Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft Defender. Show all posts
Ransomware Protection
Attack Disruption Automatic Device Isolation Cyber Security Cyber Threat Detection Endpoint security Microsoft Defender Microsoft Defender XDR Ransomware Protection

Microsoft Adds Automated Endpoint Isolation to Strengthen Cyber Defense


Microsoft is advancing its automated cyber defence strategy with the release of Microsoft Defender for Endpoints, which is capable of isolating compromised devices as soon as malicious activity is detected. 


The feature was introduced as a preview and has been designed to curb the most damaging stage of an intrusion by preventing endpoints from connecting to the broader corporate network while maintaining a secure connection to Microsoft's Defender service. By integrating this capability into the automatic attack disruption framework, the company hopes to accelerate containment, reduce the attacker's operating window, and provide security teams with valuable time for investigation and remediation during the critical early moments of a breach without relying solely on manual interventions. 

In spite of Microsoft's assertion that automated response systems can be deployed quickly in the event of active intrusions, security researchers caution that they must be implemented with carefully defined safeguards. Microsoft introduced the feature earlier this month as part of ongoing enhancements to Microsoft Defender, though a timeline for general availability has not yet been provided. 

In addition, a recent SANS Institute report outlined a potential risk scenario in which threat actors could manipulate automated disruption workflows to interfere with administrator accounts, potentially resulting in difficulties during incident response. According to Johannes Ullrich, Dean of Research at SANS Institute, automated isolation and attack disruption technologies have existed in both commercial and open-source security platforms for years, yet their effectiveness relies heavily on how they are configured and tuned. 

As Ullrich points out, organizations with limited security resources will significantly benefit from automated containment, however poorly configured policies may allow attackers to delay remediation by targeting privileged accounts, leading to delayed remediation. Nonetheless, industry experts agree that automation has become increasingly important as ransomware and malware operations continue to execute at machine speed. 

According to Robert Enderle, when a human analyst detects malicious activity, adversaries might have already established persistence, expanded their foothold, or begun encryption of data by the time he identifies it. Through the introduction of the new capability, Microsoft Defender XDR addresses this gap by automatically isolating workstations that are subject to ransomware or advanced intrusion activity upon detection of high-confidence indicators. 

While the network access is severed to prevent command-and-control communications, lateral movement, and data exfiltration, the endpoint is still connected to Microsoft Defender services, which enables continuous telemetry collection, remote investigation, and forensic analysis. The functionality is currently restricted to managed devices enrolled in Microsoft Defender for Endpoint and does not yet extend to servers or unmanaged assets. 

In addition to integrating signals from endpoints, identities, email environments, and SaaS applications, Defender XDR creates a comprehensive incident view by correlating signals across these technologies to trigger containment actions when malicious activity reaches a certain level of confidence. 

With a focus on isolated devices rather than wider network segments, the platform aims to contain threats with minimal operational impact, while reducing the potential for ransomware to spread throughout an organisation. In addition to operational safeguards built into the feature, Microsoft has also implemented measures to ensure that aggressive containment measures do not disrupt business operations in an unnecessary manner.

At present, only end-user workstations that have been onboarded through Microsoft Defender for Endpoint are capable of automatic isolation, with security teams remaining in control of remediation decisions once investigations are completed and threats have been mitigated.

Defender portal administrators have immediate control over recovery actions, as they can release devices directly from the Device Inventory or through the individual device management page. This latest development is a continuation of Microsoft's ongoing commitment to endpoint containment, a strategy that has steadily grown over the past several years. 

By June 2022, Defender introduced manual containment capabilities for unmanaged Windows devices, enabling administrators to prevent inbound and outbound communication from Defender-protected endpoints that are compromised. In early 2023, support for isolating onboarded Linux devices began testing, and general availability was expected later that year. 

The Microsoft Corporation has subsequently extended its automatic attack disruption framework to include user account isolation, a measure aimed at preventing lateral movement during the exploitation of hands-on-keyboard ransomware attacks. As part of an ongoing evaluation of Defender for Endpoint enhancements, the company is currently testing automatic traffic blocking for previously undiscovered Windows devices, thereby reducing the possibility of attackers pivoting to unprotected devices within a network. 

The Microsoft company has also provided an overview of scheduled antivirus scanning for Linux-onboarded systems, in addition to these containment-focused developments. Administrators can schedule quick or full scans recurring through the Defender portal, managed JSON configurations, or command-line controls, with options for low-priority execution, idle-time scheduling, and randomised scans. 

Providing flexibility through automated recovery, administrator-driven release controls, exclusion policies for business-critical assets, and targeted containment logic that isolates only systems that are directly associated with malicious activity is a major component of the new automated isolation framework. 

Throughout the Microsoft Defender portal, all isolations, restorations, and response actions are recorded, and security teams can review detailed event timelines, trigger detections, and automated remediation activities through centralised investigation and action management interfaces. 

In a world where speed of detection is no longer sufficient without equally rapid containment, Microsoft's latest move highlights a broader shift in enterprise security. With threat actors increasingly automating intrusion, ransomware deployment, and lateral movement, organisations are increasingly relying on security platforms capable of determining the appropriate response in real time based on their high level of confidence.

However, the effectiveness of such automation ultimately relies upon its careful implementation, ongoing validation, and clearly defined operational safeguards. The challenge for defenders is not simply adopting autonomous security capabilities, but also ensuring they remain accurate, transparent, and aligned with corporate objectives. Success in cyber resilience is determined by finding the right balance between speed and control.
Read more »
Microsoft Defender
Cyber Attacks Cyber Defender cybersecurity risks Malware Attack Malware Service Microsoft Defender

CountLoader and GachiLoader Malware Campaigns Target Cracked Software Users

 

Cybersecurity analysts have uncovered a new malware campaign that relies on cracked software download platforms to distribute an updated variant of a stealthy and modular loader known as CountLoader. According to researchers from the Cyderes Howler Cell Threat Intelligence team, the operation uses CountLoader as the entry point in a layered attack designed to establish access, evade defenses, and deploy additional malicious payloads. 

CountLoader has been observed in real-world attacks since at least June 2025 and was previously analyzed by Fortinet and Silent Push. Earlier investigations documented its role in delivering widely used malicious tools such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and cryptomining malware. The latest iteration demonstrates further refinement, with attackers leveraging familiar piracy tactics to lure victims. 

The infection process begins when users attempt to download unauthorized copies of legitimate software, including productivity applications. Victims are redirected to file-hosting platforms where they retrieve a compressed archive containing a password-protected file and a document that supplies the password. Once extracted, the archive reveals a renamed but legitimate Python interpreter configured to run malicious commands. This component uses the Windows utility mshta.exe to fetch the latest version of CountLoader from a remote server.  

To maintain long-term access, the malware establishes persistence through a scheduled task designed to resemble a legitimate Google system process. This task is set to execute every 30 minutes over an extended period and relies on mshta.exe to communicate with fallback domains. CountLoader also checks for the presence of endpoint protection software, specifically CrowdStrike Falcon, adjusting its execution method to reduce the risk of detection if security tools are identified. 

Once active, CountLoader profiles the infected system and retrieves follow-on payloads. The newest version introduces additional capabilities, including spreading through removable USB drives and executing malicious code entirely in memory using mshta.exe or PowerShell. These enhancements allow attackers to minimize their on-disk footprint while increasing lateral movement opportunities. In incidents examined by Cyderes, the final payload delivered was ACR Stealer, a data-harvesting malware designed to extract sensitive information from compromised machines. 

Researchers noted that the campaign reflects a broader shift toward fileless execution and the abuse of trusted, signed binaries. This approach complicates detection and underscores the need for layered defenses and proactive threat monitoring as malware loaders continue to evolve.  

Alongside this activity, Check Point researchers revealed details of another emerging loader named GachiLoader, a heavily obfuscated JavaScript-based malware written in Node.js. This threat is distributed through the so-called YouTube Ghost Network, which consists of hijacked YouTube accounts used to promote malicious downloads. The campaign has been linked to dozens of compromised accounts and hundreds of thousands of video views before takedowns occurred. 

In some cases, GachiLoader has been used to deploy second-stage malware through advanced techniques involving Portable Executable injection and Vectored Exception Handling. The loader performs multiple anti-analysis checks, attempts to gain elevated privileges, and disables key Microsoft Defender components to avoid detection. Security experts say the sophistication displayed in these campaigns highlights the growing technical expertise of threat actors and reinforces the importance of continuously adapting defensive strategies.
Read more »
Vulnerabilities and Exploits
Akira Ransomware GuidePoint Security Microsoft Defender SonicWall VPN Vulnerabilities and Exploits

Hackers Bypassed Microsoft Defender to Deploy Ransomware on PCs

 

GuidePoint Security's latest report reveals a sophisticated Akira ransomware campaign exploiting SonicWall VPNs through the strategic use of malicious Windows drivers. The campaign, which began in late July 2025, represents a significant escalation in the group's tactics for evading security controls. 

From late July through early August 2025, multiple security vendors reported a surge in Akira ransomware deployments following SonicWall VPN exploitation. While the underlying cause remains disputed—potentially involving a zero-day vulnerability—SonicWall has acknowledged the activity but hasn't disclosed specific vulnerability details. 

Key technical findings 

GuidePoint's incident response teams identified two drivers consistently used by Akira affiliates in a Bring Your Own Vulnerable Driver (BYOVD) attack chain: 

Primary Driver - rwdrv.sys: This legitimate driver from ThrottleStop, a Windows performance monitoring utility for Intel CPUs, is being weaponized by attackers. Once registered as a service, it provides kernel-level access to compromised systems, essentially giving attackers the highest privileges possible on Windows machines. 

Secondary Driver - hlpdrv.sys: This malicious driver specifically targets Windows Defender by modifying the DisableAntiSpyware registry settings through automated registry edits. The driver's hash has been identified in commercial malware repositories. 

The researchers suspect the legitimate rwdrv.sys driver enables execution of the malicious hlpdrv.sys driver, though the exact mechanism remains unclear. 

Detection and response

GuidePoint has developed a comprehensive YARA rule to detect the malicious hlpdrv.sys driver based on its PE structure, imports, and associated strings. The rule validates specific characteristics including section layouts, import functions from ntoskrnl.exe, and unique artifact strings.

The report provides critical Indicators of Compromise (IOCs), including file paths typically found in Users$$REDACTED]\AppData\Local\Temp\ and service registrations under names "mgdsrv" and "KMHLPSVC". 

Mitigation tips 

SonicWall has issued specific hardening recommendations for organizations using their VPN solutions: 

  • Disable SSLVPN services where operationally feasible.
  • Restrict SSLVPN connectivity to trusted source IP addresses only. 
  • Enable comprehensive security features including Botnet protection and Geo-IP filtering.
  • Enforce multi-factor authentication (MFA) for all VPN access.
  • Remove unused accounts and maintain strict password hygiene practices. 

This campaign highlights Akira's evolution toward more sophisticated anti-detection techniques, moving beyond simple encryption to actively disabling endpoint security solutions. The consistent use of these drivers across multiple incident response cases makes them high-fidelity indicators for both proactive threat hunting and forensic analysis. 

The report emphasizes that defenders should prioritize log review and YARA rule deployment to identify pre-ransomware activity, potentially enabling intervention before full system compromise occurs.
Read more »
Subscribe to: Posts (Atom)