https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 11:08:452026-04-29 11:08:4538 Vulnerabilities Found in OpenEMR Medical Software
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 11:08:442026-04-29 11:08:44Amazon Prime Day 2026 is likely coming earlier. Here’s everything to know so far
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 11:08:442026-04-29 11:08:44Iranian Cyber Group Handala Targets US Troops in Bahrain
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 11:08:432026-04-29 11:08:43Checkmarx Confirms Data Stolen in Supply Chain Attack
Generative AI allows defenders to instantly create diverse honeypots, like Linux shells or Internet of Things (IoT) devices, using simple text prompts. This makes deploying complex, convincing deceptive environments much easier and more scalable than traditional methods.
AI-driven attacks often prioritize speed over stealth, making them highly vulnerable to being tricked by these simulated systems. This is critical because it allows defenders to catch and study automated threats that might otherwise overwhelm human teams.
This method shifts the strategy from merely detecting attacks to actively manipulating and misleading threat actors. Organizations can safely observe attacker methodologies in real-time within a controlled “hall of mirrors.”
Ultimately, by exploiting the inherent lack of awareness in AI agents, defenders can level the playing field and turn an attacker’s automation into a liability.
Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. The laborious, time-consuming tasks of finding potentially vulnerable systems, identifying their vulnerabilities, and executing exploit code can be automated and orchestrated using AI.
Clearly, these new capabilities put defenders at a disadvantage, as they expose new vulnerabilities for the threat actor. Attackers seek to minimize exposure. The more that a defender knows about a potential attack, the better they can prepare to repel or detect an attack. Using AI-orchestrated tooling to gain access to systems trades stealth for capability. That trade-off increases attacker visibility, and increased visibility is something defenders can exploit.
AI systems do not possess awareness. They generate plausible responses within a given context and set of inputs. As such they can be tricked or fooled into responding inappropriately through prompt injection or into interacting with systems that are not what they appear to be.
Honeypot systems have long been deployed as a method for gathering information about malicious activities. There are many software projects providing honeypots which can be installed and configured. However, the advent of generative AI systems provides us with the possibility to use AI to masquerade as vulnerable systems and allowing them to be deployed widely and with minimal effort.
In this post, I show how generative AI can be used to rapidly deploy adaptive honeypot systems.
Getting started
The implementation consists of three components: a listener that will accept network connections, a simulated vulnerability that will grant access to the attacker once triggered, and an AI framework that will respond to the attacker’s instructions.
The listener opens a TCP port, accepts incoming connections, and forwards traffic to handle_client. I set HOST to be “0.0.0.0” to accept any incoming connections to any local IPv4 addresses that my device is assigned.
def start_server():
"""Starts the TCP server."""
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind((HOST, PORT))
server.listen(3) # max number of concurrent connections
print(f"[*] Listening on {HOST}:{PORT}")
while True:
try:
conn, addr = server.accept()
client_handler = threading.Thread(target=handle_client, args=(conn, addr,))
client_handler.start()
except KeyboardInterrupt:
print("n[*] Shutting down server...")
break
except Exception as e:
print(f"[-] Server error: {e}")
server.close()
if __name__ == "__main__":
start_server()
Within handle_client I have created a very basic vulnerability that must be exploited before further access is granted. In this case, the attacker must supply the username “admin”with the password “password123” before they are authenticated.
The nature of the vulnerability need not be this simple. We could respond only to attempts to exploit Shellshock (CVE-2014-6271) or masquerade as a web shell that is only activated in response to port knocking.
def handle_client(conn, addr):
print(f"[*] Accepted connection from {addr}:{addr}")
# Store conversation history for this client to maintain context
conversation_history = [SYSTEM_PROMPT]
try:
authenticated = False
while not authenticated:
conn.sendall(b"Username: ")
username = conn.recv(BUFFER_SIZE).decode('utf-8').strip()
conn.sendall(b"Password: ")
password = conn.recv(BUFFER_SIZE).decode('utf-8').strip()
if username == "admin" and password == "password123":
authenticated = True
conn.sendall(b"Authentication successful.n")
print(f"[*] Client {addr[0]}:{addr[1]} authenticated successfully.")
else:
conn.sendall(b"Invalid credentials. Try again.n")
The remainder of the handle_client code accepts the attacker’s input, forwards it to the ChatGPT instance, and outputs the message and response to the console.
while True:
conn.sendall(b'>')
data = conn.recv(BUFFER_SIZE)
if not data:
print(f"[*] Client {addr}:{addr} disconnected.")
break
command = data.decode('utf-8').strip()
print(f"[*] Received command from {addr}:{addr}: '{command}'")
if command.lower() == 'exit':
print(f"[*] Client {addr}:{addr} requested exit.")
break
conversation_history.append({"role": "user", "content": command})
# Call ChatGPT API
try:
chat_completion = client.chat.completions.create(
model=MODEL_NAME,
messages=conversation_history,
temperature=0.1, # Keep responses less creative, more factual/direct
max_tokens=500 # Limit response length
)
# Extract AI's response
ai_response = chat_completion.choices[0].message.content.strip()
print(f"[*] ChatGPT response: '{ai_response}'")
# Append AI's response to history for continued context
conversation_history.append({"role": "assistant", "content": ai_response})
# Send AI's response back to the client
conn.sendall(ai_response.encode('utf-8') + b'n')
except Exception as e:
error_message = f"Error communicating with ChatGPT: {e}"
print(error_message)
conn.sendall(error_message.encode('utf-8') + b'n')
except ConnectionResetError:
print(f"[*] Client {addr}:{addr} forcibly closed the connection.")
except Exception as e:
print(f"[-] Error handling client {addr}:{addr}: {e}")
finally:
conn.close()
print(f"[*] Connection with {addr}:{addr} closed.")
The key functionality is contained in the instructions to the ChatGPT instance. You must have a valid OpenAI key in order to initiate a ChatGPT instance that will behave as instructed.
OPENAI_API_KEY = os.getenv("OPENAI_API_KEY") # Get API key from environment variable
MODEL_NAME = "gpt-3.5-turbo"
# --- OpenAI Client Initialization ---
if not OPENAI_API_KEY:
print("Error: OPENAI_API_KEY environment variable not set.")
print("Please set the environment variable before running the script.")
exit(1)
client = OpenAI(api_key=OPENAI_API_KEY)
# --- System Prompt for Linux Shell Simulation ---
SYSTEM_PROMPT = {
"role": "system",
"content": (
"You are a Linux bash shell. You will receive commands from the user and execute them, "
"returning only the standard output and standard error. Do not include any conversational text, "
"explanations, or additional formatting like markdown code blocks. You must only behave as a bash shell. "
"If a command produces no output, return an empty string"
"If a command is invalid or unknown, return an appropriate error message consistent with a bash shell."
"The Linux system that you are impersonating belongs to a junior software engineer learning python, "
"the file system structure and the content of any files should reflect that expected of a python learner."
)
}
Generative AI doesn’t just simulate human personas, it can convincingly impersonate entire computing environments. In this example, we instruct the system to masquerade as a basic Linux shell owned by a software engineer learning Python.
We can be more inventive and instruct the system to masquerade as a smart fridge by changing our instructions to ChatGPT.
SYSTEM_PROMPT = {
"role": "system",
"content": (
"You are a smart fridge running Busybox operating system and providing a Bash shell."
"You will receive commands from the user and execute them in the context of being a smart fridge."
"You will only return the standard output and standard error. Do not include any conversational text, "
"explanations, or additional formatting like markdown code blocks. You must only behave as a shell for an "
"IoT device. If a command produces no output, return an empty string"
"If a command is invalid or unknown, return an appropriate error message consistent with a bash shell."
"The file system structure should reflect that of a smart fridge manufactured by SmartzFrijj running "
"Busybox operating system as an embedded device. The current and historical values for temperature are "
"recorded in the file system path '/usr/local', information about stored milk is in the user directory."
)
}
The limiting factor is no longer tooling, but how convincingly we can model a target environment. A skilled human attacker is unlikely to be fooled for long — that milk would be rank. But that’s not the point. We’re not deploying AI honeypots to trick human threat actors.
Let’s ask ChatGPT what it thinks…
The industry narrative around AI in cybersecurity is dominated by fear of faster attacks, lower barriers, and greater scale. But speed and scale come with a cost. AI systems require interaction and context. Automation does not simply amplify attackers. but also constrains and exposes them. In that constraint lies an opportunity: not just to detect attacks, but to mislead, study, and ultimately manipulate the attacker.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 11:08:382026-04-29 11:08:38AI-powered honeypots: Turning the tables on malicious AI agents
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are listed below –
CVE-2024-1708 (CVSS score: 8.4) – A path traversal vulnerability in ConnectWise ScreenConnect
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 09:06:412026-04-29 09:06:41CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
Novee researchers find high-severity CVE-2026-26268 flaw in Cursor AI, allowing hackers to run malicious code when developers clone repositories.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 09:06:402026-04-29 09:06:40Cursor AI IDE vulnerability allows code execution via hidden Git hooks
Leading a managed security services provider has never been a comfortable job. And it isn’t now, though the demand for MSSPs has never been higher. The global threat landscape is expanding faster than most enterprise security teams can keep pace with, and organizations across every sector are turning to managed providers to fill the gap.
For MSSP leaders, this looks like an opportunity. And it is. The problem is that seizing it costs more than it used to.
Key Points
Linear scaling kills margins. Adding more clients traditionally requires proportionally more analysts, making profitable growth nearly impossible.
Alert noise is expensive. Up to 70% of alerts are false positives that waste analyst time and inflate operational costs.
Context gaps slow everything down. Disconnected tools force manual aggregation of data from multiple systems, delaying investigations.
Tool switching destroys efficiency. Constant platform hopping increases turnaround time and contributes to missed SLAs.
Standardization is essential for multi-client environments. Every client being unique creates bespoke processes that do not scale and accelerate analyst burnout.
ANY.RUN’s Threat Intelligence (TI Lookup + TI Feeds) and Interactive Sandbox work as an integrated infrastructure layer that reduces manual labor and improves unit economics.
True scalability comes from automation and shared context. MSSPs can serve more clients at higher quality without linear headcount increases, while lowering stress and turnover.
The quiet storm inside every MSSP
Threat actors automate attacks at unprecedented speed, while client environments grow more complex and diverse. MSSP leaders face mounting pressure to deliver faster, deeper, and more reliable protection across dozens or hundreds of customers: all while keeping margins healthy and SLAs intact.
More clients still often means more analysts;
More alerts still means more noise;
More data still doesn’t mean more clarity.
Meanwhile, the analysts carrying the weight are burning out. Turnover in MSSP analyst roles is among the highest in the industry, creating a perpetual cycle of recruitment, onboarding, and knowledge loss that compounds every other problem.
MSSP leaders aren’t looking for “another feature.” They’re looking for something closer to an operational backbone. Something that reduces manual effort and improves unit economics without adding complexity.
1. Linear Growth Equals Margin Death: The Scalability Trap
For many MSSPs, growth is a paradox: every new client increases revenue — but also operational cost at nearly the same rate. Hiring, training, and retaining talent is expensive and painful, with turnover creating constant friction. The more manual the work your analysts do per client, the harder it is to decouple revenue from headcount.
Your revenue line and your cost line climb together, and the margin in between never quite widens the way a growth business should.
How ANY.RUN helps
The Interactive Sandbox directly attacks the cost-per-investigation problem by compressing deep malware analysis from hours to minutes and speeding up triage, so each analyst can handle significantly more cases without sacrificing quality or output depth.
To see how the Sandbox automatically interacts with malware detonating the kill chain elements and eliminating the need for manual interventions for a malware analyst, view an analysis session:
Sandbox analysis with automated CAPTCHA pass and QR link follow
Threat Intelligence Lookup removes repetitive investigation steps by providing instant access to previously analyzed artifacts, indicators, and behaviors. It supports quick search across a huge database of contextual data on indicators and attacks drawn from sandbox investigations of over 15K SOC teams that are using ANY.RUN.
Together, these solutions shift effort from linear human scaling to knowledge reuse and automation. Analysts spend less time rebuilding context and more time making decisions.
ANY.RUN operational and business impact
2. Alert Noise Equals Wasted Money
With up to 70% of alerts representing noise, MSSPs burn resources investigating false positives. Every unnecessary alert translates into extra analyst time, higher operational costs, and increased risk of missing genuine threats amid the fatigue.
The downstream effects compound quickly. Analysts fatigued by noise start to triage faster and less carefully. Real threats get downgraded. Critical detections get buried under the volume. The service quality the MSSP is paid to deliver degrades — quietly, then suddenly.
Improve triage accuracy.
Reduce false positives to protect both your margins and your analysts’ time.
ANY.RUN Threat Intelligence — comprising TI Lookup and Threat Intelligence Feeds — puts a verification and enrichment layer in front of the analyst queue, so that the 70% that doesn’t matter gets filtered before it consumes investigation resources, and the 30% that does matter arrives with actionable context.
Cuts false positive handling time;
Raises triage confidence;
Reduces analyst fatigue across multi-client environments;
Feeds directly into SIEM and SOAR workflows.
TI Lookup provides on-demand, deep queries across a continuously updated database of threats, allowing an analyst to determine in seconds whether a suspicious IP, domain, file hash, or URL is genuinely malicious, benign, or requires deeper analysis.
IP check in TI Lookup with a “malicious” verdict, additional IOCs, and sandbox analyses
TI Feeds deliver structured, high-fidelity threat data enriched with behavioral context that integrates directly into SIEM and SOAR workflows.
TI Feeds integration capabilities
Instead of raw indicator lists that require manual validation, analysts receive intelligence that has already been correlated with real-world malware behavior observed in the Sandbox. The noise doesn’t just get filtered; it gets explained. Analysts spend time on what matters, and triage decisions become faster and more defensible.
3. Missing Context: The Manual Puzzle Problem
An MSSP analyst’s work happens across a fractured landscape. Threat intelligence feeds live in one place. SIEM alerts in another. Endpoint telemetry in a third. Sandboxing results in a fourth. An analyst responding to an incident doesn’t get the full picture handed to them. They construct it, manually, by pulling data from multiple sources, correlating it in their head or in a spreadsheet, and hoping nothing slips through the cracks.
This manual context assembly is slow, error-prone, and analyst-dependent. Investigations that should take minutes take hours. And in a threat landscape where speed matters, fragmented context is a liability that shows up in missed detections and broken SLAs.
How ANY.RUN helps
ANY.RUN collapses the distance between intelligence and action by delivering investigation context as a connected whole, giving MSSPs faster incident resolution, less analyst-dependent knowledge, and investigation outputs that hold their value even when team composition changes.
Eliminates manual context assembly;
Connects intelligence to behavior;
Reduces investigation time per incident.
ANY.RUN’s modules are designed for seamless integration and context sharing. The Interactive Sandbox delivers comprehensive behavioral data in one place: processes, network activity, MITRE ATT&CK mappings, and more. TI Lookup instantly correlates any indicator (IOC, IOA, or IOB) with related threats, full attack chains, and supporting sandbox reports. TI Feeds extend this intelligence across the entire stack, feeding enriched data into existing workflows.
The impact of ANY.RUN’s solution on MSSP processes
Analysts no longer “build the picture manually.” They access unified, actionable intelligence that accelerates triage, investigation, and reporting across all clients, reducing context gaps and enabling consistent, high-quality outcomes. The investigation pipeline becomes a connected workflow rather than a manual collage.
4. Tool-Switching: The Hidden Time Tax
Constantly jumping between platforms kills efficiency and extends turnaround times. Analysts lose momentum with every tab switch, every login, and every manual data transfer, directly impacting SLA compliance and team morale.
When tools are slow, unreliable, or disconnected, analysts route around them. They rely on memory, on informal knowledge-sharing, on workarounds. All of it introduces inconsistency and risk.
How ANY.RUN Helps
ANY.RUN’s API-first architecture is built to disappear into the workflows analysts already use, surfacing intelligence in the context where work is happening, rather than requiring analysts to pivot toward it. The result is less friction, higher adoption, and more consistent investigation quality across the team.
TI Lookup and TI Feeds can be embedded directly into SIEM, SOAR, and ticketing environments, so analysts can surface intelligence without leaving the context they’re already working in. The Interactive Sandbox can be invoked as part of an automated or semi-automated investigation pipeline, with results returned in structured, machine-readable formats that feed directly into case management.
Reports accessible in the Sandbox
The goal is to make ANY.RUN invisible in the best sense: present at every stage of investigation, without requiring analysts to pivot their attention toward it.
Stop scaling pain and start scaling profit.
Check how ANY.RUN Intelligence fits your workflows.
5. No Standardization — Scaling Chaos Across Clients
No two MSSP clients are alike. One runs a legacy on-premises environment with minimal telemetry. Another is cloud-native with dozens of SaaS integrations. A third has custom applications, bespoke logging configurations, and a security team with strong opinions about how investigations should be documented. For the MSSP trying to serve all three, the challenge isn’t just operational: it’s structural.
When client environments are siloed, institutional knowledge about one doesn’t transfer to another. When investigation workflows differ by engagement, onboarding new analysts takes longer, errors are harder to catch, and QA becomes a guessing game. What scales, in the absence of standardization, is chaos. And chaos has a cost.
How ANY.RUN helps
ANY.RUN Threat Intelligence was built with multi-tenant MSSP operations in mind.
Normalizes intelligence across client environments;
Gives analysts a single investigative interface;
Standardizes investigation outputs;
Shortens analyst onboarding.
TI Feeds deliver structured, consistently formatted intelligence that can be normalized and applied across client environments without per-client customization of the data layer.
TI Lookup gives analysts a single investigative interface regardless of which client environment they’re working in. And the Interactive Sandbox produces structured, reproducible analysis outputs — process trees, network maps, MITRE mappings, IOC exports — that can be templated into client-specific reporting workflows without requiring analysts to rebuild their investigation approach from scratch each time.
Standardization doesn’t mean treating every client the same. It means having a consistent intelligence layer beneath the client-specific details, so that quality and speed hold constant even as the client roster grows.
Analyst burnout (the pain that amplifies all others)
When systems don’t scale, people absorb the pressure. Overload, repetitive work, constant alert fatigue — this is where everything converges.
Burnout isn’t just a people problem. It’s an operational risk:
Higher turnover;
Knowledge loss
Reduced investigation quality
How ANY.RUN helps
By reducing noise, minimizing manual work, and accelerating investigations, the combined capabilities of Interactive Sandbox, TI Lookup, and TI Feeds directly lower cognitive and operational pressure. Analysts move from reactive overload to structured, efficient workflows.
Conclusion: What MSSPs Are Actually Looking For
The pains above are not independent problems. They are interconnected symptoms of the same underlying condition: MSSP operations that have scaled their client load without scaling the intelligence infrastructure underneath it.
MSSPs don’t need more isolated features. They need:
Less manual aggregation;
Less switching;
More context, faster;
Reliable, always-available capabilities;
Infrastructure that improves margins, not just performance.
When Threat Intelligence Lookup and Threat Intelligence Feeds operate as a unified threat intelligence layer, and Interactive Sandbox feeds it with fresh behavioral data, the result isn’t just efficiency. It’s a shift in how MSSPs operate: from effort-heavy scaling to intelligence-driven scaling.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls.
FAQ
What are the main operational challenges facing MSSP leaders today?
The biggest pains include linear headcount scaling, high alert noise (up to 70%), missing context, constant tool switching, lack of standardization across clients, and resulting analyst burnout and turnover.
How does ANY.RUN help MSSPs scale without proportionally increasing staff?
By combining Threat Intelligence and the Interactive Sandbox, ANY.RUN dramatically reduces time spent on triage and investigation, allowing the same team to handle more clients effectively while maintaining or improving service quality.
Can ANY.RUN reduce alert fatigue?
Yes. TI Feeds deliver high-confidence, low-noise IOCs, while TI Lookup and Sandbox analysis provide rapid behavioral context that helps filter genuine threats from noise.
How does ANY.RUN solve the problem of missing context?
The Interactive Sandbox reveals full attack behavior, and TI Lookup instantly correlates indicators with rich, real-world intelligence — all in one integrated workflow instead of manual collection across tools.
Is ANY.RUN suitable for multi-tenant MSSP environments?
Yes. It supports strong client isolation and centralized management, replacing manual separation processes with reliable, scalable infrastructure.
How fast is analysis with ANY.RUN?
The Interactive Sandbox and Threat Intelligence deliver quick turnaround times, often in seconds to minutes, helping MSSPs comfortably meet aggressive SLAs (typically ~1 hour for initial analysis).
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-04-29 07:06:522026-04-29 07:06:52Critical GitHub Vulnerability Exposed Millions of Repositories