CyberSecurity news

FlagThis - #edr

CyberNewswire@hackread.com //

EDR and AV Solutions Miss Two-Thirds of Malware Infections

SpyCloud has released new research indicating a significant gap in the effectiveness of endpoint detection and response (EDR) and antivirus (AV) solutions. According to their analysis of recaptured darknet data, a staggering 66% of malware infections occur on devices that already have endpoint security solutions installed. This highlights the increasing ability of threat actors to bypass traditional security measures.

The report emphasizes that modern infostealer malware employs sophisticated tactics to evade detection, even by EDR solutions with advanced AI and telemetry analysis. These tactics include polymorphic malware, memory-only execution, and exploiting zero-day vulnerabilities or outdated software. Data from 2024 showed that nearly one in two corporate users were victims of malware infections, and in the prior year, malware was the cause of 61% of all breaches.

Damon Fleury, Chief Product Officer at SpyCloud, stated that the consequences of undetected malware infections can be "catastrophic." He emphasized the ongoing "arms race" where attackers constantly evolve their techniques to avoid detection. SpyCloud aims to provide a crucial line of defense by uncovering infostealer infections that slip past EDR and AV solutions, detecting when stolen data surfaces in the criminal underground, and automatically feeding this intelligence back to EDRs to facilitate quarantine and remediation.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Cyber Security News: SpyCloud Research Shows that EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • hackread.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • The Last Watchdog: News alert: SpyCloud study shows gaps in EDR, antivirus — 66% of malware infections missed
  • gbhackers.com: EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections – SpyCloud Research
  • www.csoonline.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • securityboulevard.com: SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections
  • www.lastwatchdog.com: SpyCloud study shows gaps in EDR, antivirus — 66% of malware infections missed
  • cybersecuritynews.com: SpyCloud Research Shows that EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • gbhackers.com: EDR & Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections – SpyCloud Research
  • securityboulevard.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
  • hackernoon.com: SpyCloud Research Reveals Endpoint Detection And Antivirus Solutions Miss 66% Of Malware Infections
  • securityaffairs.com: SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections
Classification:
Aman Mishra@gbhackers.com //

RansomHub Affiliates Share EDR Killer with Other Groups

ESET researchers have uncovered connections between RansomHub affiliates and other ransomware groups, including Medusa, BianLian, and Play. This link is established through the shared use of EDRKillShifter, a custom tool designed to disable endpoint detection and response (EDR) software on compromised systems. EDRKillShifter utilizes a "Bring Your Own Vulnerable Driver" (BYOVD) tactic, leveraging a legitimate but vulnerable driver to terminate security solutions, ensuring the smooth execution of ransomware encryptors without detection.

This sharing of tools highlights an evolving trend in the ransomware landscape, where groups collaborate and repurpose tooling from rivals. ESET's analysis reveals that even closed ransomware-as-a-service (RaaS) operations like Play and BianLian, known for their consistent use of core tools, have members utilizing EDRKillShifter in their attacks. RansomHub, a relatively new player, quickly rose to prominence in the ransomware scene after emerging in February 2024, dominating the landscape by recruiting affiliates from disrupted groups such as LockBit and BlackCat. The tool, custom-developed by RansomHub, is offered to its affiliates as part of its RaaS program.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • DataBreaches.Net: The RansomHub ransomware-as-a-service (RaaS) operation affiliates were linked to established gangs Medusa, BianLian, and Play, which share the use of RansomHub’s custom-developed EDRKillShifter.
  • The Hacker News: Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks
  • hackread.com: Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.
  • gbhackers.com: New Research Links RansomHub’s EDRKillShifter to Established Ransomware Gangs
  • Cyber Security News: New Research Reveals RansomHub’s EDRKillShifter Connected to Major Ransomware Gangs
  • www.cybersecuritydive.com: Custom tool developed by RansomHub, dubbed “EDRKillShifter,â€� is used by several other rival ransomware gangs.
Classification:

Posts

Blogs

Research Tools