CISO Brief

All news with #endpoint security tag

69 articles · page 2 of 4

BlackSanta EDR-Killer Targets HR and Recruitment Teams

🔍 Aryaka Threat Research Lab has identified a campaign that distributes resume-like attachments to target HR and recruiting staff, deploying a component named BlackSanta that attempts to disable endpoint detection and response. The multi-stage infection chain performs system reconnaissance, sandbox and VM checks, and geographic and language filtering before downloading further payloads. Attackers appear Russian-speaking and leverage routine hiring workflows to increase success, while encrypted communications and data exfiltration help maintain persistence.

Can Security Platforms Finally Deliver for Mid-Market?

🔒 This contributed piece from Bitdefender explains how a unified security platform can help mid-market organizations meet enterprise-level expectations without enterprise budgets. The article promotes Bitdefender GravityZone and an upcoming webinar that shows how consolidating tools can simplify operations, reduce costs, and strengthen security posture. It targets IT directors, CISOs, and lean security teams seeking practical steps to demonstrate reduced risk and free up resources.

SMBs, threat research and MDR: building a defensive edge

🔍 ESET’s threat research team combines telemetry, incident investigation and curated intelligence to help SMBs understand attacker methods and improve detections. Through MDR the company layers human-led hunting and rapid, tailored responses on top of endpoint protection, giving organizations clearer visibility and faster containment. This practical blend of technology and expertise makes advanced defence accessible without the cost of an in-house SOC.

Fake Zoom Meeting Installs Covert Employee Surveillance

🔒 Malwarebytes researchers warn of a convincing fake Zoom meeting page that silently downloads and installs a covert build of Teramind on Windows endpoints. Victims see scripted participants and an “Update Available” countdown that triggers a silent download while a fake Microsoft Store screen displays a staged installation. Because the payload is a repackaged commercial monitoring tool, many defenses may not flag it, so prompt verification and training are essential.

Locking Down Endpoint Vulnerabilities Across Laptops and IoT

🔒 Attackers frequently exploit common endpoint weaknesses—exposed Remote Desktop Protocol (RDP), sophisticated phishing, abused Remote Monitoring and Management (RMM) tools, and unpatched software—to gain access and persist. The article shows how brute-force RDP, AI-enhanced phishing, and misconfigured RMMs enable lateral movement and stealthy persistence. Implement MFA, regular patching, EDR, RMM audits, and user training to reduce risk.

Securing the Agentic Endpoint: New Protection Needed

🔒 Traditional endpoint defenses miss a growing class of non-binary software — browser extensions, code packages, IDE plugins, local servers, containers and model artifacts — that employees and developers install without centralized oversight. AI agents amplify that blind spot by acting with user credentials, autonomously discovering, invoking and installing components at machine speed. Palo Alto Networks says it intends to acquire Koi to deliver Agentic Endpoint Security, focused on visibility, continuous risk analysis and real-time policy enforcement to remediate risky behaviors.

NCSC Urges SMEs to Use Cyber Essentials as Threats Rise

🔐 The NCSC's CEO Richard Horne has warned that small and medium-sized enterprises (SMEs) wrongly assume they are not attractive to cybercriminals and are failing to take basic protective measures. He stressed that attackers seek opportunity and weaknesses rather than high-profile brands, and urged businesses to adopt Cyber Essentials. The scheme focuses on five core controls — secure configuration, user access control, malware protection, security update management and firewalls — to reduce the risk of common attacks. Horne warned that leaving these protections undone is comparable to operating without physical security or insurance and called on SMEs to act immediately as the NCSC reports rising incidents and risks to critical infrastructure.

Cyber Threats to the Defense Industrial Base & Supply Chain

🛡️ Google Threat Intelligence Group (GTIG) details persistent, multi-vector cyber threats to the defense industrial base. State-sponsored and hacktivist actors target UAVs and battlefield systems, exploit personnel and hiring processes, and increasingly compromise edge devices and appliances to bypass EDR. The report documents campaigns against messaging apps, Android and Windows malware, and recruitment-themed lures. It also highlights ransomware and supply‑chain risks that can disrupt production and surge capacity.

EDR, Email and SASE Miss an Entire Class of Browser Attacks

🔍 Most enterprise work now takes place in the browser, yet security architectures still center on endpoints, email, and network layers. Keep Aware calls this mismatch a "safe haven" that attackers exploit with user-driven flows that leave little forensic evidence. Common techniques include click‑prompt social engineering, malicious extensions, man‑in‑the‑browser variants, and HTML smuggling — all of which can appear legitimate to EDR, email security, or SASE. Without browser-level visibility, teams struggle to prevent, reconstruct, or learn from these incidents.

Attackers Use Decade-Old Windows Driver to Disable EDR

🛡️ Huntress reported attackers used a decade-old, signed EnCase kernel driver during an early 2026 intrusion to disable EDRs via a Bring Your Own Vulnerable Driver (BYOVD) technique. The incident began after compromised SonicWall SSL VPN credentials and involved a custom “EDR killer” that decoded and installed a kernel driver (OemHwUpd.sys) to terminate protected processes from kernel mode. Because the driver was timestamped while its certificate was valid, Windows still accepts its signature, allowing attackers to load the driver and repeatedly kill security tooling. Huntress recommends enabling Microsoft’s Vulnerable Driver Blocklist, enforcing MFA on VPNs, and enabling HVCI.

Fortinet Named Gartner Insights Customers' Choice for EPP

🛡️ Fortinet has been named a 2026 Gartner Peer Insights Customers’ Choice for Endpoint Protection Platforms, marking its fourth consecutive year receiving the distinction. The recognition is based on verified end‑user reviews through November 2025, yielding a 4.8/5 overall rating and a 98% willingness to recommend from 168 ratings. Fortinet highlights its unified FortiEndpoint agent — combining FortiEDR and FortiClient — to deliver EPP, EDR, ZTNA, vulnerability management, centralized management, and simplified operations with minimal performance impact.

CrowdStrike Named Customers' Choice in 2026 Gartner EPP

🔒 CrowdStrike has been named a Customers’ Choice in the 2026 Gartner Peer Insights Voice of the Customer for Endpoint Protection Platforms report. The Falcon platform earned the most 5‑star ratings (592) and a 97% Willingness to Recommend score from roughly 800 responses, reflecting strong product capabilities and deployment experience. CrowdStrike credits its AI‑native architecture and recent innovations—APEX, remote ransomware prevention, automated leads, Malware Analysis Agent, and Charlotte Agentic SOAR—for improving detection, reducing false positives, and automating response workflows.

Android Theft Protection Updates: Smarter, Stronger

🔒 The Android Security Team announced a set of theft protection updates designed to make devices harder targets for criminals. Available on devices running Android 16+ (with the recovery tools on Android 10+), the changes add a dedicated toggle for Failed Authentication Lock, expand Identity Check coverage to all apps using the Biometric Prompt, and increase lockout times while preventing identical repeated guesses from counting toward retries. Remote Lock gains an optional security challenge, and new devices activated in Brazil will ship with Theft Detection Lock and Remote Lock enabled by default.

WhatsApp Introduces Strict Account Settings for Security

🔒 Meta announced a new Strict Account Settings mode on WhatsApp to protect high-risk users such as journalists and public figures by locking accounts to their most restrictive options. The mode, available under Settings > Privacy > Advanced, blocks attachments and media from unknown senders, silences unknown callers, and restricts additional features to reduce attack surface. Meta said the controls will roll out gradually over the coming weeks. The company also highlighted a global rollout of a Rust-based media library, wamedia, and other memory-safety hardening efforts to guard against spyware and memory corruption.

USB Drives Threaten Enterprise Security: Risks & Controls

🔒 Removable media remains a persistent enterprise risk, enabling both data exfiltration and device-borne intrusion whenever USB drives connect to endpoints. The article highlights evolving threats — including MUSTANG PANDA’s USBFect campaigns (2023–2025) and late-2025 coinminer infections — and high-profile insider exfiltration cases. CrowdStrike recommends a dual approach using Falcon Data Protection to stop sensitive data from leaving endpoints and Falcon Device Control to block or restrict untrusted devices, both delivered via the single Falcon sensor to simplify deployment and reduce operational overhead.

Airlock Digital Forrester TEI Finds 224% ROI and $3.8M NPV

🔒 The Forrester Consulting Total Economic Impact (TEI) study commissioned by Airlock Digital reports a 224% ROI and a $3.8 million net present value over three years for organizations that adopt Airlock’s allowlisting approach. The analysis cites a >25% reduction in overall breach risk and notes zero breaches among interviewed customers after deployment. It also highlights operational efficiency gains — policy management requiring roughly 2.5 hours per week — and reduced administrative overhead thanks to Airlock’s modern, operationally friendly implementation of allowlisting.

Comparing Secure Enterprise Browsers: Choosing Wisely

🔒 Web browsers remain a primary enterprise attack surface, and the market for secure browsers is maturing as vendors and hyperscalers fold browser isolation into broader security platforms. The article summarizes evaluation criteria — from MFA, isolation and DLP to extension control, logging and anonymous surfing — and highlights recent consolidation and vendor offerings. It emphasizes integration, support and cost tradeoffs when choosing a deployment mode.

AppGuard Warns Against AI Hype; Expands Insider Beta

🔒 AppGuard critiques heavy reliance on AI-enhanced detection and promotes a controls-first, default-deny approach to shrink the endpoint attack surface. CEO Fatih Comlekoglu argues that AI-driven detection cannot "parse infinity," leaving defenders overwhelmed by alerts as organizations limit data ingestion. AppGuard positions its controls-based agent as requiring 10–100× fewer policy rules while auto-adapting to endpoint changes and malware techniques. The company has reopened an Insider Release for MSSPs and experienced operators to test its reengineered lightweight agent and cloud console.

Endpoint Breaches: Up to Two Weeks to Recover, Study

🔒 Endpoint disruption following serious breaches can take up to two weeks to remediate, and most US and UK organizations report recovery costs in the millions. In a survey of 750 CISOs compiled for an e-book, Absolute Security found 55% had experienced incidents that disabled mobile, remote or hybrid endpoints in the past 12 months. A majority (57%) required 3–6 days for full endpoint remediation, while 19% needed 7–14 days. The report places the average cost per incident at $2.5m, with 98% of respondents spending between $1m and $5m on recovery.

The State of Cybersecurity in 2025: Segments and Innovations

🔐 Cybersecurity in 2025 is framed as an architectural challenge rather than a set of isolated controls. This contributed report surveys shifts across authentication, endpoint and network security, software supply chains, SaaS data governance, AI-driven defenses, and human risk. It highlights hardware‑backed authentication, passkeys, binary-level verification, and network telemetry as pivotal controls. Vendors stress speed, visibility, and provable trust as the operational priorities.