Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Windows. Show all posts
Windows
CAPTCHA malware Scam Windows

Fake CAPTCHA Scams Trick Windows Users into Downloading Malware

 



Cybercriminals have found a new way to trick Windows users into downloading harmful software by disguising malware as a CAPTCHA test. A recent investigation by security researchers revealed that attackers are using this method to install infostealer malware, which secretly collects sensitive data from infected computers.  


How the Scam Works  

The attack begins when a user visits a compromised website and encounters what appears to be a routine CAPTCHA verification. These tests are usually used to confirm that a visitor is human, but in this case, clicking on it unknowingly triggers a harmful command.  

Instead of simply verifying the user’s identity, this fake CAPTCHA executes a hidden script that launches a multi-step infection process. The malware then installs itself and starts collecting sensitive information like usernames, passwords, and banking details.  


Step-by-Step Breakdown of the Attack  

1. Fake CAPTCHA Displayed: The user sees what looks like a normal CAPTCHA test.  

2. PowerShell Command Executed: Clicking on the CAPTCHA activates a hidden script that runs harmful commands.  

3. Additional Malicious Code Downloaded: The script retrieves more files, which help the malware spread without detection.  

4. Final Infection: The malware, such as Lumma or Vidar, is installed and begins stealing personal data.  


How Attackers Evade Detection  

Hackers use several techniques to keep their malware hidden from security software:  

Obfuscation: The malware code is made more complex to avoid being detected by antivirus programs.  

Multiple Layers of Encryption: Attackers scramble the malware’s code so that security tools cannot recognize it.  

Bypassing Security Measures: The script manipulates Windows settings to prevent detection and removal.  

In some cases, the malware uses a special trick called XOR encryption to disguise itself. Some versions even include commands that trick Windows security tools into believing the malware is safe.  


How to Protect Yourself  

To avoid falling victim to this scam, follow these precautions:  

1. Be Wary of Suspicious CAPTCHAs: If a CAPTCHA test appears unusual or asks for unexpected actions, do not interact with it.  

2. Stay on Trusted Websites: Avoid unknown or unverified sites, as they may be compromised.  

3. Keep Your System Updated: Install the latest security updates for Windows and your antivirus software.  

4. Use Reliable Security Tools: A strong antivirus program can help detect and block suspicious activity.  

5. Enable Browser Protections: Modern web browsers offer security features that warn against unsafe websites — keep them turned on.  


This deceptive CAPTCHA scam is a reminder that cybercriminals are always coming up with new ways to infect devices and steal personal data. By staying alert and following basic security practices, users can reduce their chances of being targeted by such attacks.

Read more »
Windows
Akira CyberCrime Cybersecurity Cyberthreats EDR EDR Protections Ransomware S-RM Technology Webcam Windows

Webcam Exploited by Ransomware Group to Circumvent EDR Protections

 


Researchers at S-RM have discovered an unusual attack method used by the Akira ransomware gang. The Akira ransomware gang utilized an unsecured webcam to conduct encryption attacks against victims' networks via the use of an unsecured webcam. The attackers were able to bypass the Endpoint Detection and Response (EDR) mechanisms, which had been successful in stopping the ransomware encryptor from functioning on Windows computers.

During an investigation conducted by the S-RM team as part of an incident response, the S-RM team uncovered Akira's sophisticated adaptations in response to security defences. As a first step, the threat actors tried to implement encryption tools on Windows endpoints, but these attempts were thwarted by the EDR solution provided by the victim. 

It is important to note that the attackers reacted to this by exploiting the unsecured webcam as an entry point for the malware to infiltrate the network and launch their ransomware attacks. This incident illustrates how ransomware operators are increasingly using unconventional vulnerabilities to circumvent modern cybersecurity defenses, highlighting the evolution of ransomware operations. 

Network vulnerabilities exploited by Akira ransomware operators. 


Researchers in the cybersecurity field recently discovered a sophisticated attack strategy that was employed by the Akira ransomware group. Initially, the threat actors gained access to the network via an externally exposed remote access solution through which unauthorized access was gained. The attackers then installed AnyDesk.exe, a legitimate remote desktop tool, to maintain persistent access within the compromised network, and proceeded to exfiltrate sensitive data using this tool. 

In the months following the initial breach, the attackers used Remote Desktop Protocol (RDP) to move laterally through the network, simulating legitimate system administrator activities to conceal their activity and blend into normal networking operations. They evaded detection by mimicking legitimate system administrator activities. 

Akira Ransomware Group: A Rising Threat in the Cybercrime Landscape 


Emergence and Rapid Expansion 


Originally identified in early 2023, the Akira ransomware group has rapidly gained popularity as one of the most active ransomware operations in the world. As of 2024, the Akira group is responsible for around 15% of all ransomware incidents that were examined by cybersecurity firm S-RM. The company specializes in targeting small to medium sized businesses (SMEs) in North America, Europe, and Australia, especially businesses that have fewer than 1,000 employees as their primary target market. 

Operational Model and Organizational Structure 


Rather than using the typical paid-for model, Akira also uses a ransomware-as-a-service model: within this model, the group's core developers provide a running platform that allows its affiliates to access its binary and leak sites in exchange for a share of the ransom payments received by the group's owners. 

Triple Extortion Strategy and Technical Adaptability 


By employing a triple approach of extortion, or a series of layers of coercion to maximize leverage over their victims, Akira achieves extreme leverage over them: 

Data Encryption – Locking files and systems to disrupt business operations. 

Data Exfiltration – Stealing sensitive information before encryption. 

Public Disclosure Threats – Threatening to release exfiltrated data unless the ransom is paid. 

Akira's technical adaptability is exemplified by its ability to adjust its attack methods based on security threats. A recent webcam attack highlighted the group's innovative tactics. In this case, the group circumvented Endpoint Detection and Response (EDR) protections by using unsecured Internet of Things devices as an alternative entry point to bypass the system's protections. 

As ransomware operations such as Akira become more sophisticated, organizations, particularly small and medium-sized enterprises, must take proactive cybersecurity measures to mitigate the threats posed by these highly adaptive threat actors. To mitigate these risks, organizations must implement robust endpoint security, network segmentation, and IoT security protocols. 

Initially, the threat actors managed to breach the corporate network through an exposed remote access solution, likely using stolen credentials or brute-force techniques to gain access to the network. Once inside, they deployed AnyDesk, an authentic remote access tool, to gain persistent access and gain access to sensitive data. The data was then used as leverage in a double extortion scheme that later resulted in a double extortion attack. 

When the attack was first initiated, the attackers took advantage of the Remote Desktop Protocol (RDP) to enable them to move laterally, systematically spreading their presence across multiple systems before launching the ransomware attack. Their attack was carried out by introducing a password-protected archive file, win.zip, with the ransomware payload, win.exe, as a payload. Although the threat was initially detected and quarantined by the victim's Endpoint Detection and Response (EDR) system, it was ultimately neutralized when the virus was identified and quarantined. 

The attackers modified their strategy after experiencing this setback by finding alternative ways to attack the device. During a thorough network scan, several potential entry points were discovered, including a webcam and a fingerprint scanner. S-RM, a cybersecurity firm, explains that threat actors eventually chose the webcam as their primary pivot point for gaining access to its data, as it is easy for remote shell access and unauthorized video feeds. Moreover, the attackers took advantage of the device's lightweight Linux-based operating system, which was compatible with Akira's Linux encryptor. 

Since the webcam was without a protection agent against EDR attacks, it was an ideal choice for the ransomware attack to take place. The threat actors were able to successfully encrypt files on network shares by leveraging their connectivity to the Internet, circumventing conventional security measures and demonstrating the evolving sophistication of ransomware tactics. Instead of abandoning their original objective, the ransomware operators chose to utilize a previous internal network scan data as the basis for their next strategy. 

An investigation of the Internet of Things (IoT) revealed that several vulnerable devices were not adequately protected, including webcams and fingerprint scanners. As the attackers recognized the potential of unprotected devices as alternative entry points to traditional security systems, they sought to bypass those mechanisms. They discovered several vulnerabilities during their assessment, including an unsecured webcam, which proved to be the most feasible vulnerability. 

Several reasons contributed to this, most notably that it lacked Endpoint Detection and Response (EDR) protection, which made it an ideal target for exploiting. Additionally, the device was capable of being accessed remotely through a remote shell, making it even easier for attackers to gain access.

In addition, the Linux-based operating system presented a lightweight security footprint, which reduced the chances of detection and strengthened the appeal of the operating system as a potential entry point for cybercriminals. Execution of the Attack Through IoT Exploitation This attacker was able to create malicious SMB traffic directed towards a target Windows server by compromising a vulnerable webcam, which was able to be used by the attacker to create malicious SMB traffic. 

Due to the organization's lack of active monitoring of IoT devices, this technique enabled the ransomware payload to bypass traditional detection mechanisms. As a result of the attack, a large number of files were encrypted across the network of the victim. Even though SMB-based attacks have generally been considered to be less efficient than other intrusion techniques, this attack proved extremely effective in this case, mainly because they are frequently incompatible with conventional security monitoring tools, such as this tool. 

It is as a consequence of this incident that organizations must take proactive steps to ensure that all network-connected devices, most notably IoT endpoints, are secured via encryption so that sophisticated ransomware operators are not able to exploit them as attack vectors. 

The fact that the compromised webcam lacked an Endpoint Detection and Response (EDR) protection was a critical factor in the success of this attack, as largely due to its limited storage capacity, it could not cope with advanced security measures needed to defend itself. 

The Akira ransomware group exploited this vulnerability to deploy its Linux-based ransomware quickly from the compromised machine, encrypting files across the victim's network by using the Server Message Block protocol (SMB). As a result of this strategic approach, the attackers were able to operate covertly since malicious SMB traffic originating from the webcam was not detected by security systems, allowing them to evade detection by the organization's cybersecurity team. 

In light of these events, it is due to the growing necessity for comprehensive security protocols, in particular for securing Internet of Things (IoT) devices, that are more and more exploited as attack vectors by cyber criminals. A proactive cybersecurity approach is imperative to mitigate similar threats by ensuring that IoT devices are patched and managed, conducting regular vulnerability assessments within the organization's internal networks, and implementing robust network segmentation so that connected devices are limited in their ability to communicate. 

Further, turning off IoT devices when not in use can serve as a preventive measure against potential exploitation. To effectively defend against emerging threats, it is imperative to continuously monitor your network and implement robust security frameworks. As demonstrated by the Akira ransomware group, you must monitor your network constantly and implement robust security measures. With ransomware-as-a-service (RaaS) operations continuing to evolve at a rapid pace, organizations must remain vigilant, improving their cybersecurity strategies proactively to remain protected from increasingly sophisticated cyberattacks.
Read more »
Windows
BYOVD Attack CyberCrime Cybersecurity CyberThreat Vulnerabilities and Exploits Vulnerability Windows

Cybercriminals Target Paragon Partition Manager Vulnerability in BYOVD Attacks

 


It has been reported that threat actors have been actively exploiting a security vulnerability within the BioNTdrv.sys driver of Paragon Partition Manager in ransomware attacks by elevating privileges and executing arbitrary code under the guise of attacks. The CERT Coordination Center (CERT/CC) has identified this zero-day vulnerability as CVE-2025-0289, one of five security flaws discovered by Microsoft during the past year. 

Other flaws have been identified, including arbitrary memory mapping, arbitrary memory write, null pointer dereferences, insecure kernel resource access, and arbitrary memory move vulnerabilities. It is especially concerning that an adversary may be able to exploit this vulnerability. It involves a Microsoft-signed driver, which allows adversaries to take advantage of the Bring Your Own Vulnerable Driver (BYOVD) technique. 

Using this method, attackers can compromise systems regardless of whether Paragon Partition Manager is installed, broadening the attack surface significantly. As BioNTdrv.sys operates at the kernel level, threat actors can exploit these vulnerabilities to execute commands with elevated privileges. This allows them to bypass security measures and defensive software, as attackers can access the system and deploy additional malicious payloads. 

Even though Microsoft researchers have identified all five security flaws, the company can not divulge what ransomware groups have been leveraging CVE-2025-0289 to execute their attacks. They are only aware that it has been weaponized in ransomware operations. A bulletin issued by Microsoft's CERT Coordination Center (CERT/CC) indicated that threat actors have been exploiting this vulnerability to conduct BYOVD-based ransomware attacks. 

According to the CVE-2025-0289 vulnerability, further malicious code within compromised environments can be executed by exploiting this vulnerability to escalate privileges to the SYSTEM level. This vulnerability can be exploited to facilitate the exploitation of BYOVD attacks, even on systems where the affected driver is not installed, and this can result in threat actors gaining elevated privileges and executing malicious code without the protection of security systems in place. 

As part of the identified security flaws affecting BioNTdrv.sys versions 1.3.0 and 1.5.1, CVE-2025-0285 is a flaw in version 7.9.1 which permits the mapping of kernel memory to arbitrary user inputs by not properly validating the length of the input. By exploiting this vulnerability, the user can escalate their privileges even further. 

There is a CVE-2025-0286 vulnerability that exists in version 7.9.1, resulting from improper validation of input controlled by users, which allows attackers to exploit this flaw to execute malicious code on the target machine. An unprivileged code execution vulnerability has been found in version 7.9.1, caused by an insufficient MasterLrp structure in the input buffer, which can result in a null pointer dereference vulnerability. 

Successful exploit allows arbitrary kernel-level code to be executed, facilitating privilege escalation and further misuse. Version 7.9.1 contains a vulnerability in the memmove function. This function fails to properly sanitize user-supplied data, allowing attackers to manipulate kernel memory and escalate privileges. 

Inversion of the CVE-2025-0289 vulnerability, an insecure kernel resource access vulnerability, has been found in version 17 of the Linux kernel due to a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware during the detection process. By exploiting this vulnerability, attackers can compromise the system. 

This security vulnerability has been addressed by Paragon Software by releasing the updated driver BioNTdrv.sys version 2.0.0 across all products within Paragon Software's Hard Disk Manager suite, including Partition Manager versions 17.45.0 and later versions. This update has been developed to reduce the risks associated with the previously identified security vulnerabilities. 

There is also a dedicated security patch available for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 that will provide users with an additional layer of protection against any exploits that might occur in the future, thereby enhancing the level of security. As part of Microsoft's efforts to protect its ecosystem, it has updated its Vulnerable Driver Blocklist, which effectively disables the execution of BioNTdrv.sys versions that are compromised within Windows environments, thereby preventing exploitation. 

Users and enterprises are strongly encouraged to ensure that this protection mechanism is kept in place to prevent exploitation. In light of the ongoing threat posed by these vulnerabilities, especially as a result of ransomware attacks, all users of Paragon Partition Manager and its associated products must update their software as soon as possible to the newest version available. 

As a further precaution, all Windows users should make sure that they enable the Microsoft Vulnerable Driver Blocklist feature as soon as possible. This is because it serves as a critical defense against BYOVD (Bring Your Vulnerable Driver) attacks, where outdated or insecure drivers are leveraged to elicit privileges and compromise a computer system.
Read more »
Windows
Cyber Security LibreOffice Updates Windows

LibreOffice Fixes Security Flaw That Allowed Malicious File Execution

 



LibreOffice, a popular free office suite, recently fixed a major security flaw that could have let hackers run harmful files on Windows computers. The issue, identified as CVE-2025-0514, was related to how the software handled links inside documents. If exploited, it could allow attackers to trick users into opening dangerous files.  


How the flaw worked  

LibreOffice allows users to click on hyperlinks in documents to open websites or files. Normally, it blocks links that try to open unsafe files, but older versions (before 24.8.5) failed to properly check certain types of links.  

Hackers found a way to trick the software by using specially designed web addresses. When a user clicked one of these deceptive links, LibreOffice could mistakenly treat it as a local file path and execute harmful programs. Unlike other document-based attacks that require macros, this method only needed the user to click a link, making it especially dangerous.  


LibreOffice fixes the issue  

To prevent such attacks, LibreOffice released version 24.8.5 on February 25, 2025. The update improves how the software checks links, ensuring that unsafe web addresses cannot be mistaken for local files.  

Developers Caolán McNamara from Collabora Productivity and Stephen Bergman from allotropia worked on fixing the issue after it was reported by security researcher Amel Bouziane-Leblond. The flaw highlighted how small errors in how software reads links can create serious security risks.  


What users should do  

This vulnerability could be used in phishing scams where hackers send fake documents to trick people into clicking malicious links. To stay safe, users should update their LibreOffice software immediately.  

Here are some steps to stay protected:  

1. Install the latest LibreOffice update (24.8.5 or later) to fix the issue  

2. Be cautious with documents from unknown sources, especially if they contain links  

3. Avoid clicking hyperlinks in documents unless you trust the sender  

4. Businesses should ensure all their computers are updated to reduce security risks  


The importance of updates 

While this flaw mainly affected Windows users, it highlights the need for strong security measures in office software. Cybercriminals constantly find new ways to exploit common tools, making software updates and user awareness essential.  

So far, there are no known real-world attacks using this vulnerability, but security experts consider it critical. Users can download the latest LibreOffice version from the official website or update it through Linux package managers.

Read more »
Windows
data security LightSpy Linux Mac malware Windows

LightSpy Malware Attacks Users, Launches Over 100 Commands to Steal Data


Cybersecurity researchers at Hunt.io have found an updated version of LightSpy implant, a modular surveillance framework for data collection and extraction. Famous for attacking mobile devices initially, further enquiry revealed it can attack macOS, Windows, Linux, and routers. 

LightSpy has been executed in targeted attacks, it uses watering hole techniques and exploit-based delivery, coupled with an infrastructure that swiftly escapes detection. LightSpy was first reported in 2020, targeting users in Hong Kong.

History of LightSpy

LightSpy has been historically famous for attacking messaging apps like WeChat, Telegram, QQ, Line, and WhatsApp throughout different OS. According to ThreatFabric report, the framework can extract payment data from WeChat, remove contacts, wipe out messaging history, and alot of other things.

The compromised things include WiFi network details, iCloud Keychain, screenshots, location, browser history, photos, call history, and SMS texts.

Regarding server analysis, the LightSpy researcher said they "share similarities with prior malicious infrastructure but introduce notable differences in the command list."

Further, "the servers analyzed in this research As previously observed, the cmd_list endpoint is at /ujmfanncy76211/front_api. Another endpoint, command_list, also exists but requires authentication, preventing direct analysis."

LightSpy Capabilities

In 2024, ThreatFabric reported about an updated malware version that has destructive capability to stop compromised device from booting up, in addition to the number of supported plugins from 12 to 28.

Earlier research has disclosed potential overlaps between an Android malware called "DragonEgg" and LightSpy, showing the threat's cross-platform nature.

Hunt.io's recent analysis study of the malicious command-and-control (C2) infrastructure linked with the spyware has found support for more than 100 commands spread across iOS, macOS, Linux, routers, and Windows.

Expert insights

Commenting on the overall impact of the malware, Hunt.io experts believe “LightSpy's infrastructure reveals previously unreported components and administrative functionality.” However, the experts remain unsure if it symbolizes new growths or earlier versions not publicly reported. “Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms,” concludes 

To stay safe, experts suggest users to:

Limit app permissions to avoid unwanted access to important data. “On Android, use Privacy Dashboard to review and revoke permissions; on iOS, enable App Privacy Reports to monitor background data access.”

Turn on advanced device security features that restrict the exploitability of devices. iOS users can enable Lockdown Mode and Android users can turn on Enhanced Google Play Protect and use protection features to identify and block suspicious activities. 

Read more »
Windows
BlackLock Cyber Attacks Linux Ransomware Windows

BlackLock Ransomware: The Fastest-Growing Cyber Threat and How to Stay Safe

 



Ransomware remains a major problem for businesses, and a new cybercriminal group is expanding at an alarming rate. Security researchers at ReliaQuest have identified BlackLock as the fastest-growing ransomware operation today, with its activity increasing by 1,425% since late 2024. Although it is currently the seventh most active ransomware group, experts predict it could become the biggest threat in 2025.  

Despite law enforcement cracking down on major ransomware gangs like LockBit in 2024, the number of cyberattacks continues to grow. A report from January 31 suggested ransomware incidents had risen by 15% compared to the previous year. However, a February 20 study by Symantec showed a slower increase of just 3%. No matter the rate, the takeaway is the same, ransomware remains a serious risk.  


How BlackLock Ransomware Operates  

BlackLock ransomware is designed to infect Windows, Linux, and VMware ESXi systems, making it a versatile and dangerous threat. Cybercriminals behind this operation have developed unique methods to pressure victims into paying ransom quickly.  


1. Blocking access to stolen data  

  • Ransomware groups often leak stolen information on dark web sites to force victims to pay.  
  • BlackLock makes it harder for victims and cybersecurity teams to access leaked data by blocking repeated download attempts.  
  • If someone tries to retrieve files too often, they either receive no response or only see empty files with contact details instead of real data.  
  • This tactic prevents companies from fully understanding what was stolen, increasing the likelihood of paying the ransom.  


2. Recruiting criminals to assist with attacks  

  • BlackLock actively hires "traffers," cybercriminals who help spread ransomware by tricking people into downloading malware.  
  • These traffers guide victims toward fake websites or malicious links that install ransomware.  
  • The group openly recruits low-level hackers on underground forums, while more skilled cybercriminals are privately contacted for higher-level roles.  


Steps to Protect Your Systems  

Security experts recommend taking immediate action to strengthen defenses, especially for companies using VMware ESXi servers. Here are some key steps:  

1. Turn off unnecessary services  

  • Disable unused features like vMotion and SNMP to reduce possible entry points for attackers.  

2. Strengthen security restrictions  

  •  Configure VMware ESXi hosts to only allow management through vCenter, making it harder for hackers to exploit weaknesses.  

3. Limit network access  

  •  Use firewalls and strict access controls to prevent unauthorized users from reaching sensitive systems.  

Additional recommendations include:  

1. Activating multi-factor authentication (MFA) to prevent unauthorized logins.  

2. Disabling Remote Desktop Protocol (RDP) on systems that do not need remote access.  

The rapid rise of BlackLock ransomware shows that cybercriminals ar constantly developing new strategies to pressure victims and avoid detection. Organizations must take proactive steps to secure their networks and stay informed about emerging threats. Implementing strong security controls today can prevent costly cyberattacks in the future.

Read more »
Windows
ADFS Microsoft Password Phishing Attacks Technology Windows

Hackers Steal Login Details via Fake Microsoft ADFS login pages

Microsoft ADFS login pages

A help desk phishing campaign attacked a company's Microsoft Active Directory Federation Services (ADFS) via fake login pages and stole credentials by escaping multi-factor authentication (MFA) safety.

The campaign attacked healthcare, government, and education organizations, targeting around 150 victims, according to Abnormal Security. The attacks aim to get access to corporate mail accounts for sending emails to more victims inside a company or launch money motivated campaigns such as business e-mail compromise (BEC), where the money is directly sent to the attackers’ accounts. 

Fake Microsoft ADFS login pages 

ADFS from Microsoft is a verification mechanism that enables users to log in once and access multiple apps/services, saving the troubles of entering credentials repeatedly. 

ADFS is generally used by large businesses, as it offers single sign-on (SSO) for internal and cloud-based apps. 

The threat actors send emails to victims spoofing their company's IT team, asking them to sign in to update their security configurations or accept latest policies. 

How victims are trapped

When victims click on the embedded button, it takes them to a phishing site that looks same as their company's authentic ADFS sign-in page. After this, the fake page asks the victim to put their username, password, and other MFA code and baits then into allowing the push notifications.

The phishing page asks the victim to enter their username, password, and the MFA code or tricks them into approving the push notification.

What do the experts say

The security report by Abnormal suggests, "The phishing templates also include forms designed to capture the specific second factor required to authenticate the targets account, based on the organization's configured MFA settings.” Additionally, "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification."

After the victim gives all the info, they are sent to the real sign-in page to avoid suspicious and make it look like an authentic process. 

However, the threat actors immediately jump to loot the stolen info to sign into the victim's account, steal important data, make new email filter rules, and try lateral phishing. 

According to Abnormal, the threat actors used Private Internet Access VPN to hide their location and allocate an IP address with greater proximity to the organization.  

Read more »
Windows
Cyber Attacks Mac OS North Korea Remote Work threat mitigation Windows

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers use various ways to steal user data, one recent trend, according to the FBI, shows they have started gaining employment with companies. The agency has pushed out public announcement I-012325-PSA, warning organizations in the U.S. to disable local admin accounts, business must pay attention to it.

North Korean Hackers Disguising as IT Workers

The FBI has warned the public, private sector, and the world about the “victimization of US-based businesses”, as cyberattacks involving remote IT workers from North Korea are on the rise. It has noticed North Korean IT workers gaining illegal access to systems to steal confidential data and launch other cyber-crime operations. 

In an FBI announcement reported by Forbes, it was disclosed that “victims have seen proprietary data and code held to ransom,” and “the copying of corporate code repositories to attacker user profiles and personal cloud accounts.” Additionally,  the attackers have also “attempted harvesting of company credentials and session cookies for further compromise opportunities.” 

Understanding the “Principle of Least Privilege”

Law enforcement and intelligence agencies like the FBI and NSA (National Security Agency) have advised the principle of least privilege,  to “only allow designated administrator accounts to be used for administrative purposes.” The aim is to limit the administrative rights available to Mac and Windows users to ensure security. 

The principle of least privilege gives admin account access to only selected people, and nobody else. The method ensures company employees only have access to particular resources needed to get the job done, not admin rights. For instance, the user account completes day-to-day needs, whereas for something critical, like software installation, the systems will ask for admin credentials. 

Wikipedia is one great example of using this technique, it has user accounts for making backups that don’t need to install software and only have rights for running backups and related applications. 

Mitigating Threats- Advice from FBI and Security Experts

The FBI suggests businesses disable local administrator accounts and restrict privileges for installing remote desktop apps, keeping an eye out for any unusual network traffic. It has warned organizations to remember that “North Korean IT workers often have multiple logins into one account in a short period of time,” coming from various IP addresses linked with different countries. 

The agency has also advised HRs, development teams, and hiring managers to focus “on changes in address or payment platforms during the onboarding process.”

Read more »
Windows
Amaday Bot Lumma Stealer malware Malware Campaign Manufacturing Windows

New Malware Campaign Attacks Manufacturing Industry


Lumma Stealer and Amaday Bot Resurface

In a recent multi-stage cyberattack, Cyble Research and Intelligence (CRIL) found an attack campaign hitting the manufacturing industry. The campaign depends upon process injection techniques aimed at delivering malicious payloads like Amaday Bot and Lumma Stealer.

Using a chain of evasive actions, the threat actor (TA) exploits diverse Windows tools and processes to escape standard security checks, which leads to persistent system control and potential data theft. 

About the campaign

CRIL found an advanced multi-level attack campaign that starts with a spear-phishing mail. The email has a link that directs to an LNK file, hidden as a PDF file. When the fake PDF is clicked, it launches a series of commands. The LNK file is hosted on a WebDAV server, making it challenging for security software to trace.

“For instance, one of the malicious links observed in the campaign was hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop. The attack’s effectiveness stems from its ability to exploit the name of a legitimate cloud-based document management system (LogicalDOC), commonly used in manufacturing and engineering industries, to convince targets into opening the file,” reports the Cyber Express.

How the campaign works

After executing the LNK file, it opens ssh.exe, a genuine system utility that can escape security software checks. Via ssh.exe, a PowerShell command is activated to retrieve an extra payload via a remote server from mshta.exe. 

Threat actors use this process to avoid detection via Google’s Accelerated Mobile Pages (AMP) framework merged with a compressed URL. The retrieved payload is a malicious script containing extra hacked commands that gradually deliver the last malicious payload to the target system.

Once the LNK file is executed, it launches ssh.exe, a legitimate system utility that can bypass security software’s detection. Through ssh.exe, a PowerShell command is triggered, which fetches an additional payload from a remote server using mshta.exe. This process is designed to evade detection by using Google’s Accelerated Mobile Pages (AMP) framework combined with a shortened URL. 

The payload fetched is a script that contains additional obfuscated commands that eventually deliver the final malicious payload to the victim’s system. 

CYBLE blog says, “The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems. Yara and Sigma rules to detect this campaign, are available for download from the linked GitHub repository.”    

Read more »
Windows
Cyber Attacks Fake Website Firefox RomCom Windows

Russian Hackers Use Firefox and Windows Vulnerabilities in Global Cyberattack

 



A sophisticated cyberattack carried out by the Russian cyber threat group RomCom APT has raised alarms within the global cybersecurity community. Exploiting two previously unknown zero-day vulnerabilities in Firefox and Windows, the attack, which took place in October, was able to infiltrate systems without any user interaction. This tactic marks a concerning escalation in cyberattack methods, highlighting the ever-growing sophistication of threat actors. 
 

How the Attack Unfolded 

 
RomCom APT used two critical vulnerabilities to carry out its campaign: 
 
1. Firefox Animation Timeline Vulnerability (CVE-2024-9680) 
 
A severe flaw in Firefox's animation timelines allowed the attackers to remotely execute malicious code. Rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), the vulnerability was exploited through fake websites. Victims who visited these websites unknowingly downloaded malware disguised as the RomCom backdoor. Once installed, the malware silently redirected users to the legitimate websites they intended to visit, leaving them unaware of the compromise. This vulnerability also affected Tor, which shares a code base with Firefox, broadening its potential impact. 

2. Windows Task Scheduler Vulnerability (CVE-2024-49039) 
 
The second vulnerability resided in the Windows Task Scheduler, with a CVSS score of 8.8. This flaw allowed the attackers to bypass the security sandbox of the browser, escalating privileges and providing them with full access to the victim's system. With this level of control, RomCom hackers were able to execute further malicious activities undetected. 

 
Targets and Techniques 

 
RomCom APT deployed fake websites posing as well-known platforms, including ConnectWise, Devolutions, and Correctiv, to lure victims. The group targeted high-value sectors such as **insurance**, pharmaceuticals, defense, energy, and government institutions, with the majority of victims located in North America and Europe, particularly in Germany, France, and the United States. 
 
RomCom is notorious for combining cybercrime with politically motivated espionage. This attack is part of a broader pattern targeting politically and economically sensitive sectors. Prompt responses from cybersecurity teams, including collaboration with security experts, helped prevent the attack from spreading widely, limiting its impact. 
 

Swift Vulnerability Patching 
 

Fortunately, both vulnerabilities were addressed promptly. Mozilla released a patch for the Firefox flaw on October 9, just 25 hours after it was notified. Similarly, Microsoft issued a patch for the Windows vulnerability on November 12. These swift responses underscore the importance of keeping systems updated, as timely patches are often the first line of defense against zero-day vulnerabilities. 

 
Cybersecurity Takeaways 

 
This attack serves as a stark reminder of the necessity for robust software maintenance and a proactive patch management strategy. Zero-day vulnerabilities are often exploited rapidly, making regular updates crucial for minimizing the risk of exploitation. While the RomCom attack was relatively short-lived, it underscores the evolving nature of cyber threats. Organizations and individuals alike must stay vigilant, prioritize timely software updates, and adopt comprehensive cybersecurity measures to protect against increasingly sophisticated attacks.   
 

Key Points for Cybersecurity Practitioners: 

  • Maintain Updated Software: Regular updates and patches are essential to protecting against zero-day vulnerabilities. 
  • Awareness of Emerging Threats: Understand and mitigate the risks associated with zero-click attacks and other advanced persistent threats. 
  • Strengthen Incident Response: Timely detection and rapid response are critical to minimizing the impact of cyberattacks.
Read more »
Windows
Check Point research CyberCrime Cyberhackers Cybersecurity Cyberthreats GodLoader Godot Game iOS Linux macOS malware Windows

Godot Game Engine Targeted in Widespread Malware Attack

 


A newly identified malware threat, GodLoader, is targeting gamers globally by exploiting the Godot game development engine, according to a report from Check Point Research. This sophisticated attack has already impacted more than 1.2 million users across various platforms. 

How GodLoader Works 

 
GodLoader infiltrates devices by leveraging Godot’s .pck files, which package game assets. These files can embed harmful scripts that execute malicious code upon launching a game, effectively bypassing traditional antivirus detection. The malware primarily targets: 

-Windows 
- macOS 
- Linux 
- Android 
- iOS 

Check Point Research reported that hackers have infected over 17,000 systems in just the past three months. By utilizing Godot’s GDScript (a Python-like scripting language), attackers distribute malware via more than 200 GitHub repositories, often masked as legitimate game assets. 

Exploitation of Open-Source Trust 


Eli Smadja, Security Research Group Manager at Check Point Software Technologies, highlighted the exploitation of open-source platforms:  

"Cybercriminals have turned the flexibility of the Godot Engine into a vulnerability, spreading cross-platform malware like GodLoader by capitalizing on the trust users place in open-source software." 

Infected computers are not only compromised but may also be converted into cryptocurrency mining rigs through XMRig, rendering them unusable for other tasks. 

Stargazers Ghost Network: Distribution-as-a-Service (DaaS) 


The attackers used the Stargazers Ghost Network to distribute GodLoader. This platform, active since 2022, employs over 3,000 ghost GitHub accounts to create networks of malicious repositories. These repositories: 

- Host info stealers like RedLine, Lumma Stealer, Rhadamanthys, and RisePro. 
- Manipulate GitHub’s trending section by starring, forking, and subscribing to their own repositories to appear legitimate. 

During a campaign between September and October 2024, Check Point discovered four separate attacks targeting developers and gamers. These attacks aimed to distribute infected tools and games, enticing users to download malware through seemingly credible GitHub repositories. 

Broader Implications and Future Risks 


The malware’s ability to target multiple platforms significantly enlarges the attack surface, posing a growing threat to the gaming community. Experts warn that attackers could embed malware into cheats, mods, or cracks for popular Godot-built games, increasing the vulnerability of millions of gamers. 

The Stargazers Ghost Network has already earned over $100,000 by distributing malware through its DaaS platform. With its continuous evolution, this network poses an ongoing threat to both developers and users of the Godot engine. 

Call to Action for Developers and Gamers 


Industry experts emphasize the urgent need for proactive cybersecurity measures to counter such threats. Recommendations include: 

- Avoid downloading game assets from unverified sources. 
- Regularly update antivirus and anti-malware software. 
- Implement robust security practices when developing or downloading games built with Godot. 

As the gaming ecosystem continues to expand, vigilance and collaboration between developers and security researchers will be critical in mitigating threats like GodLoader and ensuring a safer gaming environment.
Read more »
Winos4.0
China Hackers malware Windows Winos4.0

Growing Use of Winos4.0 Toolkit Poses New Threat to Windows Users

 



Advanced hacking toolkit Winos4.0 spreads across the globe, security experts warn. Originally reported by Trend Micro, this new toolkit-just like known kits Cobalt Strike and Sliver-was connected to a string of recent cyber attacks in China, having initially spread through fake software downloads. This year, Fortinet reported that the toolkit is also disseminated through game-themed files, which now tends to expand and might pose a risk to a larger user base.


Attack Framework

Winso4.0 is a post-exploitation toolkit: after successfully gaining initial access to a system, the attackers use it for further invasion and domination. First, it was discovered inside the applications downloaded by users who considered it software in their interest, including VPNs or Google Chrome downloads for the Chinese market. Under the aliases Void Arachne or Silver Fox, the attackers entice users with these very popular applications full of malicious components designed to compromise their systems.

New strategies involve attackers using game applications, via which they have broadcasted Winos4.0, again targeting Chinese users mainly. This way, hackers change and utilise attractive downloads to penetrate devices.


Infection Stages

When one of such benign-looking files is downloaded by a victim, the Winos4.0 toolkit initiates a four-phase infection:

1. Stage 1: After installation, a DLL file you.dll, was retrieved from a remote domain. This file installed persistence on the device by setting values in the Windows Registry such that the malware would persist after the system restarts:.

2. Stage 2: At this step, the injected shellcode is loaded to download necessary APIs and communicate with a C2 server, which enables hackers to send commands and retrieve files from the infected device.

3. Stage 3: It fetches more encoded data from the C2 server in a second DLL file named上线模块.dll which saves to the Windows Registry to be used later, apart from updating server addresses to maintain an active link between the malware and its operators.

4. Final Stage: The last stage (login module.dll) will activate all main functions of the toolkit, including detailed system data gathering (like IP address and type of OS), detection of security tools, searching for crypto-wallets, and keeping a hidden backdoor. Through this backdoor connection, hackers can exfiltrate data, execute commands, and sustain their activity monitoring.

 

Evasion Techniques

Winos4.0 already has an inbuilt scanner for the detection of security products, including commercial products by Kaspersky, Avast, Bitdefender, and Malwarebytes. It will then change its behaviour to avoid detection or even quit if the toolkit finds itself running in an environment that is under surveillance. This versatility makes the tool very dangerous when it gets into cybercriminals' hands.

 

Emerging Menace

The fact that the toolkit Winos4.0 is still being used and fine-tuned points towards the growing importance of this toolkit in cyberattack strategies. As explained by Fortinet, it is a versatile and powerful framework "designed for remote control of compromised systems." Ongoing activity like this indicates that Winos4.0 is becoming a tool hackers like to use to gain control over Windows machines.


Preventive Actions

Always ready for downloading is a constant warning from the security experts to users, especially when it comes to free softwares or games which seem popular.

Avoid downloading applications and other forms of files from unknown sources. Even verifying if the software or file is coming from a legitimate source may also save it from infection. Moreover, one's security software must be updated frequently.

Knowing the threats of Winos4.0 would prevent many users from this malicious software by making them aware of this sophisticated malware.


Read more »
Windows PC
Cyber Vulnerabilities CyberCrime Cybersecurity IP Address Kaspersky malware STeelFox Windows Windows PC

Windows PCs at Risk as SteelFox Malware Targets Driver Vulnerabilities

 


Several experts have warned that hackers are using malware to attack Windows systems with the intention of mining cryptocurrency and stealing sensitive information from their devices. The latest Kaspersky Security Report claims to have spotted tens of thousands of infected endpoints. Cybercriminals have obtained fake cracks and activators for several commercial software products, such as Foxit PDF Editor, JetBrains, or AutoCAD, which they are selling to users. 

There is a vulnerability in a driver called WinRing0.sys that is associated with some fake cracks. The victim of this attack has reintroduced the CVE-2020-14979 and the CVE-2021-41285 vulnerabilities back onto the system by adding this driver at the same time, two three-year-old vulnerabilities that extended the privileges of the attacker to the maximum possible. 

SteelFox is a malware package that has been designed to mine cryptocurrency and steal credit card details via SYSTEM privileges by taking advantage of the "bring your own vulnerable driver" attack method. In forums and torrent trackers, malware bundle droppers appear as crack tools. These tools act as crack tools that activate legitimate versions of various software, such as Foxit PDF Editor, JetBrains, and AutoCAD. 

To evade detection and evade detection, state-sponsored threat actors and ransomware groups are known to exploit vulnerable drivers to escalate privileges. As of late, however, this method seems to be extended to attack against information-stealing malware as well. According to Kaspersky researchers, the SteelFox campaign was discovered in August of this year, but they add that the malware has been active since February 2023 and has been distributed through various channels (such as torrents, blogs and forum posts) in the past few weeks. 

The Rhadamanthys data theft malware has been available for download for some time, but since July 2024 the virus' version has been updated with copyright-related themes in an ongoing phishing campaign. There is a large-scale cybercrime campaign being tracked by the checkpoint group under the name CopyRightAdamantys. In addition to targeting the U.S., Europe, East Asia, and South America, the organization targets other regions as well. 

The campaign tries to impersonate dozens of companies, while each email is sent from a different Gmail account, providing a tailored impersonation of the target company as well as a tailored language based on the targeted entity, according to a technical analysis provided by the company. In the case of impersonated companies, there is almost 70% of them from the entertainment/media/technology/software sector." 

There is an element that stands out about the attacks: the deployment of the Rhadamanthys stealer version 0.7, which, as described by Insikt Group, Recorded Future's security division, early last month, is utilized to carry out optical character recognition. Cisco Talos, an Israeli company that specializes in cyber security, disclosed last week that it had been targeting users of Facebook business and advertising accounts in Taiwan by delivering malware known as Lumma or Rhadamanthys, which is designed to steal information.

There are three components inside the RAR archive. A legitimate executable vulnerable to DLL side-loading, a malicious DLL containing the stealer payload, and a decoy document containing the stealer payload. After the binary has been executed, it will sideload the DLL file that will create the environment that will allow Rhadamanthys to be deployed. It is likely that the threat actors were using artificial intelligence tools to spread the malware, based on both the scale of the campaign and the variety of lures that were included in the campaign and the emails sent by the sender, which Check Point attributed to a possible cybercrime group. 

It seems likely that this campaign was orchestrated by a financially motivated cybercrime group and not a nation-state actor, particularly given the large number of organizations across multiple regions targeted in this campaign," he continued. In addition to its global reach, the use of automated phishing tactics, and the use of a variety of lures, this campaign demonstrates how attackers continue to enhance their success rates." 

As part of these findings, Kaspersky also revealed a full-featured crimeware bundle dubbed SteelFox, which has been spreading via forums posts, torrent trackers, and blogs, passing itself off as legitimate utilities like Foxit PDF Editor, JetBrains, and AutoCAD in order to steal personal information. In the last two years, the campaign of terrorism has claimed victims in nearly 50 countries. The majority of the victims were in Brazil, China, Russia, Mexico, the United Arab Emirates, Egypt, Algeria, Vietnam, India, and Sri Lanka, with many more in Brazil, China, Russia, and Mexico. 

At this point in time, there is no known threat actor or group associated with this attack. A security researcher, Kirill Korchemny, said: "Delivered via sophisticated execution chains, notably shellcode, this type of malware abuses both Windows services and drivers in an attempt to accomplish its objectives." As a result of it, he said that he used stealer malware to obtain details about the victim's device as well as his credit card information. 

A dropper program is the starting point of this setup, in the sense that it mimics cracked versions of popular software, so when it is run, the dropper application will request administrator permissions and drop a next-stage loader which, in turn, will establish persistence and launch the SteelFox module. It is Kaspersky's opinion that although SteelFox's C2 domain is hardcoded, it has managed to conceal its presence through the use of multiple IP addresses and using DNS over HTTPS to resolve its IP addresses in order to hide its presence. Although SteelFox attacks don't have specific targets, they seem to focus on users of AutoCAD, JetBrains, and Foxit's Adobe PDF Editor app. 

In accordance with Kaspersky's visibility information, Kaspersky indicates that the malware is compromising systems in Brazil, China, Russia, Mexico, the UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka among others. Researchers have identified a new and potent cyber threat: the SteelFox malware, a sophisticated crimeware bundle targeting Windows PCs through vulnerable drivers. This malware, still relatively new to the landscape, demonstrates advanced functionality and appears to be the product of a skilled C++ developer who has integrated multiple external libraries to enhance its capabilities. 

In a related development, analysts from FortiGuard Labs have reported the discovery of another malicious software framework named Winos4.0. This advanced framework, embedded in game-related applications, is engineered specifically to target Windows users. Originating as an evolved version of the Gh0strat malware, Winos4.0 enables attackers to remotely execute various actions, providing them with substantial control over compromised systems. The infection process for Winos4.0 is particularly deceptive. 

It spreads through game-related applications, such as installation utilities and performance enhancement tools, designed to appeal to gamers and other Windows users. Once an individual downloads and installs one of these compromised applications, a seemingly harmless BMP file is retrieved from a remote server. This file subsequently extracts and activates the Winos4.0 DLL file, initiating the malware’s operations. 

In its initial phase, Winos4.0 sets up an environment for deploying further modules and establishes persistence on the infected machine by modifying system registry keys or creating scheduled tasks. Through this multi-stage infection process, Winos4.0 builds a durable foothold on affected devices, opening avenues for continuous exploitation and control.
Read more »
Windows
Cyber Security JPCERT Logs Ransomware Windows

JPCERT Explains How to Identify Ransomware Attacks from Windows Event Logs

 




Japan Computer Emergency Response Team (JPCERT/CC) has published guidance on early identification of ransomware attacks in the system using Windows Event Logs. Probably by reviewing these logs, firms would identify some signs or clues of an existing ransomware attack and find themselves in a position to forestall this threat from spreading across the network.

JPCERT/CC stresses that the discovery of ransomware as early in the attack as possible is extremely important. Many ransomware variants leave apparent traces in Windows Event Logs, and that particular knowledge might be useful for cybersecurity teams to discover and finally stop attacks before they spread further. It's a strategy especially valuable in identifying the type of attack and tracing how ransomware might have entered the system.


Types of Event Logs to Monitor

The agency recommends checking four main types of Windows Event Logs, namely: Application, Security, System, and Setup logs. These types can carry some very important clues left by ransomware along with how it came into the environment and what systems are under attack.


Identifiable Ransomware Signatures in Event Logs

This JPCERT/CC report includes several specific log entries associated with certain ransomware families, which indicate that this was an active attack.

  • Conti Ransomware: This malware typically generates a broad set of logs associated with the Windows Restart Manager, observable through their event IDs 10000 and 10001. The variants such as Akira, Lockbit3.0, HelloKitty, and Bablock all generate almost identical logs because they share code from Lockbit and Conti.

Others, such as 8base and Elbie, also create similar patterns along with traces related to this malware.

  • Midas: This malware changes network configurations to spread across machines. It creates logs having an event ID of 7040.

  • BadRabbit- BadRabbit mostly creates logs with an event ID of 7045 when it instals the encryption modules, further suggesting an attack in progress.

  • Bisamware  Generates entries at both ends of Windows Installer transactions. The event IDs are 1040 and 1042.

Other older ransomware families, like Shade, GandCrab, and Vice Society, similarly display the same event patterns. They especially generate errors with event IDs 13 and 10016, linked to the failed access attempts to COM applications. The reason behind it is ransomware tries to remove Volume Shadow Copies so the victims won't be able to recover encrypted files.


Event Log Monitoring: Not a Silver Bullet But a Mighty Defence

Monitoring these specific Windows Event Logs can certainly prove extremely useful in identifying ransomware, though JPCERT/CC believes such should only be part of the total security strategy. This would truly be transformational were early detection to be combined with other control measures against spreading the attack.

Surprisingly, this method is much more potent for newer ransomware variants rather than those already in the wild, like WannaCry and Petya, which left very minor traces in Windows logs. As ransomware continues to progress, the patterns they leave behind in logs are becoming very obvious, and log monitoring will be more of a good ear for today's cybersecurity infrastructure.

In 2022, another well-known cybersecurity group also published a SANS ransomware detection guide from Windows Event Logs. Both sources point out how ransomware detection has evolved with time, helping organisations better prepare for such threats.


Read more »
Windows
Authentication CVE-2024-8260 Cyber Security NTLM OPA Patch relay Tenable Vulnerability Windows

Critical Flaw in Open Policy Agent Exposed NTLM Credentials, Patch Released

 

A now-resolved security vulnerability in Styra's Open Policy Agent (OPA) could have exposed New Technology LAN Manager (NTLM) hashes, potentially leading to credential leakage. If exploited, the flaw allowed attackers to capture the NTLM credentials of the OPA server’s local user account and send them to a remote server. From there, they could either crack the password or relay the authentication, according to a report by cybersecurity firm Tenable, shared with The Hacker News.

The vulnerability, identified as CVE-2024-8260 and classified as a Server Message Block (SMB) force-authentication flaw, affected both the Command Line Interface (CLI) and the Go software development kit (SDK) on Windows. The issue arose from improper input validation, enabling unauthorized access by leaking the Net-NTLMv2 hash of the logged-in user on the Windows device running OPA.

Exploiting this vulnerability required specific conditions: the victim had to initiate outbound SMB traffic over port 445, gain an initial foothold through social engineering, or run the OPA CLI using a Universal Naming Convention (UNC) path rather than a Rego rule file.

Tenable security researcher Shelly Raban explained that when a Windows machine accesses a remote share, it sends the NTLM hash of the local user to authenticate to the remote server. Attackers can capture these credentials to perform relay attacks or crack the password offline. Following the responsible disclosure in June 2024, the issue was patched in version 0.68.0, released on August 29, 2024.

Tenable emphasized the importance of securing open-source projects to avoid exposing vendors and users to potential threats. The disclosure of this vulnerability coincides with Akamai's revelation of a privilege escalation flaw (CVE-2024-43532) in Microsoft's Remote Registry Service, which also involved NTLM relay attacks.

Microsoft, in response to NTLM vulnerabilities, reiterated its commitment to replace NTLM with Kerberos in Windows 11 to enhance authentication security.
Read more »
Windows
Antivirus Memory Integrity Microsoft performance Protection Ransomware Security system Technology Virtualization Windows

How to Enhance Your Windows Security with Memory Integrity

 

Windows Security, the antivirus program built into Microsoft’s operating system, is generally sufficient for most users. It provides a decent level of protection against various threats, but a few important features, like Memory Integrity, remain turned off by default. This setting is crucial as it protects your system’s memory from malicious software that attempts to exploit Windows drivers, potentially taking control of your PC.

When you enable Memory Integrity, it activates Virtualization Based Security (VBS). This feature separates the code verification process from the operating system, creating a secure environment and adding an additional layer of protection. Essentially, VBS ensures that any code executed on your system is thoroughly checked, preventing malicious programs from sneaking through Windows’ defenses.

However, Microsoft disables Memory Integrity by default to maintain smoother app performance. Some applications may not function properly with this feature on, as the extra layer of security can interfere with the way certain programs execute code. For users who prioritize app performance over security, this trade-off may seem appealing.

But for those concerned about malicious attacks, enabling Memory Integrity is a smart choice. It prevents malware from bypassing the usual system checks, providing peace of mind when dealing with potential security threats. On older PCs, though, you might notice a slight reduction in performance once Memory Integrity is activated.

Curious to see how your system handles this extra protection? Enabling and disabling Memory Integrity is a simple process. First, type “Windows Security” into the search bar or Start menu. Under Device Security, you may see a notification if Memory Integrity is off. Click Core Isolation, then toggle Memory Integrity on. To deactivate it, return to the same settings and flip the switch off.

It’s not just Memory Integrity that comes disabled by default in Windows. Microsoft leaves certain protections off to strike a balance between security and user experience. Another useful feature you can enable is ransomware protection, which safeguards specific folders and prevents unauthorized apps from locking you out of your data. Similarly, you can turn on advanced app screening to block potentially harmful programs.

While leaving Memory Integrity and other protections off can offer a smoother computing experience, activating them significantly strengthens your system’s defenses against cyber threats. It’s a choice between performance and security, but for those prioritizing protection, flipping these settings on is an easy step towards a safer PC.
Read more »
Windows
Advanced Technology Microsoft Microsoft Copilot Security Feature Windows

Windows 11’s Recall feature is Now Ready For Release, Microsoft Claims

 

Microsoft has released an update regarding the Recall feature in Windows 11, which has been on hold for some time owing to security and privacy concerns. The document also details when Microsoft intends to move forward with the feature and roll it out to Copilot+ PCs. 

Microsoft said in a statement that the intention is to launch Recall on CoPilot+ laptops in November, with a number of protections in place to ensure that the feature is safe enough, as explained in a separate blog post. So, what are these measures supposed to appease the critics of Recall - a supercharged AI-powered search in Windows 11 that uses regular screenshots ('snapshots' as Microsoft calls them) of the activity on your PC - as it was originally intended? 

One of the most significant changes is that, as Microsoft had previously informed us, Recall will only be available with permission, rather than being enabled by default as it was when the function was first introduced. 

“During the set-up experience for Copilot+ PCs, users are given a clear option whether to opt-in to saving snapshots using Recall. If a user doesn’t proactively choose to turn it on, it will be off, and snapshots will not be taken or saved,” Microsoft noted. 

Additionally, as Microsoft has stated, snapshots and other Recall-related data would be fully permitted, and Windows Hello login will be required to access the service. In other words, you'll need to check in through Hello to prove that you're the one using Recall (not someone else on your PC). 

Furthermore, Recall will use a secure environment known as a Virtualization-based Security Enclave, or VBS Enclave, which is a fully secure virtual computer isolated from the Windows 11 system that can only be accessed by the user via a decryption key (given with the Windows Hello sign-in).

David Weston, who wrote Microsoft’s blog post and is VP of Enterprise and OS Security, explained to Windows Central: “All of the sensitive Recall processes, so screenshots, screenshot processing, vector database, are now in a VBS Enclave. We basically took Recall and put it in a virtual machine [VM], so even administrative users are not able to interact in that VM or run any code or see any data.”

Similarly, Microsoft cannot access your Recall data. And, as the software giant has already stated, all of this data is stored locally on your machine; none of it is sent to the cloud. This is why Recall is only available on Copilot+ PCs - it requires a strong NPU for acceleration and local processing to function properly. 

Finally, Microsoft addresses a previous issue about Recall storing images of, say, your online banking site and perhaps sensitive financial information - the tool now filters out things like passwords and credit card numbers.
Read more »
Subscribe to: Posts (Atom)