< ciso brief />

All news with #endpoint security tag

69 articles

CypherLoc scareware locks browsers, targets users globally

🔒 Security researchers warn of a new scareware strain, CypherLoc, used in around 2.8 million attacks since early 2026. The campaign starts with phishing that directs victims to a malicious page whose payload activates only when specific URL fragments are present and cryptographic checks pass, which keeps it inert under casual inspection. Once triggered, the code forces a full-screen browser lockdown, disables controls, and displays fake security warnings and a fraudulent support number, with operators posing as Microsoft support. Barracuda urges anti-phishing, browser and endpoint protections and user education to mitigate the threat.

25M Alert Analysis: Low-Severity Leads to Missed Breaches

🔍 In a sweeping analysis of 25 million enterprise security alerts, researchers found that nearly 1% of confirmed incidents began as low‑severity or informational alerts, rising to about 2% on endpoints. The dataset included 10 million monitored endpoints, 82,000 forensic endpoint investigations with live memory scans, and 180 million files analyzed. The report finds that EDR remediation frequently marks systems as 'mitigated' even when memory forensics reveals active malware, and it documents evolving phishing and cloud persistence tactics that evade legacy triage models built on severity alone.

Microsoft Agent 365 Now GA: Expanded Agent Controls

🔒 Microsoft announces Agent 365 is generally available, offering a unified control plane to observe, govern, and secure AI agents across endpoints, cloud, and SaaS. The release adds discovery of local and cloud agents (including OpenClaw, GitHub Copilot CLI, and Claude Code) and integrates with Intune and Defender for inventory, policy controls, runtime blocking, and alerting. Agent 365 also introduces Windows 365 for Agents, partner integrations, and licensing via Microsoft 365 E7 or standalone at USD 15 per user per month.

Microsoft lets admins pick preinstalled Store apps to remove

🛠️ Microsoft expanded its in-box app removal policy for Windows 11 to add a dynamic list that allows IT admins to specify which preinstalled Microsoft Store apps to uninstall by Package Family Name (PFN). The RemoveDefaultMicrosoftStorePackages policy can be applied via Group Policy or a custom OMA-URI for MDM and requires the April 2026 non-security update (Insiders can get it with the March 13, 2026 Dev/Beta builds). Intune support for the dynamic list will arrive in the coming months.

One in Four Healthcare Organizations Hit by Device Attacks

🏥 A new RunSafe Security index found that 24% of healthcare organizations experienced cyber-attacks affecting medical devices in the past year, with 80% of those incidents causing moderate or significant patient impact, from delayed imaging to interruptions in critical care. The survey of 551 professionals across the US, UK and Germany shows growing integration of security into procurement—82% deploying runtime exploit protection and 84% including cyber requirements in vendor RFPs—yet legacy devices remain a major exposure.

Endpoint Detection and Response: A Practical Buyer's Guide

🔒 This buyer's guide explains what Endpoint Detection and Response (EDR) is, which core capabilities to expect, and which vendors and solutions are recommended. It highlights EDR features such as real-time behavioral telemetry, deep investigation tools, centralized analytics, and integrations with SIEM, SOAR, firewalls and other security controls. Vendor profiles include CrowdStrike, Microsoft, Palo Alto, SentinelOne, Sophos and Trend Micro, and four practical questions to ask vendors before purchasing are provided.

Microsoft Trials File Explorer Speed and Performance Boosts

⚡ Microsoft is rolling out a set of File Explorer enhancements to Windows 11 Insiders that aim to improve launch speed and overall performance. While implementation details are limited, the company earlier tested optional background preloading to accelerate startup times and offers a toggle to disable that behavior. The update also improves reliability when stopping explorer.exe after its windows are closed and expands fixes for bright white flashes in dark mode. A new full-screen Xbox mode is available as well; the changes are arriving for Release Preview Insiders on Builds 26100.8313 and 26200.8313 (KB5083631).

Signed Adware Used to Deploy Antivirus-Killing Scripts

🔒 Huntress researchers uncovered a digitally signed adware campaign that deployed SYSTEM‑privilege payloads to disable antivirus protections on thousands of endpoints. The binaries, signed by Dragon Boss Solutions LLC and bundled in browser-like PUPs such as Chromstera and WorldWideWeb, used an Advanced Installer MSI to drop a PowerShell script, ClockRemoval.ps1, which stops services, uninstalls AVs, edits the hosts file and persists via WMI and scheduled tasks. After registering the operator’s unclaimed update domain, Huntress sinkholed infrastructure and observed over 23,500 infected hosts checking in across 124 countries, including hundreds in high-value networks. Administrators are urged to search for specific WMI subscriptions, scheduled tasks, blocked vendor domains in hosts, and processes signed by the publisher.

Signed Adware Operation Disables Antivirus on 23,000 Hosts

⚠️ Huntress has identified a signed adware operation linked to Dragon Boss Solutions LLC that has disabled antivirus products on approximately 23,565 endpoints worldwide. The campaign leverages a legitimate code‑signing certificate and an MSI update mechanism to deploy a PowerShell payload, ClockRemoval.ps1, which systematically kills, uninstalls and blocks reinstallation of AVs. Targets include Malwarebytes, Kaspersky, McAfee and ESET, and persistence is maintained via scheduled tasks and WMI event subscriptions. Researchers sinkholed an unregistered update domain and observed infections across 124 countries, including universities, utilities and government networks.

Surge in Brute-Force Attacks Targeting VPN Devices

🔒 Security researchers have observed a sharp rise in brute-force attempts aimed at edge devices, notably SonicWall and Fortinet appliances, with 88% of observed traffic traced to the Middle East. Barracuda reports most attempts failed, often blocked or directed at invalid usernames. The activity peaked between February and March and accounted for 56% of confirmed incidents targeting perimeter devices. Analysts warn these probes increase the risk posed by weak credentials or misconfigurations and urge stronger controls.

Amazon WorkSpaces Advisor: AI Troubleshooting for VDI

🔍 Amazon WorkSpaces Advisor is an AI-powered troubleshooting assistant for Amazon WorkSpaces Personal. It analyzes WorkSpace configurations, identifies problems, and provides actionable recommendations to restore service and optimize performance. Administrators can use its generative AI insights to streamline investigations, reduce downtime, and proactively maintain virtual desktop infrastructure. The feature is now available in all AWS commercial regions via the WorkSpaces console.

Hardening Security Consoles: Kaspersky's Linux 16.1

🔒 Kaspersky highlights that security management consoles themselves expand an organization’s attack surface and therefore must be hardened. Kaspersky Security Center Linux 16.1 adopts a secure-by-default model by enabling two-factor authentication for all console access and removing the global option to disable it. Administrators are required to ensure 2FA is configured for users who access the Web Console or use OpenAPI automation before upgrading. Kaspersky also publishes a structured hardening checklist to audit roles and privileges, restrict network access, strengthen encryption, protect APIs, and ensure comprehensive logging and auditing.

Five Critical Steps to Strengthen Endpoint Security

🔒 Business resilience begins at the endpoint. Drawing on N-able SOC data, the article highlights that over 900,000 alerts were processed between March and December 2025 and that 18% originated from network and perimeter exploits—threats many endpoint-only tools missed. It prescribes continuous asset visibility, standardized secure configurations, automated patching and remediation, EDR for behavioral detection and response, and integrated backup and recovery to minimize downtime.

Apple's Camera Indicator Lights: Design and Security

🔒 Apple's camera indicator combines hardware and system design so that users are alerted whenever the camera is active. A dedicated LED is inherently more tamper-resistant than an on-screen widget, which software could overlay or spoof; Apple addresses those concerns with integrated hardware–software controls and system-level protections around the indicator. The result is a notification mechanism that substantially reduces the risk of unnoticed camera use.

HP launches TPM Guard to block physical TPM attacks

🔒 HP announced TPM Guard, a hardware-plus-firmware solution introduced at its Imagine event, which creates an authenticated, encrypted tunnel between the TPM and the CPU to protect keys in transit. The design cryptographically binds the TPM to the host processor so the chip stops functioning if removed. HP says the feature thwarts low-cost physical attacks that can intercept TPM communications and will be available via firmware update on selected G2 commercial PCs starting in July, with broader integration in future models.

Endpoint Security Fails on One in Five Enterprise Devices

🛡️ Research by Absolute Security finds that endpoint security software fails to protect one in five enterprise devices, the equivalent of 76 days per year of increased exposure to attackers. The 2026 Resilience Risk Index, published March 23, ties this gap to patch delays and rising endpoint complexity, with 24% of vulnerability platforms out of compliance. The report urges stronger enforcement of patch and update policies to reduce downtime and remediation costs.

54 EDR Killers Use BYOVD to Exploit 34 Signed Drivers

🔒 A new ESET analysis identified 54 EDR-killer tools that leverage BYOVD, abusing 34 signed vulnerable drivers to gain kernel-mode privileges and neutralize endpoint protection. These utilities are frequently reused in ransomware operations to disable defenses prior to encryption, decoupling evasion from the encryptor. ESET recommends blocking misused drivers and adopting layered detection to mitigate the threat.

EDR killers explained: Beyond vulnerable drivers and tactics

🔒 ESET's research examines the prevalence and mechanics of EDR killers—separate tools attackers deploy to neutralize endpoint protection immediately before executing encryptors. Based on telemetry and incident analysis of nearly 90 active samples, the blog post covers BYOVD, anti-rootkit abuse, driverless disruption, commercialization of kits, and indicators suggestive of AI-assisted development. The authors highlight predictable affiliate-driven tooling choices and warn that attribution based on which driver was abused is often misleading; they recommend prevention-focused, multilayered defenses and rapid containment.

CISA Urges Hardening of Endpoint Management Systems

🔒 CISA warns of malicious activity targeting endpoint management systems following the March 11, 2026 attack against Stryker Corporation that affected its Microsoft environment. The agency urges organizations to harden endpoint management configurations and adopt Microsoft’s newly released best practices for securing Microsoft Intune, while applying those principles to other endpoint management tools. Key recommended controls include RBAC-based least-privilege administrative roles, phishing-resistant MFA and privileged access hygiene using Microsoft Entra ID, and configuring Multi Admin Approval policies for high-impact actions such as device wipes, application and script changes, and RBAC modifications.

Zombie ZIP attack evades AV and EDR by header abuse

🧟 Researchers disclosed a technique called 'Zombie ZIP' that manipulates ZIP headers so that DEFLATE-compressed payloads are labelled as uncompressed; scanners that trust the label inspect the compressed bytes as if they were the file's contents and never inflate them, producing widespread false negatives in antivirus and EDR tools. The author, Chris Aziz of Bombadil Systems, published proof-of-concept archives showing that scanners trust the ZIP Method field rather than validating the entry against its CRC and sizes. CERT/CC assigned CVE-2026-0866 and recommends stricter archive validation; end users should delete archives that raise 'unsupported method' or extraction errors.
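The inconsistency the summary describes is checkable without trusting the Method field at all. The following Python script is an added example, not the published proof-of-concept and not a reproduction of it: it parses the ZIP central directory and local headers itself, shows what a scanner that trusts the Method field would examine, and cross-checks each entry's CRC-32 and sizes so that a false Method value is caught. The forged archive is constructed inside the script (a standard-library DEFLATE archive whose Method fields are flipped to STORED), which is a simplified stand-in for the header manipulation rather than the exact published variant.

```python
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass

# Fixed-size header layouts from the ZIP APPNOTE (all little-endian).
LOCAL_HDR = "<4sHHHHHIIIHH"          # 30 bytes: sig, ver, flags, method, time, date, crc, csize, usize, nlen, elen
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # 46 bytes: method at index 4, crc/csize/usize at 7-9, local offset at 16
EOCD_HDR = "<4sHHHHIIH"              # 22 bytes: sig, disk, cd disk, n_disk, n_total, cd_size, cd_off, comment len
STORED, DEFLATED = 0, 8


@dataclass
class Entry:
    name: str
    method: int   # Method field as recorded in the central directory
    crc: int
    csize: int
    usize: int
    lh_off: int   # offset of the local file header
    cd_off: int   # offset of this central directory record


def parse_central_directory(data: bytes) -> list[Entry]:
    """Walk the central directory (the archive's index) and return one Entry per member."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_total, _, cd_start, _ = struct.unpack(EOCD_HDR, data[eocd:eocd + 22])
    entries, pos = [], cd_start
    for _ in range(n_total):
        f = struct.unpack(CENTRAL_HDR, data[pos:pos + 46])
        if f[0] != b"PK\x01\x02":
            raise ValueError("bad central directory signature")
        nlen, elen, clen = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(Entry(name, f[4], f[7], f[8], f[9], f[16], pos))
        pos += 46 + nlen + elen + clen
    return entries


def local_method(data: bytes, e: Entry) -> int:
    """Method field of the local file header (offset 8); it must agree with the central directory."""
    return struct.unpack_from("<H", data, e.lh_off + 8)[0]


def entry_payload(data: bytes, e: Entry) -> bytes:
    """The bytes stored for an entry, located through its local header (skipping name and extra field)."""
    f = struct.unpack(LOCAL_HDR, data[e.lh_off:e.lh_off + 30])
    if f[0] != b"PK\x03\x04":
        raise ValueError("bad local header signature")
    start = e.lh_off + 30 + f[9] + f[10]
    return data[start:start + e.csize]


def naive_view(data: bytes, e: Entry) -> bytes:
    """What a scanner that trusts the Method field examines: raw bytes if STORED, inflated data if DEFLATED."""
    raw = entry_payload(data, e)
    return raw if e.method == STORED else zlib.decompress(raw, -15)


def audit_entry(data: bytes, e: Entry) -> list[str]:
    """Cross-check headers against bytes; any finding means the archive must not be trusted as labelled."""
    findings, raw = [], entry_payload(data, e)
    if local_method(data, e) != e.method:
        findings.append("Method differs between local header and central directory")
    if e.method == STORED:
        if e.csize != e.usize:
            findings.append("STORED entry whose compressed and uncompressed sizes differ")
        if zlib.crc32(raw) != e.crc:
            findings.append("CRC-32 of the stored bytes does not match the header")
            try:
                if zlib.crc32(zlib.decompress(raw, -15)) == e.crc:
                    findings.append("raw bytes inflate to data matching the CRC: Method field is false")
            except zlib.error:
                pass
    elif e.method == DEFLATED:
        try:
            if zlib.crc32(zlib.decompress(raw, -15)) != e.crc:
                findings.append("inflated data does not match the CRC")
        except zlib.error:
            findings.append("DEFLATED entry does not inflate")
    else:
        findings.append(f"unsupported method {e.method}")
    return findings


def strict_view(data: bytes, e: Entry) -> bytes:
    """Content a hardened scanner should examine: only the interpretation the CRC actually validates."""
    raw = entry_payload(data, e)
    if e.method == STORED and zlib.crc32(raw) == e.crc:
        return raw
    try:
        inflated = zlib.decompress(raw, -15)
    except zlib.error as exc:
        raise ValueError(f"{e.name}: cannot validate entry, treat as hostile") from exc
    if zlib.crc32(inflated) != e.crc:
        raise ValueError(f"{e.name}: cannot validate entry, treat as hostile")
    return inflated


def build_sample_archive(name: str, payload: bytes) -> bytes:
    """Constructed sample: an ordinary DEFLATE archive written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def forge_stored_method(data: bytes) -> bytes:
    """Constructed sample: flip every Method field from DEFLATED to STORED (local header offset 8,
    central directory offset 10), leaving the compressed bytes, sizes and CRC untouched."""
    buf = bytearray(data)
    for e in parse_central_directory(data):
        struct.pack_into("<H", buf, e.lh_off + 8, STORED)
        struct.pack_into("<H", buf, e.cd_off + 10, STORED)
    return bytes(buf)


if __name__ == "__main__":
    good = build_sample_archive("report.txt", b"EVIL-MARKER " * 64)   # constructed content
    bad = forge_stored_method(good)
    e = parse_central_directory(bad)[0]
    print("marker seen by naive scanner:", b"EVIL-MARKER" in naive_view(bad, e))
    print("marker seen by strict scanner:", b"EVIL-MARKER" in strict_view(bad, e))
    for finding in audit_entry(bad, e):
        print("finding:", finding)
```

The design point is that the CRC-32 and size fields give the scanner a way to test the Method field instead of believing it: a STORED entry whose raw bytes do not hash to the recorded CRC is either corrupt or lying, and either way the safe outcome is to inflate-and-verify or to quarantine, never to scan the raw bytes and report clean.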