EDR | Breaking Cybersecurity News | The Hacker News

The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting continued effort by the threat actors to increase the sophistication and effectiveness of their malware. This includes updated versions of a known backdoor called TONESHELL , as well as a new lateral movement tool dubbed StarProxy, two keyloggers codenamed PAKLOG, CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver referred to as SplatCloak . "TONESHELL, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers," Zscaler ThreatLabz researcher Sudeep Singh said in a two-part analysis . Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, is a China-aligned state-sponsored threat ...

A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa , BianLian , and Play . The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter , was first documented as used by RansomHub actors in August 2024. EDRKillShifter accomplishes its goals by means of a known tactic called Bring Your Own Vulnerable Driver (BYOVD) that involves using a legitimate but vulnerable driver to terminate security solutions protecting the endpoints. The idea behind using such tools is to ensure the smooth execution of the ransomware encryptor without it being flagged by security solutions. "During an intrusion, the goal of the affiliate is to obtain admin or domain admin privileges," ESET researchers Jakub Souček and Jan Holman said in a report shared with The Hacker News. "...

The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver ( BYOVD ) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt. "This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report. The driver in question, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked ce...

Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver ( BYOVD ) to disarm security protections and ultimately gain access to the infected system. "This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda," Trellix security researcher Trishaan Kalra said in an analysis published last week. "The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system." The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions. Once the driver is up and running, the malware gains kernel-level access to the system, allowing it...

A cybercrime group with links to the RansomHub ransomware has been observed using a new tool designed to terminate endpoint detection and response (EDR) software on compromised hosts, joining the likes of other similar programs like AuKill (aka AvNeutralizer) and Terminator . The EDR-killing utility has been dubbed EDRKillShifter by cybersecurity company Sophos, which discovered the tool in connection with a failed ransomware attack in May 2024. "The EDRKillShifter tool is a 'loader' executable – a delivery mechanism for a legitimate driver that is vulnerable to abuse (also known as a 'bring your own vulnerable driver,' or BYOVD , tool)," security researcher Andreas Klopsch said . "Depending on the threat actor's requirements, it can deliver a variety of different driver payloads." RansomHub , a suspected rebrand of the Knight ransomware, surfaced in February 2024, leveraging known security flaws to obtain initial access and drop legitimate rem...

Here's How to Enhance Your Cyber Resilience with CVSS In late 2023, the Common Vulnerability Scoring System (CVSS) v4.0 was unveiled, succeeding the eight-year-old CVSS v3.0, with the aim to enhance vulnerability assessment for both industry and the public. This latest version introduces additional metrics like safety and automation to address criticism of lacking granularity while presenting a revised scoring system for a more comprehensive evaluation. It further emphasizes the importance of considering environmental and threat metrics alongside the base score to assess vulnerabilities accurately. Why Does It Matter? The primary purpose of the CVSS is to evaluate the risk associated with a vulnerability. Some vulnerabilities, particularly those found in network products, present a clear and significant risk as unauthenticated attackers can easily exploit them to gain remote control over affected systems. These vulnerabilities have frequently been exploited over the years, ...

Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why  attacks increased dramatically in the past year  yet again, despite the estimated $172 billion spent on global cybersecurity in 2022. Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly than organizations can update their protections.  Relying on malware signatures and blocklists against these rapidly changing attacks has become futile. As a result, the SOC toolkit now largely revolves around threat detection and investigation. If an attacker can bypass your initial blocks, you expect your tools to pick them up at some point in the attack chain. Every organization's digital architecture is now seeded with security controls that log anything potentially malicious. Security analysts pore through these logs and determine what to investigate further. Does this wor...