U.S. prosecutors in recent days won an extradition case to bring a suspected cybercriminal from Spain to the United States and may be able to get another suspect shipped from the UK to face charges in an unrelated hacking case.
Artem Stryzhak, a Ukrainian citizen arrested in Spain last year for launching a series of ransomware attacks against organizations in the United States, Canada, and Australia that cost victims millions of dollars in ransom payments and damage to their systems, was extradited from Spain earlier this month to face a range of crimes, according to the U.S. Justice Department.
Stryzhak is accused of using the Nefilim ransomware in the attacks, striking a deal in 2021 with administrators of the ransomware-as-a-service (RaaS) operations to use its malware in return for 20% of what he collected through ransom payments.
“He operated the ransomware through his account on the online Nefilim platform, known as the ‘panel,’” the DOJ wrote in announcing his extradition from Spain. “When he first obtained access to the panel, Stryzhak asked a co‑conspirator whether he should choose a different username from the one he used in other criminal activities in case the panel ‘gets hacked into by the feds.’”
Big Targets
Stryzhak and his unnamed co-conspirators targeted organizations that had more than $100 million in annual revenue, using online databases to get data about their targets like net worth, size, and contact information. In July 2021, a Nefilim administrator was encouraged to go bigger and attack companies with more than $200 million in yearly revenue, prosecutors said.
In keeping with Nefilim tactics, he would run double-extortion campaigns, not only encrypting victims’ data but also exfiltrating it and threatening to publicly expose the data on public leak sites if a ransom wasn’t paid.
In the partially redacted indictment against Stryzhak, prosecutors wrote that affiliates using the Nefilim ransomware “typically customized the ransomware executable file … for each ransomware victim. The customization allowed the ransomware actors to create a decryption key that could only decrypt the network of the specific victim against which the ransomware was deployed and allowed ransomware actors to create customized ransom notes.”
A Range of Victims
Victims who paid the ransom usually got a decryption key in return to restore their data, prosecutors wrote. Those victims included companies in such industries as engineering, aviation, chemicals, construction, and oil and gas. There was also an international eyewear firm and a pet care organization that were targeted in the attacks, they wrote.
“The criminals who carry out these malicious cyber-attacks often do so from abroad in the belief that American justice cannot reach them.,” John Durham, U.S. attorney for the Eastern District of New York, said in a statement, adding that the extradition and charges filed against Stryzhak “prove that they are wrong.”
Stryzhak is charged with conspiracy to commit fraud, extortion, and other crimes.
Hacking-for-Hire Alleged
Earlier in the same week, an English judge reportedly cleared the path for an Israeli private investigator accused by U.S. prosecutors of running an elaborate “hacking-for-hire” campaign against climate activists and environmental groups.
The DOJ has charged Amit Forlit with conspiracy to commit computer hacking, conspiracy to commit wire fraud, and wire fraud, alleging he was hired a lobbyist group that represented oil-and-gas giant ExxonMobil, among other companies. The hacking campaign almost a decade ago was designed to discredit environmentalist organizations and leaders that were pursuing climate change lawsuits in the United States, claiming that fossil fuel companies for decades misled the public about the threats of a warming planet, such as more extreme storms and flooding due to rising ocean levels.
According to The New York Times, prosecutors are alleging that the 57-year-old Forlit – who ran two investigation companies in Israel and a third in the United States – hacked more than 100 victims and stole confidential information at the request of the lobbying and consulting firm, an effort that earned him at least $16 million.
Officials with ExxonMobil and the lobbying group, DCI Group, denied involvement in any hacking campaigns.
Big Oil vs. Climate Activists
Forlit was arrested in London months after an associate, Aviram Azari – another Israeli private detective – pleaded guilty to such charges as conspiracy and wire fraud. According to NPR, a DOJ affidavit filed in the extradition case outlined how the operation allegedly worked, with a D.C. lobbying firm telling Forlit which people and organizations to target and Forlit or a co-conspirator giving the list to Azari.
Forlit reportedly has two weeks to appeal the British court’s ruling.
Azari then allegedly hired the hackers who targeted the activists and firms, with the lobbying firm then allegedly sharing private documents obtained via the hacking with the oil company. The private documents would then find their way into media reports and then used in court filings to push back against the lawsuits.
The Union of Concerned Scientists was among those targeted, as was the head of the Rockefeller Family Fund, the New York Times reported.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Tech Edge hosted a fireside chat on April 29 at RSAC 2025 in San Francisco with Corey Still, Vice President of Strategic Alliances at Corero Network Security. The in-person interview was joined by Editor-in-Chief John Jannarone and they discussed which technological breakthroughs in cybersecurity will have the most significant impact in the next two years, among other topics.
About Corey Still
Corey Still is the Vice President of Strategic Alliances with Corero Network Security. In this role, he is responsible for forging and nurturing strategic partnerships to enhance Corero’s market presence and drive growth. Corey leverages his extensive industry experience in order to identify and capitalize on opportunities for collaboration, ensuring mutual success for Corero and its partners across the globe.
Previously, Corey was the Director of Cyber Security and Software Defined Wide Area Network (SDWAN) Practices with Bell Business Markets. There, he led the security and SDWAN product teams, which were responsible for the Professional Service and Managed Services products and services delivered to the market. He and his team established strategic direction, development, and support for offerings across all layers of a customer’s infrastructure, including endpoint, on premise, network, mobility, and cloud.
About Corero Network Security
Corero Network Security is a leading provider of DDoS protection solutions, specializing in automatic detection and protection solutions with network visibility, analytics, and reporting tools. Corero’s technology protects against external and internal DDoS threats in complex edge and subscriber environments, ensuring internet service availability. With operational centers in Marlborough, Massachusetts, USA, and Edinburgh, UK, Corero is headquartered in London and listed on the London Stock Exchange’s AIM market (ticker: CNS) and the US OTCQX Market (OTCQX: DDOSF).
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
CUJO AI, the leading provider of AI-driven cybersecurity and network intelligence solutions for network service providers (NSPs), has won the Next Gen Cybersecurity Visionary award from Cyber Defense Magazine (CDM), the industry’s leading information security publication. The award was announced during the RSA Conference 2025 (RSAC).
The awards are judged by certified security experts (CISSP, FMDHS, CEH), who independently evaluate each submission. CDM prioritizes innovation over company size or revenue, seeking out next-generation InfoSec solutions that push the boundaries of cybersecurity.
“We scoured the globe looking for cybersecurity innovators that could make a huge difference and potentially help turn the tide against the exponential growth in cybercrime. CUJO AI is absolutely worthy of this coveted award and consideration for deployment in your environment,” said Yan Ross, Global Editor of Cyber Defense Magazine.
With a global clientele comprising major network operators, CUJO AI understands the unique challenges of securing connected devices. Its innovative solutions are tailored to provide comprehensive protection for IoT environments, ensuring the integrity and resilience of entire network infrastructures.
“We’re proud to be recognized among the best in cybersecurity,” said Remko Vos, CEO of CUJO AI. “Being evaluated by leading InfoSec experts from around the globe means only the most proven solutions are celebrated — and we’re thrilled to be among them.”
About CUJO AI
CUJO AI enables network service providers to understand, serve, and protect consumers with advanced cybersecurity and granular network and device intelligence. CUJO AI’s advanced AI algorithms help NSPs uncover previously unavailable insights to raise the bar for customer experience and retention with new value propositions and improved operations. Fully compliant with all privacy regulations, CUJO AI services are trusted by the largest broadband operators worldwide, including Comcast, Charter Communications, T-Mobile USA, Deutsche Telekom, TELUS, Sky Italia, Sky UK, Rogers, Cox, Shaw, Videotron, BT and EE.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Trend Micro has introduced new AI-powered threat detection capabilities aimed at enterprises scaling up their AI operations.
The new solution has been developed to protect AI-driven workloads and enterprise business processes, managing risks associated with the transition from generative AI to agentic AI, such as data theft, sabotage, and operational disruption.
Trend Micro’s latest offering brings together its security expertise with NVIDIA’s accelerated computing and AI enterprise software, while deploying on AWS’s secure, cloud-native infrastructure. The integration is intended to enable real-time, scalable threat detection and protection for organisations with expanding AI footprints.
The AI Detection Model at the core of this development leverages the NVIDIA Morpheus AI framework, which is part of NVIDIA AI Enterprise. The detection model operates on the high-performance cloud environment provided by AWS, allowing rapid and precise analysis of vast enterprise data streams.
According to Trend Micro, AWS was selected for its global reach, integrated security, and compliance-oriented architecture, while NVIDIA’s technology contributes the computational capacity necessary for running advanced detection models with high efficiency.
Chris Grusz, Managing Director, Technology Partnerships for AWS, said, “Built on AWS’s cloud-native infrastructure, Trend’s platform takes full advantage of NVIDIA AI software and accelerated computing capabilities to power scalable, low-latency threat detection. With AWS’s global footprint and integrated services, Trend can securely process telemetry at scale, adapt detection models to evolving threats, and support customers worldwide—all while accelerating time to value.”
The wider Trend Vision One platform also integrates AWS AI services, including Amazon Bedrock, which supports Workbench Insights. These components are designed to improve investigation workflows and deliver additional context to security operations centre (SOC) teams during incident response situations.
Mick McCluney, ANZ Field CTO at Trend, commented, “AI is reshaping the enterprise, and security has to evolve just as fast. We’re bringing together best-in-class partners in both cloud and AI to deliver something truly differentiated. AWS’s secure and resilient infrastructure gives us the scale, performance, and global availability needed to meet the always-on demands of today’s enterprises. So our customers can detect and respond to threats faster, with confidence.”
The anomaly detection capability within the solution employs AI models based on NVIDIA Morpheus. This allows the system to identify novel patterns in large streams of telemetry data and logs. The implementation on AWS enables the platform to scale effectively, managing extensive datasets and rapidly building custom detection models for individual customers. This approach seeks to prioritise the most critical events and prompt faster security responses.
Key features of the technology include NVIDIA Morpheus Digital Fingerprinting, which identifies subtle, previously unknown anomalies. There is also the use of NVIDIA RAPIDS to expedite large-scale data classification, enhancing real-time detection and prevention of sensitive information leaks. The platform’s native operation on AWS allows it to leverage the elasticity, global reach, and inherent security of AWS services, supporting ongoing advancements in AI-enabled detection while meeting enterprise compliance and performance benchmarks.
Robert Miller, VP of Corporate Security at Sierra-Cedar, highlighted the practical benefits of the solution: “We’re dealing with an increasingly complex environment with more data. Trend stands out as it doesn’t just provide threat intelligence, it helps make sense of it. Our team can access Trend’s AI-powered platform directly via AWS Marketplace, streamlining procurement and deployment across global cloud environments. This powerful combination allows us to strengthen our security posture and identify threats much faster than we could manually.”
The introduction of these new AI-powered threat detection capabilities is positioned to address the rapidly evolving landscape of enterprise cybersecurity as organisations integrate artificial intelligence deeper into their operations.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://securitybrief.com.au/story/trend-micro-launches-ai-threat-detection-for-enterprise-security
Living-off-the-land attacks are rising fast. Learn why they work — and how tailored hardening helps stop them without disrupting your business.
Living-off-the-land (LotL) attacks — where adversaries exploit legitimate system tools to carry out malicious activities — are becoming increasingly prevalent and sophisticated. Bitdefender’s internal threat analysis reveals that nearly 70% of successful cyberattacks utilize LotL techniques.
What’s driving this surge? An overreliance on detection, an unnecessarily large attack surface at nearly every organization, and a failure of traditional application control and attack surface reduction rules. You might call it a living-off-the-land trifecta.
Leaked Threat Actor Chats: We Live Off the Land
When someone leaked communications from the Black Basta ransomware group, it revealed the group’s LotL strategy. One of the group’s leaders shared: “If we use standard utilities, we won’t be detected… we never drop tools on machines.”
In other words, instead of the noisy attacks of the past, they leverage your legitimate tools and applications to secretly go deeper into your environment, most often leveraging this access for ransomware and data exfiltration.
These attacks are popular for four main reasons. They leverage what’s already there, so threat actors can avoid investing in tools of their own. They also cover all stages of an attack, from initial reconnaissance to lateral movement, data exfiltration, and even data encryption. And many of these tools are flexible, so threat actors can adapt them to their needs.
And perhaps the biggest advantage of LotL attacks is the ability to blend seamlessly with normal system activity. By using legitimate tools, attackers bypass legacy security solutions that rely on detecting suspicious custom tools and behavior.
Attack Surfaces and Failed Controls
For years now, IT and security teams have tried to minimize their attack surface by using allow lists. While they reduce attack surfaces somewhat, these tools often miss key preinstalled binaries and utilities, and they impair productivity or add overhead for IT teams when deployed on any system other than fixed-function devices. Similarly to attack surface reduction rules, as modern environments evolve rapidly, keeping up with changes and exceptions becomes overwhelming for administrative teams.
This is why attackers now celebrate that they can expect to find legitimate tools to abuse and remain hidden in their victims’ environments. To avoid slowing down business, organizations have invested in improving their detection and response capabilities to be able to discover and stop attackers that attempt to blend in using trusted tools. However, even the best security operations teams struggle to differentiate between legitimate tool usage by employees and attacker activity, which can give attackers the time they need to achieve their goals.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://www.darkreading.com/endpoint-security/lotl-attacks-new-defensive-strategy
These attacks need to be a wake-up call for every business in the UK,” Pat McFadden, chancellor of the Duchy of Lancaster, said.
Recent cyber-attacks and attempted hacks at some of the UK’s biggest retailers – Marks and Spencer’s, Co-op, and Harrods – have sparked a government response as fears mount across the retail sector.
The cyber-attacks all took place within a matter of days, impacting internal IT systems, and in the case of Co-op, even potentially affecting customer data, the BBC reported.
The UK’s National Cyber Security Centre is working with affected organizations to better understand the nature of the attacks, which left M&S with empty shelves and impacted the integrity of Co-op Teams communications.
Currently, the NCSC cannot say if these attacks are linked or part of a targeted campaign, but noted speculations that the M&S attack was proliferated by cyber-crime group Scattered Spider, and that remote access could have been gained over social engineering tactics.
Pat McFadden, chancellor of the Duchy of Lancaster, will set out action the government is taking to improve cybersecurity in a speech this week.
McFadden will call these attacks a “wake-up call for every business in the UK.
“In a world where the cyber-criminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – companies must treat cybersecurity as an absolute priority.
“We’ve watched in real-time the disruption these attacks have caused – including to working families going about their everyday lives. It serves as a powerful reminder that just as you would never leave your car or your house unlocked on your way to work. We have to treat our digital shop fronts the same way.”
The NCSC is urging leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.
These include back-t0-basics measures ranging from multi-factor authentication, enhanced monitoring against unauthorised account misuse and domains, reviewing passwords, advanced identifying systems, and better threat management tactics.
McFadden will also lay out how the government is aiming to enhance the UK’s cyber protections.
“We’re modernising the way the state approaches cyber, through the Cyber Security and Resilience Bill. That legislation will bolster our national defences,” McFadden will say.
“It will grant new powers for the Technology Secretary to direct regulated organisations to reinforce their cyber defences It will require over 1,000 private IT providers to improve their data and network security.
“It will require companies to report a wider array of cyber incidents to the NCSC in the future – to help us build a clearer picture of who, and what, hostile actors are targeting.”
While the NCSC says they have provided specific guidance to the retail sector, the centre “beleive[s] by following best practice, all companies and organisations can minimise the chances of falling victim to actors like this.”
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://www.digit.fyi/cyber-attacks-a-wake-up-call-to-retail-sector/
The Windows security landscape has dramatically evolved in early 2025, marked by increasingly sophisticated attack vectors and Microsoft’s accelerated defensive innovations.
February 2025 witnessed a sharp 87% increase in ransomware incidents globally, with 956 reported victims compared to January. As threat actors adapt their techniques, Microsoft has responded with significant security enhancements while organizations navigate a complex threat environment dominated by privilege escalation attacks and driver vulnerabilities.
Emerging Threat Landscape
The “Bring Your Own Vulnerable Driver” (BYOVD) attack has emerged as one of the most concerning Windows security threats in 2025. This technique involves attackers exploiting legitimate but flawed driver software to disable security controls and compromise systems.
These attacks are particularly effective because drivers operate at the most privileged level of the operating system (ring 0), giving them direct access to critical system resources.
According to recent reports, cyberattacks related to vulnerabilities in Windows drivers have increased by 23% based on 2024 vulnerability analysis.
In March 2025, a zero-day vulnerability in a Microsoft-signed driver from Paragon Software (CVE-2025-0289) was actively exploited in ransomware attacks.
The CERT Coordination Center warned that this insecure kernel resource access vulnerability could be used to escalate privileges or execute DoS attacks, even on systems where Paragon Partition Manager was not installed. Microsoft observed threat actors using this vulnerability “to achieve privilege escalation to SYSTEM level, then execute further malicious code.”
Elevation of privilege vulnerabilities continue to dominate the Windows security landscape, accounting for 40% of total vulnerabilities in 2023. This persistence indicates that hackers’ objectives remain unchanged – they need to gain privileges to execute their attacks.
InfoStealer malware campaigns have also seen a sharp increase since the start of 2025, with attackers leveraging social engineering via fake CAPTCHA prompts. These attacks direct users to paste malicious commands into the Windows “Run” dialog, establishing code execution that enumerates credentials and stored sessions before exfiltrating them.
Microsoft’s Defensive Strategy
In response to these evolving threats, Microsoft has announced several significant security enhancements. The most notable is Administrator Protection, a new feature that gives users standard permissions by default and requires Windows Hello authentication for actions needing administrator rights.
This creates a temporary token that is destroyed once the task is completed, making it “disruptive to attackers as they no longer have automatic, direct access to the kernel or other critical system security without specific Windows Hello authorization.”
Microsoft Defender XDR (formerly Microsoft 365 Defender) has received major updates to provide incident-level visibility across the cyberattack chain.
The solution now features automatic disruption of advanced attacks with AI to limit cyberattackers’ progress early on. At Microsoft’s Secure 2025 event, the company announced further enhancements to alleviate the burden of repetitive tasks for SOC analysts as phishing threats grow increasingly sophisticated.
A new “Quick Machine Recovery” feature will help administrators remotely fix systems rendered unbootable via Windows Update “targeted fixes,” eliminating the need for physical access to affected machines.
This development appears to address concerns raised by the CrowdStrike meltdown that caused billions of dollars in damage by crashing millions of PCs and servers worldwide.
Windows Protected Print mode, introduced with Windows 11 24H2 in October 2024, eliminates the need for third-party print drivers that have become effective entry points for attackers.
This represents the first major change to Windows printing in 25 years and prevents the installation of V3 or V4 printer drivers, requiring Mopria-certified printers using the Microsoft IPP class driver instead.
Recent Security Incidents
April’s Patch Tuesday addressed 121 vulnerabilities, including a Windows zero-day (CVE-2025-29824) actively exploited by the Storm-2460 ransomware group.
This Windows Common Log File System Driver elevation-of-privilege flaw affected most Windows Server and desktop systems, allowing attackers with local access and a regular user account to gain full system privileges.
Storm-2460 targeted organizations across the U.S., Venezuela, Spain, and Saudi Arabia, infiltrating vulnerable systems to deploy malware.
February 2025’s ransomware landscape showed unprecedented growth, with Clop ransomware seeing a staggering 453% increase compared to January, while Play experienced a 360% spike. The Manufacturing sector was hardest hit, with attacks increasing 112% from January to February.
Looking Forward
As Microsoft continues to reduce critical vulnerabilities and remove excessive privileges on endpoints, attackers are increasingly forced to exploit elevation of privilege vulnerabilities.
The company’s roadmap includes plans to allow security products to operate in user mode instead of kernel mode, with a private preview scheduled for July 2025.
These developments represent a significant shift in Windows security architecture, addressing fundamental flaws exposed by recent incidents while countering the sophisticated techniques employed by modern threat actors.
For organizations, staying ahead of these evolving threats requires vigilant patching, implementing advanced threat detection, and adopting Microsoft’s latest security features.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://cybersecuritynews.com/windows-security-in-2025/
Dive Brief:
- Google continued to ratchet up spending on technical infrastructure to meet growing demand for cloud compute services during the first three months of the year. The tech giant reported capital expenditures of $17.2 billion, primarily in servers and data centers to support consumer and enterprise products, cloud services and AI research, CFO Anat Ashkenazi said during a Q1 2025 earnings call last week.
- The company plans to increase capital expenditures by more than 40% to roughly $75 billion this year, compared to $52.5 billion in 2024. “We exited the year in cloud specifically with more customer demand than we had capacity and that was the case this quarter as well,” Ashkenazi said. “We want to make sure we ramp up to support customer needs and customer demands.”
- Google saw its cloud division revenues increase 28% year over year to $12.3 billion, driven by core infrastructure and AI services. Operating income for Google Cloud, which reported its first profitable quarter two years ago, grew 142% to nearly $2.2 billion during the three months ending March 31.
Dive Insight:
AI is the driving force behind massive capital investments by Google and its two larger hyperscale competitors, AWS and Microsoft. The technology shaped the infrastructure used to train and deploy large language models and opened the floodgates for a fresh wave of data center spend.
Less than 24 hours after the earnings call, Google announced a $3 billion commitment to build out facilities in Virginia and Indiana. The company also created a $75 million AI training fund and launched an AI fundamentals training course, according to last week’s announcement.
In early April, Google unveiled the seventh generation of its AI-optimized tensor processing unit, called Ironwood. The processor was designed to speed inference workloads and power an expanding suite of AI agents created by Google and several of the hyperscaler’s key enterprise technology provider partners, including Accenture, Deloitte and KPMG.
As autonomous AI tools raised security concerns and cyber leaders looked to leverage generative AI tools, Google beefed up its cloud protection portfolio through its $32 billion acquisition of Wiz in March.
“Together we can make it easier — and faster — for organizations of all types and sizes to protect themselves, end-to-end and across all major clouds,” said Sundar Pichai, CEO of Google and parent company Alphabet, during the recent earnings call.
“We think this will help spur more multi-cloud computing — something customers want,” Pichai added.
Cloud security is a perennial priority for CIOs, ranking just below cost controls, according to Flexera. It’s also an ongoing area of focus among providers.
Microsoft tightened internal security controls and said it had improved cloud vulnerability response protocols as part of its Secure Future Initiative update in April. Amazon CEO Andy Jassy highlighted AWS’s attention to security last year after Microsoft suffered a series of state-linked cyber breaches.
During the earnings call, Google executives made no mention of a federal court ruling that found the company’s online advertising technology violates antitrust regulations. The company had already filed an appeal in a separate antitrust case pertaining to its online search business.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://www.cybersecuritydive.com/news/google-cloud-ai-infrastructure-cybersecurity-spend/746861/
In 2025, as the digital world grows increasingly interconnected and the line between corporate and personal tech fades, Endpoint Security for CISOs becomes more critical than ever.
Chief Information Security Officers (CISOs) are faced with the daunting task of protecting a growing array of endpoints, from traditional laptops and smartphones to IoT devices and remote workstations.
The attack surface has expanded dramatically, and cybercriminals are exploiting these changes with increasingly sophisticated tactics. Ransomware, fileless malware, and AI-driven attacks are now common threats that can bypass outdated defenses.
As organizations rely more on digital infrastructure, the risks associated with endpoint vulnerabilities have become business-critical.
To stay ahead, CISOs must fundamentally rethink their approach to endpoint security, ensuring it is dynamic, adaptive, and resilient enough to meet the challenges of the modern threat landscape.
Gone are the days when a simple antivirus program was sufficient to protect organizational endpoints. The modern endpoint is a gateway to sensitive data and critical business operations, making it a prime target for attackers.
With remote work now standard practice and employees connecting from various locations and devices, the network perimeter is effectively gone.
Attackers exploit this complexity, using advanced techniques that evade traditional detection. Endpoints are now the frontline in the battle for cybersecurity, requiring protection that is proactive rather than reactive.
CISOs must recognize that relying on legacy tools and fragmented solutions is no longer viable. Instead, they need to adopt holistic security strategies that provide real-time visibility, rapid response, and continuous adaptation to new threats.
The endpoint has become the new perimeter, and its security is central to the organization’s overall resilience.
Key Strategies for Modern Endpoint Protection
To address the evolving threat landscape, CISOs must implement a comprehensive endpoint security framework that goes beyond basic prevention. This involves multiple layers of defense, intelligent automation, and a strong focus on risk management.
A robust endpoint security strategy includes several essential elements:
- Zero Trust Implementation – Zero Trust principles require that every device and user be continuously verified, regardless of their location or network. This approach limits access to only what is necessary, reducing the risk of lateral movement if an endpoint is compromised.
- AI-Driven Threat Detection – Modern endpoint solutions leverage artificial intelligence to identify unusual behaviors and patterns that may indicate a threat. This enables faster detection of sophisticated attacks that traditional systems might miss.
- Cloud-Native Security Platforms – Cloud-based security tools provide scalability and real-time updates, ensuring consistent protection across all endpoints. They also simplify management and enable organizations to respond quickly to emerging threats.
- Automated Patch Management – Keeping endpoints updated is critical, as unpatched vulnerabilities are a common entry point for attackers. Automated systems can prioritize and deploy patches efficiently, reducing the window of exposure.
- Endpoint Detection and Response (EDR) – EDR solutions offer continuous monitoring and rapid incident response. They provide detailed visibility into endpoint activity, enabling security teams to investigate and contain threats before they cause significant damage.
Each of these strategies plays a vital role in building a resilient endpoint security posture. By integrating these elements, CISOs can create a layered defense that adapts to new threats and reduces the risk of successful attacks.
Aligning Security with Business Objectives
For CISOs, the challenge is not only technical but also organizational. Gaining executive buy-in and aligning security initiatives with business goals are crucial steps toward building a successful endpoint security program.
This requires clear communication of how endpoint security supports the organization’s strategic objectives and protects its most valuable assets.
CISOs must adopt a risk-based approach, focusing resources on the endpoints that present the greatest risk to the business. This means understanding the business impact of potential threats and prioritizing security investments accordingly.
By demonstrating how improved endpoint security reduces operational disruption, regulatory risk, and financial loss, CISOs can make a compelling case for necessary resources and support.
Two key practices can help CISOs bridge the gap between security and business leadership:
- Articulating the value of security initiatives in terms of business outcomes, such as reduced downtime, improved customer trust, and compliance with industry regulations.
- Developing metrics and dashboards that track the effectiveness of endpoint security measures, making it easier to report progress and justify further investment.
Ultimately, the success of any endpoint security strategy depends on its alignment with the organization’s overall mission.
By positioning security as a business enabler rather than just a technical requirement, CISOs can foster a culture of shared responsibility and continuous improvement.
In 2025, this holistic, business-driven approach will be essential for protecting endpoints and ensuring long-term organizational resilience.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://cybersecuritynews.com/endpoint-security-for-cisos/
A previously documented threat actor known as Outlaw (or “Dota”) has resurfaced with an enhanced malware toolkit targeting Linux servers globally, according to a recent incident response investigation by Securelist analysts.
The group, active since at least 2018, has shifted focus to cryptographic mining and botnet propagation, exploiting weak SSH credentials to infiltrate systems in Brazil, the U.S., Germany, Italy, and Southeast Asia.
This latest campaign leverages Perl-based backdoors, modified XMRig miners, and IRC botnet clients to maintain persistence and evade detection while monopolizing victim resources.
The malware’s initial access vector remains consistent with historical Outlaw activity: brute-force attacks against SSH services using default or easily guessable credentials.
Once inside, attackers deploy a multi-stage payload beginning with a shell script (tddwrt7s.sh) that fetches and decompresses a malicious archive (dota.tar.gz).
This artifact creates a hidden directory (.configrc5) housing components for process manipulation, cryptocurrency mining, and command-and-control (C2) communication.
Securelist researchers noted the malware’s sophistication lies in its layered obfuscation, resource hijacking, and anti-forensic measures, including the systematic elimination of competing cryptominers on infected hosts.
Infection Mechanism: SSH Compromise and Payload Execution
The breach begins with attackers establishing SSH access using compromised credentials, often targeting accounts like suporte (Portuguese for “support”) with weak passwords.
Upon successful login, the threat actor executes a sequence of commands to download and unpack the primary payload.
This script retrieves a UPX-packed XMRig miner (kswapd0) and an obfuscated Perl IRC botnet client.
The .configrc5 directory structure includes subdirectories for payload execution (a/), persistence scripts (b/), and Tor proxies to mask mining pool communications.
Of particular note is the a /init0 script, which performs reconnaissance to identify and kill rival miners like tsm, rsync, and blitz using grep and kill -9 commands.
Persistence is achieved through SSH key manipulation and cron job injection. Attackers replace the victim’s .ssh /authorized_keys file with their own public key, ensuring repeated access even if credentials change.
The b/run script embeds a Base64-encoded Perl backdoor that deobfuscates to an IRC client masquerading as rsync. This client connects to C2 servers over port 443, enabling remote command execution, DDoS attacks, and lateral movement via SSH.
Securelist’s analysis revealed the malware’s adaptability, with recent samples incorporating Tor-based mining pools and process whitelisting to avoid disrupting its own operations.
While XMRig configurations default to CPU mining, the modular nature of the toolkit suggests potential expansion to GPU-based attacks.
The combination of credential brute-forcing, multi-layered payloads, and anti-detection routines positions Outlaw as a persistent threat to inadequately secured Linux environments.
Mitigation strategies emphasize SSH hardening, including disabling password authentication, enforcing firewall rate limits, and monitoring for unauthorized .ssh directory modifications.
Securelist advocates for tools like Fail2Ban paired with stringent sshd_config policies to disrupt Outlaw’s primary infiltration vector.
Stay updated with SOC News for cutting-edge security innovations and expert industry insights!
Source: https://cybersecuritynews.com/outlaw-cybergang-attacking-linux-environments/
