why Are LLMs the New Key Element of Endpoint Security?

Endpoint security will evolve as telemetry and human-annotated data are used to enhance LLMs. 

As per the authors of Gartner’s latest Hype Cycle for Endpoint Security, endpoint security technologies concentrate on faster, automated detection and prevention as well as remediation of attacks, to power integrated, extended detection and response (XDR), which correlates data points and telemetry from endpoint, network, emails, and identity solutions.

Compared to the larger information security and risk management market, spending on EDR and XDR is expanding more quickly. As a result, there is more intense competition across EDR and XDR providers.

According to Gartner, the market for endpoint security platforms will expand at a compound annual growth rate (CAGR) of 16.8% from its current $14.45 billion to $26.95 billion in 2027. With an 11% compound annual growth rate, the global market for information security and risk management is expected to reach $287 billion by 2027 from $164 billion in 2022.  

Modern GPUs Susceptible to Latest GPU.zip Side-Channel Assault

Researchers from several American universities have discovered that nearly all contemporary graphics processing units (GPUs) are vulnerable to a new kind of side-channel attack that could be employed to steal sensitive information. 

GPU.zip is a novel attack method discovered and reported by representatives from the University of Texas at Austin, Carnegie Mellon University, the University of Washington, and the University of Illinois Urbana-Champaign. 

The GPU.zip attack exploits hardware-based graphical data compression, an optimization in modern GPUs designed to enhance performance.

"GPU.zip exploits software-transparent uses of compression. This is in contrast to prior compression side channels, which leak because of software-visible uses of compression and can be mitigated by disabling compression in software," the researchers stated.

GPU.zip can be used to compromise a device by tricking the targeted user into visiting a malicious website, unlike many other recently revealed side-channel attacks that require physical access to the target device. Through this technique, the attacker's website is able to steal data from other websites that the victim is actively visiting. 

The method can specifically be used by the malicious website to steal individual pixels from another site that is open at the same time. This allows for the theft of visible information on the screen, such as usernames, which can be exploited to deanonymize a user.

While most websites that save sensitive information are designed to avoid this type of leakage, certain popular sites are still vulnerable. 

The researchers demonstrated the attack by stealing the targeted individual's username, which is displayed in the upper right corner of Wikipedia. It is worth mentioning, however, that obtaining the information via a GPU.zip attack takes a significant amount of time.

The researchers' two experiments took 30 minutes and 215 minutes to recover the Wikipedia username. Nevertheless, developers should verify that their websites are not vulnerable by configuring them to refuse being embedded by sites from other domains. 
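As an added example (not the researchers' code), the check below decides from a response's headers whether a page refuses embedding by other origins, the mitigation recommended above; it also handles the edge case where a permissive CSP frame-ancestors directive overrides a strict X-Frame-Options header. The header sets and the site origin https://example.org are constructed.

```python
# Constructed response-header sets for a few deployment states of a site
# whose own origin is assumed to be https://example.org.
SITE_ORIGIN = "https://example.org"
SAMPLE_RESPONSES = {
    "no framing policy": {"Content-Type": "text/html"},
    "x-frame-options deny": {"X-Frame-Options": "DENY"},
    "csp frame-ancestors none": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp self plus own origin": {
        "Content-Security-Policy": "frame-ancestors 'self' https://example.org"},
    # Permissive CSP wins over a strict X-Frame-Options in CSP-aware browsers.
    "csp wildcard overrides xfo": {
        "Content-Security-Policy": "frame-ancestors *",
        "X-Frame-Options": "DENY"},
}


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def refuses_cross_origin_framing(headers, origin):
    """True when the response headers stop pages on other origins from
    framing this page (the embedding that GPU.zip's pixel stealing needs)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            allowed = set(ancestors)
            if allowed <= {"'none'"}:   # 'none' or an empty source list
                return True
            # Only the site itself may frame it: 'self' and/or its own origin.
            return allowed <= {"'self'", origin.lower()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def audit(responses, origin=SITE_ORIGIN):
    """Map each response name -> whether cross-origin framing is refused."""
    return {name: refuses_cross_origin_framing(h, origin)
            for name, h in responses.items()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{'refuses' if ok else 'ALLOWS '} cross-origin framing: {name}")
```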

In March 2023, AMD, Apple, Arm, Intel, Nvidia, and Qualcomm were given information on the discoveries and proof-of-concept (PoC) code, but none of them had committed to releasing updates by September 2023. 

The attack has been demonstrated to operate with the Chrome web browser. Other popular browsers, such as Safari and Firefox, are unaffected. Google was also alerted about the potential risk in March 2023, but the internet giant is currently debating whether and how to fix the issue, the researchers added.

Agriculture Industry Should be Prepared: Cyberattacks May Put Food Supply Chain at Risk


Technological advancement in the agriculture sector has really improved the lives of farmers in recent years. Along with improved crop yields and cutting input costs, farmers can keep an eye on their crops from anywhere in the world.

Now, farmers can even use drone technology without having to traverse countless acres. They can monitor the movements, feeding, and even chewing patterns of every cow in their herd. However, a greater reliance on technology could endanger our farmers. More technology means more potential for hacks that might put the food supply chain in danger. 

Other such technologies, like automated feeding and watering systems, autonomous soil treatment systems, or even smart heat pumps or air conditioners, connect to the internet and are known in security circles as "endpoints"; their vulnerabilities are at risk of being exploited by threat actors. 

It is crucial that software manufacturers in the agriculture industry give security a high priority in their components and products in order to proactively address these dangers. From the farm to the store, security must be integrated into every step of this supply chain to guarantee that entire systems are kept safe from any potential intrusions. These are not simple threats: hackers are employing ransomware to target specific farms while jailbreaking tractors. More than 40,000 members of the Union des producteurs agricoles in Quebec were affected by a ransomware attack earlier this month. 

However, it could be difficult to stay protected from all sorts of risks, considering the complexity of new technologies and the diversity in applying them all. From enormous refrigeration units to industrial facilities with intricate operations and technology to networked and more autonomous farming equipment, all pose a potential security risk.

To minimize the risk, endpoints should adopt the latest embedded security protocols, and all farm devices should be kept up to date with the latest security patches. 

It is interesting to note that humans proved to be a weak link in the cybersecurity chain. It will be easier to prevent some of the most frequent mistakes that let hostile actors in if businesses practice "cyber hygiene," such as adopting two-factor authentication and creating "long and strong" (and private) passwords for every user. Cybercriminals, unlike farmers, are often fairly sluggish, so even a tiny level of security can make them move their nefarious operations elsewhere.

Moreover, education and a free flow of information turn out to be the best tool to safeguard the entire food supply chain. In order to maintain a reliable and resilient food supply chain, it has been suggested that stakeholders work together in sharing information in regard to the best measures ensuring better cybersecurity standards – which may include software manufacturers, farmers, food processors, retailers and regulators.  

The Rising Popularity of Remote Browser Isolation

The Importance of Browser Isolation in a Remote Work Environment

The COVID-19 pandemic has caused a seismic shift in the way we work, with remote work becoming the norm for many organizations. While this has brought numerous benefits, it has also presented new security challenges. In response, companies have turned to remote browser isolation as a solution. 

According to the "Innovation Insight for Remote Browser Isolation" report by Menlo Security, remote browser isolation is a rapidly evolving technology that is gaining popularity due to its ability to provide a secure browsing experience. In this blog, we will explore some of the key findings of this report and examine the growing importance of remote browser isolation in today's business landscape.

Amit Jain, who holds the position of Senior Director of Product Management at Zscaler, a cloud-based security company, suggests that due to the increasing number of remote employees utilizing cloud services, browser isolation has become essential in safeguarding both corporate cloud services and the employee's device.

He says, "For modern enterprises, the Internet is now the corporate network. This shift has enabled workers to work from anywhere while being able to access the information they need for their jobs through cloud-based apps and private apps via the Web. While this has provided maximum flexibility to workers, it has also significantly expanded the attack surface and has the potential to expose data."

Key Trends in Remote Browser Isolation: An Analysis of Menlo Security's Report

1. Growing Popularity of Remote Browser Isolation: It is quickly gaining traction as a key security technology, with many organizations recognizing its ability to protect against web-based threats.

2. Increased Need for Scalable Solutions: As more companies adopt remote work policies, the need for scalable remote browser isolation solutions has become more pressing. Many companies are exploring cloud-based solutions to meet this need.

3. The Importance of User Experience: Despite its security benefits, remote browser isolation can be challenging to implement in a way that provides a seamless user experience. The report highlights the importance of user experience in driving the adoption and suggests that solutions that prioritize ease of use are likely to gain traction.

4. New Threats and Attack Vectors: As with any security technology, remote browser isolation is not immune to evolving threats and attack vectors. The report discusses some of the emerging threats that remote browser isolation must contend with and suggests that ongoing innovation in this space will be critical in order to stay ahead of attackers.

5. Integration with Other Security Technologies: Remote browser isolation is most effective when integrated with other security technologies such as secure web gateways and endpoint security solutions. 

Browser Isolation Solutions: Will companies isolate?

Gartner says, "By 2022, 25% of enterprises will adopt browser isolation techniques for some high-risk users and use cases, up from less than 1% in 2017. By effectively isolating endpoints from browser-executable code, attacks that compromise end-user systems will be reduced by 70%, while eliminating the need to detect or identify malware."

Larger companies operating in regulated industries have tended to adopt remote browser isolation due to its ease of deployment and its physical air gap, which provides an additional layer of security. 

Small and medium-sized enterprises tend to opt for local browser isolation technology due to its flexibility. As expected, vendors have varying opinions on whether standalone or integrated solutions are preferable.

Mr. Jain from Zscaler said "The technology should be fully integrated into the zero trust platform providing threat protection for all Web activity and preventing data loss from sanctioned SaaS and corporate private apps. Moreover, HTML smuggling [and other] attacks can be better thwarted by an architecture which involves a tighter combination of browser isolation and sandbox technologies."

As cloud usage has increased, browser isolation has become even more important. Cloud services are often accessed through web browsers, and if a user's device is compromised, the sensitive data stored in the cloud is also at risk. However, using browser isolation significantly reduces the risk of a data breach.

Mark Guntrip, senior director at Menlo Security, said, "It's not the fact of what we do — it's the fact that we do it without interfering with that digital experience of the end user. So they can interact with whatever they want. They can click on whatever they want, but we hold anything that's active away from them."