Posted 2024-12-16 13:06:43: Keepit Raises $50 Million for SaaS Data Protection Solution
New Guidelines Aim to Strengthen Security Against Scams, Phishing, and Smart Contract Exploits.
Overview
The rapid adoption of cryptocurrency has opened new doors for financial innovation and investment, but it has also made this digital asset an increasingly attractive target for cybercriminals. Recognizing the growing risks in this space, the Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have issued a joint advisory to help the public protect their cryptocurrency holdings. The advisory outlines the tactics employed by threat actors and provides best practices for safeguarding digital assets. This blog takes a closer look at the advisory, analyzes the evolving threats, and recommends preventive measures to ensure a safer cryptocurrency ecosystem in Singapore.
Threat Actors Target Cryptocurrency: Tactics to Watch Out For
As cryptocurrencies gain popularity, cybercriminals have refined their methods to exploit unsuspecting victims. SPF and CSA have highlighted several tactics used by threat actors:
Imposter Profiles
Cybercriminals impersonate legitimate blockchain projects and exchanges on social media platforms, offering fake giveaways or promotions. Victims are told to "verify" their wallets, which in practice means entering sensitive information such as login credentials on an attacker-controlled page.
In other cases, attackers pose as recruiters for cryptocurrency companies and ask candidates to prove their blockchain skills by running a supplied script or project. The code is malicious and, once executed, triggers transactions out of the victim's wallet.
Phishing Websites
Fraudulent websites are created to mimic legitimate cryptocurrency wallets, exchanges, or platforms. These sites lure victims by promising lucrative investment opportunities or exclusive tokens with high returns.
Social media advertisements amplify the reach of these phishing schemes, making them more accessible to potential victims.
Exploiting Software Vulnerabilities
Threat actors hunt for flaws in smart-contract code, in particular in how a contract orders its own state updates around calls to other contracts. The best-known example is the re-entrancy attack: a contract makes an external call (for instance, sending funds to a recipient) before it has updated its own state, and code at the recipient calls back into the contract during that call, repeating the withdrawal against a balance that has not yet been reduced. The EVM executes transactions one at a time, so this is an ordering flaw rather than a multi-threading one; the standard defences are the checks-effects-interactions pattern and a re-entrancy guard.
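The ordering problem can be shown without an EVM. The following Python model is an added illustration, not code from the advisory or from SPF/CSA: a `Vault` class stands in for a withdrawal contract, and the recipient's callback stands in for a fallback function that re-enters `withdraw`. The attacker, the victim balance and the recursion depth are constructed for the demonstration.

```python
"""Re-entrancy, modelled in plain Python (added illustration, not advisory code).

A withdrawal routine that sends funds *before* zeroing the caller's balance lets
the recipient's callback (a contract's fallback function) re-enter withdraw()
while the old balance is still recorded. The 'safe' variant applies the
checks-effects-interactions ordering: update state first, then make the call.
"""


class Vault:
    """Deposit/withdraw contract. `safe` selects the ordering used by withdraw()."""

    def __init__(self, safe: bool) -> None:
        self.balances: dict[str, int] = {}
        self.total = 0          # funds actually held by the contract
        self.safe = safe

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, who: str, callback) -> None:
        """`callback(amount)` plays the recipient's fallback; it may call back in."""
        bal = self.balances.get(who, 0)
        if bal == 0:
            raise RuntimeError("nothing to withdraw")          # the 'check'
        if self.safe:
            self.balances[who] = 0                             # 'effect' first
            self.total -= bal
            callback(bal)                                      # 'interaction' last
        else:
            self.total -= bal
            callback(bal)                                      # external call first...
            self.balances[who] = 0                             # ...state update too late


class Attacker:
    """Deposits 1 unit, then re-enters withdraw() from inside the callback."""

    def __init__(self, vault: Vault, depth_limit: int = 3) -> None:
        self.vault = vault
        self.stolen = 0
        self.depth = 0
        self.depth_limit = depth_limit   # constructed cap so the demo terminates

    def fallback(self, amount: int) -> None:
        self.stolen += amount
        self.depth += 1
        if self.depth < self.depth_limit and self.vault.total >= amount:
            try:
                self.vault.withdraw("attacker", self.fallback)   # re-entrant call
            except RuntimeError:
                pass  # like a low-level call whose failure the attacker ignores

    def run(self) -> int:
        self.vault.deposit("attacker", 1)
        self.vault.withdraw("attacker", self.fallback)
        return self.stolen


def simulate(safe: bool) -> tuple[int, int]:
    """Returns (amount the attacker received, funds left in the vault)."""
    vault = Vault(safe=safe)
    vault.deposit("alice", 10)   # constructed victim balance
    stolen = Attacker(vault).run()
    return stolen, vault.total


if __name__ == "__main__":
    print("vulnerable:", simulate(safe=False))   # attacker paid 1, received 3
    print("safe:      ", simulate(safe=True))    # attacker paid 1, received 1
```

In the vulnerable ordering the attacker's recorded balance stays at 1 through every nested call, so each re-entry pays out again and the vault ends up holding less than Alice's recorded balance. With the effect applied before the interaction, the nested call finds a zero balance and fails; a `nonReentrant`-style mutex adds a second, independent barrier on top of that.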
Manipulating Automated Smart Contracts
Smart contracts that trade automatically (for example, bots that hunt for arbitrage or newly listed tokens) can be baited. Attackers create liquidity pools or tokens that look valuable on paper, so that the victim contract's own logic moves cryptocurrency into the attacker-controlled pools without any human approving the trade.
Best Practices for Cryptocurrency Users
To counter these threats, SPF and CSA have outlined several precautionary measures:
Use Secure Wallets
Store cryptocurrencies in hardware wallets to keep them offline and shield them from online attacks.
If frequent transactions are necessary, use reputable software wallets and ensure they are updated with the latest security patches.
Set Strong Passwords and Enable Two-Factor Authentication (2FA)
Always use strong, unique passwords for wallets and online accounts.
Never share private keys, recovery phrases, or seed phrases. Keep them stored securely in physical form.
Enable 2FA for all accounts related to cryptocurrency to add an extra layer of protection.
Regularly Monitor Accounts
Frequently review wallet transactions to spot unauthorized activities.
Use the token-approval checkers built into blockchain explorers to review which contracts hold allowances over your tokens, and revoke any that are excessive or no longer needed.
Exercise Caution with Smart Contracts
Verify the legitimacy of smart contracts before interacting with them.
Avoid approving or signing transactions without fully understanding their implications.
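Both of the points above (reviewing allowances, and not signing what you do not understand) come down to reading the calldata a wallet asks you to sign. The following Python is an added example, not code from the advisory: it decodes the two approval calls that grant a third party control over tokens and the `approve(spender, 0)` call that revokes an allowance. The function selectors are the standard 4-byte keccak-256 prefixes of the ERC-20/ERC-721 signatures; the spender address and the sample calldata are constructed.

```python
"""Decode approval calldata before you sign it (added example, not advisory code).

Wallet prompts often show only a hex blob. Decoding the 4-byte function selector
and the ABI-encoded arguments tells you whether a transaction grants a spender an
unlimited ERC-20 allowance or blanket NFT operator rights, or whether it is the
approve(spender, 0) call that revokes an allowance. Selectors are the standard
keccak-256 prefixes of the ABI signatures; the spender address is constructed.
"""

UNLIMITED = (1 << 256) - 1          # uint256 max: what an "infinite approval" is

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20 and ERC-721
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721 and ERC-1155
    "a9059cbb": "transfer(address,uint256)",         # ERC-20
}


def _word(data: bytes, index: int) -> bytes:
    """32-byte ABI word number `index` (0-based) following the selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def _addr(word: bytes) -> str:
    return "0x" + word[12:].hex()     # an address is right-aligned in its word


def decode_calldata(hexdata: str) -> dict:
    """Return selector, decoded arguments and a coarse risk label."""
    data = bytes.fromhex(hexdata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("no function selector")
    selector = data[:4].hex()
    func = SELECTORS.get(selector)
    out = {"selector": selector, "function": func, "risk": "unknown",
           "note": "unrecognised selector: do not sign blind"}
    if func == "approve(address,uint256)":
        amount = int.from_bytes(_word(data, 1), "big")
        out.update(spender=_addr(_word(data, 0)), amount=amount)
        if amount == UNLIMITED:
            out.update(risk="high", note="unlimited allowance: spender can drain this token")
        elif amount == 0:
            out.update(risk="none", note="revokes the spender's allowance")
        else:
            out.update(risk="scoped", note="allowance capped at the given amount")
    elif func == "setApprovalForAll(address,bool)":
        approved = int.from_bytes(_word(data, 1), "big") != 0
        out.update(operator=_addr(_word(data, 0)), approved=approved)
        if approved:
            out.update(risk="high", note="operator may move every token in the collection")
        else:
            out.update(risk="none", note="removes the operator")
    elif func == "transfer(address,uint256)":
        out.update(to=_addr(_word(data, 0)), amount=int.from_bytes(_word(data, 1), "big"),
                   risk="transfer", note="funds leave the wallet in this transaction")
    return out


def encode_calldata(selector: str, address: str, value: int) -> str:
    """ABI-encode (address, uint256-or-bool) after a selector; used to build samples."""
    addr = bytes.fromhex(address.removeprefix("0x")).rjust(32, b"\0")
    return "0x" + selector + addr.hex() + value.to_bytes(32, "big").hex()


SPENDER = "0x1111111111111111111111111111111111111111"   # constructed, not a real contract

if __name__ == "__main__":
    for calldata in (encode_calldata("095ea7b3", SPENDER, UNLIMITED),
                     encode_calldata("095ea7b3", SPENDER, 100 * 10**18),
                     encode_calldata("095ea7b3", SPENDER, 0),
                     encode_calldata("a22cb465", SPENDER, 1)):
        print(decode_calldata(calldata))
```

The decisive check is the second word: `2**256 - 1` means the spender can move every unit of that token you will ever hold, while a value sized to the trade you are about to make limits the damage if the spender contract is later compromised. Revoking is the same `approve` call with an amount of zero, which is what the explorer tools referred to above submit on your behalf.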
Beware of Phishing Attempts
Avoid clicking on unsolicited links or downloading attachments from unknown sources.
Cross-check links and verify their authenticity through official channels.
Stay Informed
Keep up-to-date with emerging cryptocurrency threats and best practices by following trusted sources and industry updates.
Responding to Cryptocurrency Crimes
Despite precautions, falling victim to cryptocurrency crimes is still a possibility. SPF and CSA recommend the following steps if you suspect or confirm an incident:
Immediate Actions
Contact your cryptocurrency exchange to halt transactions or freeze your account.
Revoke any suspicious token approvals using wallet interfaces.
If a seed phrase has been compromised, immediately transfer any remaining assets to a new wallet generated from a fresh seed phrase. Changing the password on the exposed wallet does not help, because anyone holding the seed phrase can recreate the wallet and its keys.
Report the Incident
File a report with the Police and CSA’s SingCERT by emailing singcert@csa.gov.sg or using the reporting form on the CSA website.
For urgent assistance, call the Police Hotline at 1800-255-0000 or dial 999 for emergencies.
Use the ScamShield app or helpline (1799) to check, deter, and block scams.
Analyzing the Threat Landscape
The tactics outlined by SPF and CSA illustrate the sophistication of modern cybercriminals targeting cryptocurrency users. These methods combine technical exploits with psychological manipulation to deceive victims. For example:
Social Engineering: Imposter profiles and phishing schemes prey on human trust and curiosity. The promise of high returns or exclusive opportunities can cloud judgment, leading victims to unknowingly divulge critical information.
Technical Exploits: Attacks on software vulnerabilities highlight the need for rigorous testing of smart contracts and associated applications. Developers must adopt robust security practices to minimize risks.
Automation Exploitation: Automated trading mechanisms, while convenient, require enhanced safeguards to prevent exploitation by malicious actors.
Fostering a Secure Cryptocurrency Ecosystem
Cryptocurrency security is a shared responsibility among users, developers, and regulatory bodies. Here are some actionable recommendations:
User Awareness
Public education campaigns should emphasize the importance of cybersecurity hygiene and vigilance in cryptocurrency transactions.
Sharing real-life case studies of cryptocurrency scams can help users recognize red flags.
Developer Best Practices
Developers must prioritize security when designing and deploying smart contracts. Comprehensive testing and vulnerability assessments are crucial.
Implementing monitoring mechanisms can help identify suspicious activities in real-time.
Regulatory Collaboration
Regulatory bodies and law enforcement agencies should collaborate to track and disrupt cryptocurrency-related criminal networks.
Encouraging the adoption of global security standards can strengthen the resilience of cryptocurrency platforms.
A Call to Action
As threats in the cryptocurrency space continue to evolve, staying one step ahead of cybercriminals is critical. The joint advisory from SPF and CSA underscores the importance of proactive measures to protect digital assets. By adopting best practices, users can significantly reduce their risk of falling victim to scams and attacks.
It’s equally important to foster a culture of shared responsibility and collaboration. Whether you’re a cryptocurrency user, developer, or policymaker, your role is integral to creating a safer cryptocurrency ecosystem.
Posted 2024-12-16 13:06:33: Singapore Warns Against Crypto Scams: Best Practices to Safeguard Digital Wealth
ANY.RUN’s Threat Intelligence (TI) feeds provide an invaluable solution for organizations seeking to detect and mitigate the latest malware and phishing campaigns, attacks, and cybercriminal tactics.
But what exactly is inside these feeds, and how can they help companies strengthen their cybersecurity?
Let’s dive into the details.
What Are ANY.RUN’s Threat Intelligence Feeds?
ANY.RUN’s Threat Intelligence (TI) feeds are a collection of Indicators of Compromise (IOCs) that extend security systems’ threat detection capabilities. They go beyond the basics: malicious IPs, URLs, domains and file hashes come with links to the actual sandbox analysis sessions, so you can see how each threat behaves.
Where does this data come from? An international community of over 500,000 researchers and cybersecurity pros who upload and analyze real-world malware and phishing samples every day to ANY.RUN’s Public submissions repository.
Expand Threat Coverage: Extend your security systems’ ability to detect emerging malware and phishing attacks.
Improve Incident Response: Enrich incident response processes with contextual data from the feeds, providing deeper insights into threats and their behaviors.
Strengthen Security Posture: Ensure proactive defense against new and evolving threats.
Optimize Threat Hunting: Streamline threat hunting activities, identifying and investigating potential threats more efficiently.
Want to integrate CTI Feeds from ANY.RUN? Reach out to us and we’ll help you set it up.
Here’s what makes ANY.RUN’s CTI feeds valuable for cybersecurity teams:
Fresh Data: Contain data extracted from the latest public samples uploaded to our interactive sandbox by a global network of over 500,000 security professionals.
Actionable Indicators: Supply indicators from decompressed traffic, memory dumps, and malware configurations along with those manually collected by our team of malware analysts, as well as data from partners and OSINT sources.
Contextual Information: Offer more than just IOCs by providing direct links to full sandbox analysis sessions that include memory dumps, network traffic, and events.
Rigorous Pre-Processing: Use advanced algorithms and proprietary technology for data filtering and validation.
Continuous Updates: Updated every few hours, helping security teams stay ahead of emerging threats and respond quickly to new ones.
STIX and MISP Formats: Deliver threat intelligence feeds in the STIX and MISP formats, making it easy for security teams to integrate our data into their existing infrastructure.
API Support: Integrate into existing security systems via API for real-time threat updates and automated responses.
What’s Inside ANY.RUN’s CTI Feeds?
The IOCs include information on malicious IP addresses, domain names, and URLs, enriched with contextual details such as related files and ports. Here’s a closer look at what’s inside:
IP addresses
IP addresses are important for detecting and preventing malicious network activity. They serve as digital markers of cybercriminal operations, often linked to Command-and-Control (C2) servers or phishing campaigns.
By analyzing IP addresses, cybersecurity teams can:
Identify malicious sources: Pinpoint harmful traffic and proactively block it.
Trace attack origins: Gain insights into the geolocation and tactics of attackers.
Monitor threat patterns: Detect repeated use of IPs across campaigns.
Enhance network security: Use IP-based firewalls and intrusion prevention systems (IPS) to block unwanted traffic.
ANY.RUN’s TI feeds don’t just list malicious IPs. They provide detailed context that turns raw data into actionable insights for cybersecurity teams. This enriched information helps assess the behavior and impact of each IP. Here’s what’s usually included:
External references: Links to relevant sandbox sessions.
Label: Name of the malware family or campaign.
Detection timestamps: “Created” and “Modified” dates provide a timeline to understand if a threat is ongoing or historical.
Related objects: IDs of files and network indicators related to the object in question.
Score: Value representing the severity level of the IOC.
Revoked: Field indicating whether the IOC has been invalidated.
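The fields listed above map closely onto STIX 2.1 indicator objects, which is one of the two formats the feeds are delivered in. The following Python is an added example, not ANY.RUN's code: it consumes a constructed STIX 2.1 bundle carrying those fields and turns it into blocklists, dropping revoked indicators, indicators whose `modified` date is stale, and indicators below a score threshold, while keeping the label and analysis link as context for the analyst. STIX has no standard severity field, so the score is carried under an assumed custom property `x_score` (STIX requires vendor properties to use an `x_` prefix); the feed's actual property name, the sample values and the reference URL are assumptions.

```python
"""Consume a STIX 2.1 indicator feed into a blocklist (added example, not ANY.RUN code).

The bundle is constructed to carry the fields the text describes (created/modified,
labels, external_references, revoked, a score). `x_score` is an assumed custom
property name for the severity score; the real feed may name it differently.
"""
import json
import re
import uuid
from datetime import datetime, timedelta

PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")
HASH_RE = re.compile(r"^\[file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'\]$")


def _ts(s: str) -> datetime:
    """Parse a STIX timestamp such as 2024-12-16T08:00:00.000Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _indicator(pattern, modified, score, revoked=False, label="agenttesla"):
    """Build one STIX 2.1 indicator object (sample data, not from a live feed)."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": "2024-12-01T00:00:00.000Z", "modified": modified,
        "labels": [label], "pattern_type": "stix", "pattern": pattern,
        "valid_from": "2024-12-01T00:00:00Z", "revoked": revoked,
        "x_score": score,                                   # assumed property name
        "external_references": [{"source_name": "sandbox",
                                 "url": "https://sandbox.example/tasks/<task-id>"}],
    }


# Constructed bundle: documentation IPs (203.0.113.0/24) and a reserved .example domain.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    _indicator("[ipv4-addr:value = '203.0.113.10']", "2024-12-16T08:00:00.000Z", 90),
    _indicator("[ipv4-addr:value = '203.0.113.11']", "2024-12-16T08:00:00.000Z", 90, revoked=True),
    _indicator("[domain-name:value = 'c2.bad.example']", "2024-11-01T00:00:00.000Z", 95),
    _indicator("[domain-name:value = 'stage.bad.example']", "2024-12-15T00:00:00.000Z", 30),
    _indicator("[url:value = 'http://stage.bad.example/load.php']",
               "2024-12-16T06:00:00.000Z", 75, label="lumma"),
    _indicator("[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "2024-12-16T06:00:00.000Z", 85),
    {"type": "malware", "spec_version": "2.1", "id": f"malware--{uuid.uuid4()}",
     "name": "AgentTesla", "is_family": True},             # non-indicator object, ignored
]})


def build_blocklist(bundle_json: str, now: str, max_age_days: int = 7, min_score: int = 50):
    """Return ({type: sorted values}, {value: context}) from fresh, unrevoked indicators."""
    bundle = json.loads(bundle_json)
    as_of = _ts(now)
    lists = {"ipv4-addr": set(), "domain-name": set(), "url": set(), "sha256": set()}
    context = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue                                         # skip withdrawn IOCs
        if as_of - _ts(obj["modified"]) > timedelta(days=max_age_days):
            continue                                         # stale: historical, not ongoing
        if obj.get("x_score", 0) < min_score:
            continue
        if m := PATTERN_RE.match(obj["pattern"]):
            kind, value = m.group(1), m.group(2)
        elif m := HASH_RE.match(obj["pattern"]):
            kind, value = "sha256", m.group(1).lower()
        else:
            continue                                         # compound patterns not handled here
        lists[kind].add(value)
        refs = obj.get("external_references", [])
        context[value] = {"label": (obj.get("labels") or ["unknown"])[0],
                          "modified": obj["modified"],
                          "ref": refs[0]["url"] if refs else None}
    return {k: sorted(v) for k, v in lists.items()}, context


if __name__ == "__main__":
    lists, ctx = build_blocklist(SAMPLE_BUNDLE, "2024-12-16T12:00:00Z")
    for kind, values in lists.items():
        for v in values:
            print(f"{kind:12} {v:45} {ctx[v]['label']:10} {ctx[v]['ref']}")
```

The two filters that matter operationally are `revoked` (an indicator the producer has withdrawn must leave your blocklist on the next sync, or false positives accumulate) and the `modified` age (a C2 address last seen six weeks ago is context for an investigation, not a reason to block live traffic). Lowering `max_age_days` or `min_score` is the knob for turning the same feed into hunting data rather than a blocklist.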
Domains
Domains play a crucial role in hosting malicious content, phishing campaigns, and distributing malware. They are often used as staging points for cyberattacks, making them a key focus for threat detection and mitigation.
ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes.
Keep in mind that domains provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.
Give CTI Feeds from ANY.RUN a try: start with a free demo sample in STIX or MISP.
URLs
URLs play a significant role in cybercriminal operations, often serving as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content. Their flexibility and ease of use make them a preferred tool for attackers.
How URLs are used:
Malware delivery: Embedded in emails or websites, URLs download malware or redirect to exploit kits.
Phishing campaigns: Lead users to fake websites designed to steal sensitive information.
Command-and-Control (C2): Facilitate communication between malware and attackers for issuing commands or data exfiltration.
Exploitation and redirection: Redirect victims to malicious sites hosting drive-by downloads or exploits.
By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data. Because a URL is usually the first hop in an attack chain (lure, loader, exploit kit), blocking it early cuts off everything that would have followed.
Additional Indicators in ANY.RUN’s TI Feeds
In addition to the core Indicators of Compromise (IOCs) such as URLs, domains, and IPs, ANY.RUN’s CTI feeds include a wealth of contextual information.
This additional data enriches the IOCs, offering deeper insights into the nature and behavior of each indicator.
Files
For file indicators, ANY.RUN’s CTI feeds provide detailed information to help identify and assess malicious files. Here are the key data fields included:
ANY.RUN offers demo feed samples in STIX and MISP formats
You can test ANY.RUN’s Threat Intelligence Feeds in STIX and MISP formats completely for free by getting a free demo sample here.
ANY.RUN also runs a dedicated MISP instance that you can synchronize your own MISP server with or connect to your security solutions. To get started, contact our team via this page.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With the evolution of modern software development, CI/CD pipeline governance has emerged as a critical factor in maintaining both agility and compliance. As we enter the age of artificial intelligence (AI), the importance of robust pipeline governance has only intensified. With that said, we’ll explore the concept of CI/CD pipeline governance and why it’s vital, especially as AI becomes
Posted 2024-12-16 12:06:54: Data Governance in DevOps: Ensuring Compliance in the AI Era
Staffers at the Cybersecurity and Infrastructure Security Agency tell WIRED they fear the new administration will cut programs that keep the US safe—and “persecution.”
Posted 2024-12-16 12:06:53: The Top Cybersecurity Agency in the US Is Bracing for Donald Trump
Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa.
QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (
Posted 2024-12-16 11:06:50: New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP
Cybersecurity researchers are calling attention to a new kind of investment scam that leverages a combination of social media malvertising, company-branded posts, and artificial intelligence (AI) powered video testimonials featuring famous personalities, ultimately leading to financial and data loss.
“The main goal of the fraudsters is to lead victims to phishing websites and forms that harvest
Posted 2024-12-16 11:06:49: New Investment Scam Leverages AI, Social Media Ads to Target Victims Worldwide
Digital license plates sold by Reviver, already legal to buy in some states and drive with nationwide, can be hacked by their owners to evade traffic regulations or even law enforcement surveillance.
Posted 2024-12-16 11:06:49: Hackers Can Jailbreak Digital License Plates to Make Others Pay Their Tolls and Tickets
Cyble Research and Intelligence Labs (CRIL) researchers investigated 16 IT vulnerabilities and 11 dark web exploits in the week ended Dec. 10, including actively exploited vulnerabilities in Cleo managed file transfer (MFT) software and Microsoft Windows.
Other vulnerabilities analyzed by Cyble affect WordPress and Ivanti Cloud Services Appliances (CSA), while dark web exploits include claims of an exploitable zero-day vulnerability in Palo Alto Networks devices.
Here are the vulnerabilities highlighted by Cyble’s vulnerability intelligence unit as meriting high-priority attention by security teams.
The Top IT Vulnerabilities
CVE-2024-50623 has not yet been scored by NVD, but this high-severity vulnerability in Cleo’s managed file transfer (MFT) products is being actively exploited for remote code execution (RCE), data theft and follow-on intrusions into corporate networks; CISA added it to its Known Exploited Vulnerabilities (KEV) Catalog on Dec. 13. The vulnerability affects Cleo Harmony, Cleo VLTrader and Cleo LexiCom, products organizations use to exchange data with partners. The flaw allows unrestricted file upload and download, which can lead to RCE.
CVE-2024-49138 is another high-severity vulnerability awaiting NVD analysis, but this one was added to CISA’s KEV Catalog as soon as Microsoft released a patch for it in its December 2024 Patch Tuesday updates. The flaw in the Windows Common Log File System (CLFS) Driver has been exploited in the wild and can enable attackers to gain SYSTEM privileges.
CVE-2024-38193 is a high-severity elevation of privilege vulnerability affecting the Windows Ancillary Function Driver for WinSock, commonly referred to as afd.sys. This kernel driver manages network communications and backs the Winsock API, so it is essential for TCP/IP networking. The vulnerability was observed being actively exploited by North Korean hackers to install a rootkit on targets in August 2024. With public proof-of-concept (PoC) code recently released, a new wave of exploitation attempts is likely.
CVE-2024-49041 is a medium-severity spoofing vulnerability identified in Microsoft Edge (Chromium-based). The vulnerability arises from the user interface performing incorrect actions in response to user requests, which can lead to spoofing attacks. This means that an attacker could potentially manipulate the UI to mislead users into taking actions that they did not intend.
CVE-2024-11205 is a CVSS 8.5 vulnerability affecting WPForms, a widely used WordPress plugin for building online forms. The flaw is a missing capability check on the ‘wpforms_is_admin_page’ function in versions from 1.8.4 up to and including 1.9.2.1, which lets authenticated attackers with Subscriber-level access or higher refund payments and cancel subscriptions.
CVE-2024-11639 is a CVSS 10.0 critical authentication bypass in Ivanti Cloud Services Appliance (CSA), an internet-facing appliance that acts as a secure gateway for enterprise users reaching internal network resources. The flaw is in the admin web console of Ivanti CSA before 5.0.3 and allows a remote, unauthenticated attacker to gain administrative access.
CVE-2024-11680 is a CVSS 9.8 improper-authentication vulnerability affecting ProjectSend, an open-source file-sharing application built for private exchanges between businesses and their clients. Remote, unauthenticated attackers can exploit it by sending crafted HTTP requests to options.php, which lets them modify the application’s configuration; from there they can create accounts, upload webshells and embed malicious JavaScript. Threat actors were observed discussing exploits for the vulnerability on the dark web (see next section).
Vulnerabilities and Exploits on Underground Forums
CRIL researchers observed multiple Telegram channels and cybercrime forums where threat actors (TAs) shared or discussed exploits weaponizing vulnerabilities. Cyble also observed a TA offering an exploit chain for an undisclosed vulnerability in Palo Alto Networks devices, quoting a price of USD 5,000. The other vulnerabilities discussed by TAs include:
CVE-2024-51378: A critical security vulnerability in CyberPanel versions prior to 1c0c6cb that allows remote attackers to bypass authentication, enabling them to execute arbitrary commands on the server.
CVE-2024-11680: A critical authentication vulnerability affecting ProjectSend versions prior to r1720. Remote, unauthenticated attackers can exploit the flaw by sending crafted HTTP requests to the options.php endpoint.
CVE-2024-38144: A critical security vulnerability in Microsoft Windows, specifically related to the Kernel Streaming WOW Thunk Service Driver, that allows for Elevation of Privilege attacks.
CVE-2024-10914: A critical command injection vulnerability in legacy D-Link NAS devices that allows unauthenticated attackers to inject arbitrary OS commands via HTTP GET requests, exploiting the cgi_user_add function in the account_mgr.cgi script.
CVE-2024-50483: A critical vulnerability affecting the Meetup plugin for WordPress versions up to and including 0.1 that is characterized as Authorization Bypass Through User-Controlled Key, which allows unauthenticated attackers to gain access to user accounts by exploiting improper verification processes during authentication.
CVE-2024-42327: A critical SQL injection vulnerability affecting Zabbix server versions 6.0.0 to 6.0.31, 6.4.0 to 6.4.16, and 7.0.
CVE-2023-6553: A TA shared a list of about 100,000 websites vulnerable to this critical Remote Code Execution vulnerability identified in the Backup Migration plugin for WordPress. The vulnerability affects all versions up to 1.3.7.
CVE-2024-35286, an SQL injection vulnerability, and CVE-2024-41713, a path traversal vulnerability, impact the NuPoint Unified Messaging (NPM) component of Mitel MiCollab and are critical vulnerabilities that could be exploited in sequence.
CVE-2024-11477: A critical vulnerability affecting versions of 7-Zip prior to 24.07 that allows remote code execution due to an integer underflow in its Zstandard decompression feature. A TA quoted a price of USD 8,000 for the exploit.
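Several of the entries above are defined purely by an affected-version range, which is where patch triage usually goes wrong (string comparison puts "24.08" after "24.7", and "1.9.2.1" is not obviously newer than "1.9.2"). As an added example, not Cyble's tooling, the following Python compares an inventory against the ranges transcribed from this report. The inventory entries are constructed, and the reading of the Zabbix "7.0" entry as 7.0.0 only is an assumption.

```python
"""Check an inventory against the affected-version ranges listed in this report.

Added example, not Cyble's tooling. The ranges are transcribed from the entries
above; the inventory is constructed. Versions are compared field by field as
integers, so "24.07" is read as 24.7 and 1.9.2.1 sorts after 1.9.2.
"""

from typing import Optional


def parse_version(text: str) -> tuple:
    """'1.9.2.1' -> (1, 9, 2, 1); letters are dropped ('r1720' -> (1720,), 'v5.0.3' -> (5, 0, 3))."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _pad(v: tuple, n: int) -> tuple:
    return v + (0,) * (n - len(v))      # (24, 7) compared against (24, 7, 0) etc.


def version_in_range(version: str, low: Optional[str], high: str, high_inclusive: bool) -> bool:
    v = parse_version(version)
    lo = parse_version(low) if low else (0,)
    hi = parse_version(high)
    n = max(len(v), len(lo), len(hi))
    v, lo, hi = _pad(v, n), _pad(lo, n), _pad(hi, n)
    if v < lo:
        return False
    return v <= hi if high_inclusive else v < hi


# (CVE, product, lowest affected version or None, upper bound, upper bound inclusive?)
AFFECTED = [
    ("CVE-2024-11205", "WPForms", "1.8.4", "1.9.2.1", True),   # 1.8.4 up to and including 1.9.2.1
    ("CVE-2024-11639", "Ivanti CSA", None, "5.0.3", False),    # before 5.0.3
    ("CVE-2024-11477", "7-Zip", None, "24.07", False),         # prior to 24.07
    ("CVE-2024-42327", "Zabbix", "6.0.0", "6.0.31", True),
    ("CVE-2024-42327", "Zabbix", "6.4.0", "6.4.16", True),
    ("CVE-2024-42327", "Zabbix", "7.0.0", "7.0.0", True),      # report lists "7.0"; read as 7.0.0 only (assumption)
]


def affected_cves(product: str, version: str, table=AFFECTED) -> list:
    """CVEs from `table` whose range covers `version` of `product`, in table order, deduplicated."""
    hits = []
    for cve, prod, low, high, inclusive in table:
        if prod.lower() == product.lower() and version_in_range(version, low, high, inclusive):
            if cve not in hits:
                hits.append(cve)
    return hits


INVENTORY = [  # constructed
    ("WPForms", "1.9.2.1"), ("WPForms", "1.9.3"),
    ("Ivanti CSA", "5.0.2"), ("Ivanti CSA", "5.0.3"),
    ("7-Zip", "24.06"), ("7-Zip", "24.08"),
    ("Zabbix", "6.4.10"), ("Zabbix", "7.0.0"), ("Zabbix", "7.0.5"),
]

if __name__ == "__main__":
    for product, version in INVENTORY:
        cves = affected_cves(product, version)
        print(f"{product:12} {version:8} {'PATCH: ' + ', '.join(cves) if cves else 'ok'}")
```

The table rows are the only product-specific knowledge in the script, so extending it to a vendor advisory is a matter of transcribing the stated ranges with the right inclusivity; "prior to X" is an exclusive upper bound, "up to and including X" is inclusive, and a single listed version such as "7.0" is a range of one.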
Cyble Recommendations
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
Regularly update all software and hardware systems with the latest patches from official vendors; the actively exploited Cleo and Windows flaws above belong at the front of that queue.
Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.
Conclusion
These vulnerabilities highlight the urgent need for security teams to prioritize patching exploitable vulnerabilities in important products, as well as vulnerabilities that could be weaponized as entry points for wider attacks. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.
Implementing strong security practices is essential to protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.
Posted 2024-12-16 11:06:38: IT Vulnerability Report: Cleo, Windows Flaws Under Attack