The IT help desk kindly requests you read this newsletter

The IT help desk kindly requests you read this newsletter

Welcome to this week’s edition of the Threat Source newsletter. 

Authority bias is one of the many things that shape how we think. Taking the advice of someone with recognized authority is often far easier (and usually leads to a better outcome) than spending time and effort in researching the reasoning and logic behind that advice. Put simply, it’s easier to take your doctor’s advice on health matters than it is to spend years in medical school learning why the advice you received is necessary. 

This tendency to respect and follow authoritative instructions translates into our use of computers, too. If you’re reading this, you’ve likely been the recipient of many questions about computer-related matters from friends and family. However, your trust can be abused, even by someone who seems knowledgeable and respectable. 

Attackers have learned that by impersonating individuals with some form of authority, such as banking staff, tax officials or IT professionals, they can persuade victims to carry out actions against their own interests. In our most recent Incident Response Quarterly Trends update, we describe how ransomware actors masquerade as IT agents when contacting their victims, instructing them to install remote access software. This allows the threat actor to set up long-term access to the device and continue the pursuit of their malicious objectives. 

If someone contacts you out of the blue professing to be an IT or bank/tax expert with urgent or helpful instructions, end the conversation immediately. Follow up with a call to the main contact details of the team or organization that contacted you to verify if the call was genuine. Be aware of the scams that the bad guys are using and spread awareness far and wide. Expect threat actors to attempt to exploit human nature and its own vulnerabilities. 

The one big thing 

Threat hunting is an integral part of any cyber security strategy because identifying potential incursions early allows issues to be swiftly resolved before harm is incurred. There are many different approaches to threat hunting, each of which may uncover different threats.

Why do I care? 

As threat actors increasingly use living-off-the-land binaries (LOLBins) — i.e. using either dual-use tools or the tools that they find already in place on compromised systems — detecting the presence of an intruder is no longer a case of simply finding their malware.  

Spotting bad guys is still possible, but requires a slightly different approach: either looking for evidence of the potential techniques they use, or finding evidence that things aren’t quite as they should be. 

So now what? 

Read about the different types of threat hunting strategies the Talos IR team uses and investigate how these can be used within your environment to improve your chances of finding incursions early.

Top security headlines of the week 

MySQL turns 30  
The popular database was founded on May 23, 1995 and is at the heart of many high-traffic applications such as Facebook, Netflix, Uber, Airbnb, Shopify, and Booking.com. (Oracle

Disney Slack attack wasn’t Russian protesters, just a Cali dude with malware 
A resident of California has pleaded guilty to conducting an attack in which 1.1 TB of data was stolen. The attack was conducted by releasing a trojan masquerading as an AI art generation application. (The Register

Ransomware Group Claims Attacks on UK Retailers 
The DragonForce ransomware group says it orchestrated the disruptive cyberattacks that hit UK retailers Co-op, Harrods, and Marks & Spencer (M&S). (Security Week

Attackers Ramp Up Efforts Targeting Developer Secrets 
Attackers are increasingly seeking to steal secret keys or tokens that have been inadvertently exposed in live environments or published in online code repositories. (Dark Reading)

Can’t get enough Talos? 

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools 
A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents. Read now

Threat Hunting with Talos IR
Talos recently published a blog on the framework behind our Threat Hunting service, featuring this handy video:

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/  
Typical Filename: VID001.exe  
Detection Name: Win.Worm.Bitmin-9847045-0  

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
Typical Filename: img001.exe  
Detection Name: Simple_Custom_Detection  

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
Typical Filename: VID001.exe   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0   
MD5: 8c69830a50fb85d8a794fa46643493b2 
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
Typical Filename: AAct.exe 
Detection Name: W32.File.MalParent 

Cisco Talos Blog – ​Read More

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

  • Cisco Talos identified a spam campaign targeting Brazilian users with commercial remote monitoring and management (RMM) tools since at least January 2025. Talos observed the use of PDQ Connect and N-able remote access tools in this campaign. 
  • The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox. 
  • Talos has observed the threat actor abusing RMM tools in order to create and distribute malicious agents to victims. They then use the remote capabilities of these agents to download and install Screen Connect after the initial compromise.
  • Talos assesses with high confidence that the threat actor is an initial access broker (IAB) abusing the free trial periods of these RMM tools. 

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

Talos recently observed a spam campaign targeting Portuguese-speaking users in Brazil with the intention of installing commercial remote monitoring and management (RMM) tools. The initial infection occurs via specially crafted spam messages purporting to be from financial institutions or cell phone carriers with an overdue bill or electronic receipt of payment issued as an NF-e (see Figures 1 and 2). 

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Figure 1. Spam message purporting to be from a cell phone provider. 
Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Figure 2. Spam message masquerading as a bill from a financial institution. 

Both messages link to a Dropbox file, which contains the malicious binary installer for the RMM tool. The file names also contain references to NF-e in their names: 

  • AGENT_NFe_<random>.exe 
  • Boleto_NFe_<random>.exe 
  • Eletronica_NFe_<random>.exe 
  • Nf-e<random>.exe 
  • NFE_<random>.exe 
  • NOTA_FISCAL_NFe_<random>.exe 

Note: <random> means the filename uses a random sequence of letters and numbers in that position. 

The victims targeted in this campaign are mostly C-level executives and financial and human resources accounts across several industries, including some educational and government institutions. This assessment is based on the most common recipients found in the messages Talos observed during this campaign. 

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Figure 3. Targeted recipients.

Abusing RMM tools for profit 

This campaign’s objective is to lure the victims into installing an RMM tool, which allows the threat actor to take complete control of the target machine. N-able RMM Remote Access is the most common tool distributed in this campaign and is developed by N-able, Inc., previously known as SolarWinds. N-able is aware of this abuse and took action to disable the affected trial accounts. Another tool Talos observed in some cases is PDQ Connect, a similar RMM application. Both provide a 15-day free trial period.

To assess whether these actors were using a trial version rather than stolen credentials to create these accounts, Talos checked samples older than 15 days and confirmed all of them returned errors that the accounts were disabled, while newer samples found in the last 15 days were all active.

Talos also examined the email accounts used to register for the service. They all use free email services such as Gmail or Proton Mail, as well as usernames following the theme of the spam campaign, with few exceptions where the threat actors used personal accounts. These exceptions are potentially compromised accounts which are being abused by the threat actors to create additional trial accounts. Talos did not find any samples in which the registered account was issued by a private company, so we can assess with high confidence these agents were created using trial accounts instead of stolen credentials.

N-able is aware of this abuse and took action to disable the affected trial accounts.

Talos found no evidence of a common post-infection behavior for the affected machines, with most machines staying infected for days before any other malicious activity was executed by the tool. However, in some cases, we observed the threat actor installing an additional RMM tool and removing all security tools from the machine a few days after the initial compromise. This is consistent with actions of initial access broker (IAB) groups. 

An IAB’s main objective is to rapidly create a network of compromised machines and then sell access to the network to third parties. Threat actors commonly use IABs when looking for specific target companies to deploy ransomware on. However, IABs have varied priorities and may sell their services to any threat actors, including state-sponsored actors.  

Adversaries’ abuse of commercial RMM tools has steadily increased in recent years. These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor. They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application.  

Talos created a trial account to test what features were available for a trial user. In the case of the N-able remote access tool, the trial version offers a full set of features only limited by the 15-day trial period. Talos was able to confirm that by using a trial account, the threat actor has full access to the machine, including remote desktop like access, remote command execution, screen streaming, keystroke capture and remote shell access. 

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Figure 4. N-able management interface showing available remote access tools. 
Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Figure 5. Administrative shell executed on a remote machine. 

The threat actor also has access to a fully featured file manager to easily read and write files to the remote file system. 

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Figure 6. N-able file manager. 

The network traffic these tools create is also disguised as regular traffic, with many tools using communication over HTTPS and connecting to resources which are part of the infrastructure provided by the application provider. For example, N-able Remote Access uses a domain associated with its management interface, hosted on Amazon Web Services (AWS): 

  • hxxps://upload1[.]am[.]remote[.]management/ 
  • hxxps://upload2[.]am[.]remote[.]management/ 
  • hxxps://upload3[.]am[.]remote[.]management/ 
  • hxxps://upload4[.]am[.]remote[.]management/ 

Disclaimer: The URLs above are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. Customers must complete an assessment before enabling block signatures for these domains. 

The domain the agent uses is the same for any customer using the tool, with only the username and API key differentiating which customer the agent belongs to, as can be seen in Figure 7. This makes it even more difficult to identify the origin of the attacks and perform threat actor attribution.

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools
Figure 7. Example configuration file. 

By extracting the configuration files inside the agent installer files still available on Dropbox, we can see some email addresses follow the same theme of the spam emails, using names of finance-related users and domains, while others could be potentially compromised accounts being used to create trial accounts for N-able Remote Access.  

With these trial versions being limited only by time and providing full remote-control features with little to no cost to the threat actors, Talos expects these tools to become even more common in attacks. 

Cisco Secure Firewall Application control is able to detect the unintended usage of RMM tools in customer’s networks. Instructions on how to set up Application control can be found at Cisco Secure Firewall documentation

Coverage 

Ways our customers can detect and block this threat are listed below. 

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org

ClamAV detections are also available for this threat:  

Txt.Backdoor.NableRemoteAccessConfig-10044370-0
Txt.Backdoor.NableRemoteAccessConfig-10044371-0 
Txt.Backdoor.NableRemoteAccessConfig-10044372-0 

Indicators of Compromise 

Disclaimer: The URLs below are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. An assessment must be done by customers before enabling block signatures for these domains. 

IOCs for this threat can be found on our GitHub repository here. 

Network IOCs 

hxxps://upload1[.]am[.]remote[.]management/ 
hxxps://upload2[.]am[.]remote[.]management/ 
hxxps://upload3[.]am[.]remote[.]management/ 
hxxps://upload4[.]am[.]remote[.]management/ 
198[.]45[.]54[.]34[.]bc[.]googleusercontent[.]com 

RMM Installer – Hashes 

03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e 
0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10 
080e29e52a87d0e0e39eca5591d7185ff024367ddaded3e3fd26d3dbdb096a39 
0de612ea433676f12731da515cb16df0f98817b45b5ebc9bbf121d0b9e59c412 
1182b8e97daf59ad5abd1cb4b514436249dd4d36b4f3589b939d053f1de8fe23 
14c1cb13ffc67b222b42095a2e9ec9476f101e3a57246a1c33912d8fe3297878 
2850a346ecb7aebee3320ed7160f21a744e38f2d1a76c54f44c892ffc5c4ab77 
4787df4eea91d9ceb9e25d9eb7373d79a0df4a5320411d7435f9a6621da2fd6b 
51fa1d7b95831a6263bf260df8044f77812c68a9b720dad7379ae96200b065dd 
527a40f5f73aeb663c7186db6e8236eec6f61fa04923cde560ebcd107911c9ff 
57a90105ad2023b76e357cf42ba01c5ca696d80a82f87b54aea58c4e0db8d683 
63cde9758f9209f15ee4068b11419fead501731b12777169d89ebb34063467ea 
79b041cedef44253fdda8a66b54bdd450605f01bbb77ea87da31450a9b4d2b63 
a2c17f5c7acb05af81d4554e5080f5ed40b10e3988e96b4d05c4ee3e6237c31a 
b53f9c2802a0846fc805c03798b36391c444ab5ea88dc2b36bffc908edc1f589 
c484d3394b32e3c7544414774c717ebc0ce4d04ca75a00e93f4fb04b9b48ecef 
ca11eb7b9341b88da855a536b0741ed3155e80fc1ab60d89600b58a4b80d63a5 
d1efebcca578357ea7af582d3860fa6c357d203e483e6be3d6f9592265f3b41c 
e2171735f02f212c90856e9259ff7abc699c3efb55eeb5b61e72e92bea96f99c 
e34b8c9798b92f6a0e2ca9853adce299b1bf425dedb29f1266254ac3a15c87cd 
ebdefa6f88e459555844d3d9c13a4d7908c272128f65a12df4fb82f1aeab139f 
f52b4d81c73520fd25a2cc9c6e0e364b57396e0bb782187caf7c1e49693bebbf 
f5efd939372f869750e6f929026b7b5d046c5dad2f6bd703ff1b2089738b4d9c 
F68ae2c1d42d1b95e3829f08a516fb1695f75679fcfe0046e3e14890460191cf 
a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065

Cisco Talos Blog – ​Read More

Safeguarding your browsing history | Kaspersky official blog

In April, the release of version 136 of Google Chrome finally addressed a privacy issue for the browser that’s been widely known about since 2002 (which issue, btw, is also present in all other major browsers). This was real bad news for unscrupulous marketers, who’d been exploiting it wholesale for 15 years. From this menacing description, you might be surprised to learn that the threat is a familiar and seemingly harmless convenience: links that your browser highlights a different color after you visit them.

From a blue sky to purple rain

Changing the color of links to visited sites (by default from blue to purple) was first introduced 32 years ago in the NCSA Mosaic browser. After that, this user-friendly practice was adopted by almost all browsers in the 1990s. And it later became the standard for Cascading Style Sheets (CSS) — a language for adding stylization to web pages. Such recoloring occurs by default in all popular browsers today.

However, as early as in 2002, researchers noticed that this feature could be abused by placing hundreds or thousands of invisible links on a page and using JavaScript to detect which of them the browser renders as visited. In this way, a rogue site could partially uncover a user’s browsing history.

In 2010, researchers discovered that this technique was being used in the wild by some major sites to snoop on visitors — among which were YouPorn, TwinCities, and 480 other sites then popular. It was also found that platforms like Tealium and Beencounter were offering history-sniffing services, while the advertising firm Interclick was implementing this technology for analytics, and even faced legal action. Although it won the lawsuit, the major browsers have since modified their code for processing links to make it impossible to read whether a link was visited or not.

However, advances in web technologies created new workarounds for snooping on browsing history. A 2018 study described four new ways to check the state of links — two of which affected all tested browsers except the Tor Browser. One of the vulnerabilities — CVE-2018-6137 — made it possible to check visited sites at up to 3000 links per second. Meanwhile new, increasingly sophisticated attacks to extract browsing history continue to appear.

Why history theft is dangerous

Exposing your browsing history, even partially, poses several threats to users.

Not-so-private life. Knowing what sites you visit (especially if it relates to medical treatment, political parties, dating/gambling/porn sites, and similar sensitive topics), attackers can weaponize this information against you. They can then tailor a scam or bait to your individual case — be it extortion, a fake charity, the promise of new medication, or something else.

Targeted checks. A history-sniffing site could, for example, run through all the websites of the major banks to determine which one you use. Such information can be of use to both cybercriminals (say, for creating a fake payment form to fool you) and legitimate companies (say, for seeing which competitors you’ve looked at).

Profiling and deanonymization. We’ve written many times about how advertising and analytics companies use cookies and fingerprinting to track user movements and clicks across the web. Your browsing history serves as an effective fingerprint, especially when combined with other tracking technologies. If an analytics firm’s site can see what other sites you visited and when, it essentially functions as a super-cookie.

Guarding against browser history theft

Basic protection appeared in 2010 almost simultaneously in the Gecko (Firefox) and WebKit (Chrome and Safari) browser engines. This guarded against using basic code to read the state of links.

Around the same time, Firefox 3.5 introduced the option to completely disable the recoloring of visited links. In the Firefox-based Tor Browser, this option is enabled by default — but the option to save browsing history is disabled. This provides a robust defense against the whole class of attacks but sorely impacts convenience.

Unless you sacrifice an element of comfort, however, sophisticated attacks will still be able to sniff your browsing history.

Attempts are underway at Google to significantly change the status quo: starting with version 136, Chrome will have visited link partitioning enabled by default. In brief, it works like this: links are only recolored if they were clicked from the current site; and when attempting a check, a site can only “see” clicks originating from itself.

The database of website visits (and clicked links) is maintained separately for each domain. For example, suppose bank.com embeds a widget showing information from banksupport.com, and this widget contains a link to centralbank.com. If you click the centralbank.com link, it will be marked as visited — but only within the banksupport.com widget displayed on bank.com. If the exact same banksupport.com widget appears on some other site, the centralbank.com link will appear as unvisited. Chrome’s developers are so confident that partitioning is the long-awaited silver bullet that they’re nurturing tentative plans to switch off the 2010 mitigations.

What about users?

If you don’t use Chrome, which, incidentally has plenty of other privacy issues, you can take a few simple precautions to ward off the purple menace.

  • Update your browser regularly to stay protected against newly discovered vulnerabilities.
  • Use incognito or private browsing if you don’t want others to know what sites you visit. But read this post first — because private modes are no cure-all.
  • Periodically clear cookies and browsing history in your browser.
  • Disable the recoloring of visited links in the settings.
  • Use tools to block trackers and spyware, such as Private Browsing in Kaspersky Premium, or a specialized browser extension.

To find out how else browsers can snoop on you, check these blogposts out:

Kaspersky official blog – ​Read More

Nitrogen Ransomware Exposed: How ANY.RUN Helps Uncover Threats to Finance 

The financial sector is heavily targeted by cybercriminals. Banks, investment firms, and credit unions are prime victims of attacks aimed at stealing sensitive data or holding it hostage for massive ransoms. One emerging threat in this landscape is Nitrogen Ransomware, a malicious group discovered in September 2024.  

It has since then been notoriously renowned for several successful attacks like that on SRP Federal Credit Union in South Carolina in December 2024. However, there is still a scarcity of information on the group’s TTPs, and this deficit highlights the value of solutions like ANY.RUN’s threat intelligence and malware analysis suite.

Why Financial Sector Is Vulnerable 

The numbers don’t lie: in 2024, 10% of all cyberattacks targeted the financial industry, according to reports.  

From ransomware to financial fraud and cloud infrastructure exploits, banks and credit unions face all the kinds of threats that there are. The stakes are high — cyberattacks now cost organizations up to $2.5 billion per incident, with ransomware attacks alone spiking to 20–25 major incidents daily, a fourfold increase in financial losses since 2017. 

Why is the financial sector so attractive? It’s simple: money and data. Financial institutions hold sensitive customer information and control vast sums of capital, which makes them tempting targets for ransomware groups like Nitrogen. Early detection and adversary tactics analysis are critical to minimizing damage, and that’s where services like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup come in handy. 

Meet Nitrogen Ransomware 

There are traces of Nitrogen from July 2023, but it’s consensual to track it from September 2024. It was initially observed targeting not only finance but also construction, manufacturing, and tech, primarily in the United States, Canada, and the United Kingdom. The routine was to encrypt critical data and demand a ransom to unlock it. One of their confirmed victims, SRP Federal Credit Union, a South Carolina-based institution serving over 195,000 customers, fell prey on December 5, 2024. 

Little is known about Nitrogen’s tactics due to limited public data, but a report by StreamScan provides a starting point.  

It offers key indicators of compromise and some insights into the methods. Interestingly, Nitrogen shares similarities with another ransomware strain, LukaLocker, including identical file extensions for encrypted files and similar ransom notes. This overlap raises questions about their origins, but deeper analysis is needed to confirm connections. 

The StreamScan report is the primary source of information on Nitrogen, detailing a few critical IOCs

  • Ransomware File: A malicious executable with the SHA-256 hash 55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be 
  • Mutex: A unique identifier, nvxkjcv7yxctvgsdfjhv6esdvsx, created by the ransomware before encryption. 
  • Vulnerable Driver: truesight.sys, a legitimate but exploitable driver used to disable antivirus and endpoint detection tools. 
  • System Manipulation: Use of bcdedit.exe to disable Windows Safe Boot, hindering system recovery. 

While this report is a good start, it’s light on details. This is where ANY.RUN steps in, offering deeper insights through dynamic analysis and threat intelligence enrichment.  

ANY.RUN’s Threat Intelligence Versus Nitrogen 

Let’s research some of the above-mentioned indicators via Threat Intelligence Lookup to find more IOCs, behavioral data, and technical details on Nitrogen attacks.  

1. Tracking the Mutex 

Before encrypting files, Nitrogen creates a unique mutex (nvxkjcv7yxctvgsdfjhv6esdvsx) to ensure only one instance of the ransomware runs at a time. Using ANY.RUN’s Threat Intelligence Lookup, analysts can search for this mutex and uncover over 20 related samples, with the earliest dating back to September 2, 2024.  

syncObjectName:”nvxkjcv7yxctvgsdfjhv6esdvsx” 

Mutex search results in TI Lookup  

For each sample, an analysis session can be explored to enrich the understanding of the threat and gather additional indicators not featured in public research.

All sandbox analyses contain a selection of linked IOCs

ANY.RUN’s analyses also link Nitrogen to LukaLocker, as both share similar code structures and behaviors. By identifying additional IOCs from related tasks, ANY.RUN helps organizations update their detection systems to block Nitrogen before it strikes. 

An analysis session in the sandbox where Luka was detected 

Collect threat intelligence with TI Lookup to improve your company’s security 



Get 50 free requests


2. Exposing the Vulnerable Driver 

Nitrogen exploits truesight.sys, a legitimate driver from RogueKiller AntiRootkit, to kill AV/EDR processes and thus disable antivirus and endpoint detection tools. This driver, listed in the LOLDrivers catalog, is used by threat actors because it’s not inherently malicious, so it does not trigger standard defenses. 

truesight.sys description in LOLDrivers’ catalog

ANY.RUN’s TI Lookup reveals over 50 analyses linked to truesight.sys: 

sha256:”Bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c” 

Sandbox sessions featuring the abused driver  

By parsing these analyses, teams see how the driver can be abused, from terminating security processes to evading detection.  

Malicious behavior exposed by a sandbox analysis 

The driver’s name as a search query with the “CommandLine” parameter gives a selection of system events involving the driver:  

commandLine:”*truesight.sys” 

System events observed via TI Lookup 

ANY.RUN’s Interactive Sandbox’s ability to detect and flag this activity ensures organizations can block such exploits early. 


Enrich your threat knowledge with TI Lookup

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup



3. Catching System Manipulation 

Nitrogen uses the Windows utility bcdedit.exe to disable Safe Boot, a recovery mechanism that could otherwise help restore an infected system. As the StreamScan report says: 

Example from the StreamScan report

ANY.RUN allows analysts to use YARA rules to search for this behavior, identifying samples that tamper with system settings.  

YARA rule from the StreamScan report 

A simple YARA search in ANY.RUN’s TI Lookup returned several files linked to this tactic, each with associated analysis sessions that reveal additional IOCs. 

YARA rule search in TI Lookup 

By integrating these IOCs into SIEM or EDR systems, organizations can detect and block attempts to modify Windows boot settings before encryption begins, stopping Nitrogen in its tracks. To defend against threats like Nitrogen, security teams should: 

  • Monitor for unusual use of PowerShell, WMI, and DLL sideloading. 
  • Block known malicious infrastructure and domains. 
  • Educate employees about phishing and social engineering tactics. 
  • Use threat intelligence services to proactively hunt for related IOCs and TTPs

Conclusion 

The financial sector’s battle against ransomware is far from over, but solutions like ANY.RUN are leveling the playing field. By dissecting Nitrogen Ransomware’s tactics —system manipulation, driver exploitation, and mutex creation — ANY.RUN empowers cybersecurity teams to detect, analyze, and respond to the threat faster. Its dynamic analysis capabilities let analysts observe malware in action, from file encryption to system components abuse, in a safe sandbox environment. Meanwhile, its TI Lookup enriches threat data by providing additional indicators, uncovering connections to other attacks, campaigns, and techniques. 

Nitrogen is a reminder that today’s cyberattacks are not only persistent — they’re precise. As Nitrogen and similar groups continue to evolve, staying proactive with dynamic analysis and enriched threat intelligence is the key to keeping financial institutions safe, to avoid direct capital losses, reputation damage.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post Nitrogen Ransomware Exposed: How ANY.RUN Helps Uncover Threats to Finance  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Mamona: Technical Analysis of a New Ransomware Strain

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

These days, it’s easy to come across new ransomware strains without much effort. But the ransomware threat landscape is far broader than it seems, especially when you dive into the commodity ransomware scene. This type of ransomware is developed by a group that sells a builder to third-party operators, with no formal agreement or contract between them, unlike the more organized Ransomware-as-a-Service (RaaS) model. 

On this side of the fence, we see countless new products appearing on the cybercrime shelf every day. They’re much harder to track, as victims, strains, infrastructure, and builds often have no direct connection to each other. 

Let’s take a look at one of them: Mamona Ransomware. Never heard of it? That’s probably because it’s a new strain but despite its short lifespan, it has already made some noise. It’s been spotted in campaigns run by BlackLock affiliates (who are also linked to Embargo), one of its online builders was exposed and later leaked on the clearnet, and the DragonForce group even stole the main website’s .env file, publishing it on their Dedicated Leak Site on Tor under the headline: “Is this your .env file?” 

So, let’s find out what this is all about. 

Mamona Ransomware in action

Mamona Ransomware: Key Takeaways 

  • Emerging threat: Mamona is a newly identified commodity ransomware strain. 
  • No external communication: The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration. 
  • Local encryption only: All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries. 
  • Obfuscated delay technique: A ping to 127[.]0.0[.]7 is used as a timing mechanism, followed by a self-deletion command to minimize forensic traces. 
  • False extortion claims: The ransom note threatens data leaks, but analysis confirms there is no actual data exfiltration. 
  • File encryption behavior: User files are encrypted and renamed with the .HAes extension; ransom notes are dropped in multiple directories. 
  • Decryption available: A working decryption tool was identified and successfully tested, enabling file recovery. 
  • Functional, despite poor design: The decrypter features an outdated interface but effectively restores encrypted files. 

This emerging ransomware can be clearly observed within ANY.RUN’s cloud-based sandbox environment. You can explore a full analysis session below for a detailed visual breakdown. 

View analysis session with Mamona ransomware 

Offline and Dangerous: Mamona’s Silent Tactics 

When you hear about ransomware, your first educated guess is usually a threat that comes from the outside, exfiltrates sensitive files, encrypts the local versions, and then demands a ransom. Pretty much the full ransomware cycle. But this one is different. it has no network communication at all, acting surprisingly as a mute ransomware. So far, the only connections it attempts are local, plus one to port 80 (HTTP), where no data is actually sent or received. 

A connection to port 80 is attempted, but not established 

This lack of network communication strongly suggests that the encryption key is either generated locally on the fly or hardcoded within the binary itself. In the medium term, this increases the chances of reverse-engineering a working decrypter which, fortunately, we already have in this case. 

A closer look reveals that the encryptor relies entirely on homemade routines. There are no calls to standard cryptographic libraries, no use of the Windows CryptoAPI, and no references to external modules like OpenSSL. Instead, all cryptographic logic is implemented internally using low-level memory manipulation and arithmetic operations. 

Speed up and simplify analysis of malware and phishing threats with ANY.RUN’s Interactive Sandbox 



Sign up with business email


One key routine is located at internal offsets such as 0x40E100. This function is repeatedly called after pushing registers and buffer pointers to the stack and exhibits patterns typical of custom symmetric logic. 

Custom encryption logic with no standard crypto 

The symmetric structure reinforces the hypothesis of a static or trivially derived key, making Mamona a strong example of commodity ransomware that prioritises simplicity over cryptographic robustness. 

Still, just because this malware doesn’t communicate with external hosts doesn’t mean it can’t cause serious local damage. Let’s take a closer look. 

How Mamona Executes Its Attack 

The first thing Mamona does is execute a ping command as a crude time delay mechanism, chaining it with a self-deletion routine via cmd.exe. 

The use of ping 127[.]0.0[.]7 is a classic trick in commodity malware: instead of using built-in sleep APIs or timers (which can be flagged by behavioural monitoring), the malware sends ping requests to a loopback IP address, effectively pausing execution.  

Interestingly, it uses 127[.]0.0[.]7 instead of the more common 127[.]0.0[.]1, likely as a basic form of obfuscation. It’s still within the reserved localhost block (127[.]0.0[.]0/8) but may bypass simple detection rules that specifically target 127[.]0.0[.]1. 


A crude yet useful delay mechanism

Once the short delay is complete, the second part of the command attempts to delete the executable from disk using Del /f /q. Since a process can’t delete itself while it’s still running, this whole sequence is executed in a separate shell process. This is a simple but effective form of self-cleanup, aimed at reducing forensic traces post-infection. 

Even if the mechanism isn’t simple, ANY.RUN understands the hidden intention and flags the behavior

Mamona begins with a straightforward reconnaissance phase, harvesting basic host data like the system’s name and configured language. It then proceeds to drop a ransom note (README.HAes.txt) not only on the Desktop, but recursively inside multiple folders, increasing the chances the victim will see it. 

Recon routine and ransom note dropping

Following the ransom note deployment, Mamona begins encrypting user files, renaming them with the .HAes extension and making them inaccessible. To reinforce the impact, it changes the system wallpaper to a stark warning: “Your files have been encrypted!” 

Files receive a new extension

The ransom note shares links to a dedicated leak site (DLS) and a victim’s chat support, both on Tor. Also, it states that “we have stolen a significant amount of your important files from your network” and “Refuse to pay: your stolen data will be published publicly” but that actually does not happen, as we discussed earlier. There’s literally no network activity so this seems to be a threat to coerce the victim into paying the ransom. 

“Mamona, R.I.P!”. Ransom note, with a couple of lies

But we have an ace up our sleeve. For this engagement, alongside the malware sample, we also managed to obtain a decrypter thanks to Merlax, a friend and fellow malware researcher. Let’s take a look at how it works. 

Undoing Mamona’s Damage 

We’re dealing with a Ctrl-Z in .exe form, so let’s give it a chance and see how it performs. Visually, it’s a mess: the interface looks like a homemade project built with an older version of Visual Studio. UI elements are poorly rendered, often misaligned or clipping outside window boundaries.  

But the backend does its job far better than the frontend, and the files are back to normal. 

Files on the desktop went back to normal

By analysing the decrypter, we find an interesting internal function at offset 0x40C270. Much like in the ransomware sample, we observe a series of low-level operations: alignment to 4-byte boundaries (and $0xfffffffc, %ecx), fixed memory offsets (add $0x23), and repeated use of instructions such as mov, lea, and arithmetic operations, all indicative of a custom-built symmetric routine. 

Despite the absence of a traditional XOR operation, the logic appears reversible and consistent with homemade encryption mechanisms. 

Disassembly of the decrypter around offset 0x40C270

We have already infected our test machine and vaccinated it, and we are ready for the next stop on our journey: the ATT&CK Matrix. As usual, ANY.RUN takes care of that automagically. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

Follow along a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



Mapping the Threat: Mamona via MITRE ATT&CK 

ANY.RUN’s ATT&CK integration makes it easy to understand and track malware behaviour by profiling its events, tactics, and techniques.  

Mamona’s ATT&CK Matrix on ANY.RUN

Let’s take a look at how Mamona’s behaviour fits into this framework: 

  • Discovery: T1012: Query Registry + T1082: System Information Discovery. The reconnaissance routine where the malware queries different local registries like hostname and language. 
  • Execution: T1059.003: Command and Scripting Interpreter. Since Mamona spawns CMD to invoke ping as a cheap delay mechanism and then moves on to its self-deletion. 
  • Defense Evasion: T1070.004: Indicator Removal. The self deletion routine attached to the previous ping command. 
  • Impact: T1486: Data Encrypted for Impact. The encryption process where all our files end up having the “.HAes” extension. 

This sums up Mamona’s behavior, which deviates from the usual pattern seen in commodity ransomware. It shows no network activity, no Command and Control channels over Telegram, Discord, or similar platforms. Instead, it relies on a weak, locally executed key generation routine and doesn’t include any form of double extortion, making its threats of data theft and publication purely coercive. 

What it does have is a retro-styled decrypter that, despite its clunky and outdated interface, simply works. 

Mamona Threat Impact 

The Mamona ransomware campaign presents significant risks despite its offline, minimalistic design: 

For end users: Victims face immediate file encryption, system disruption, and psychological pressure through false claims of data theft. The ransom note’s threatening tone adds urgency, even though there’s no actual data exfiltration. 

For organizations: Mamona can interrupt workflows, encrypt shared drives, and complicate incident response, especially in environments lacking offline backups or real-time monitoring. Its simplicity also makes it harder to detect through conventional network-based defenses. 

For security teams: The absence of C2 traffic and use of locally executed logic reduce visibility in traditional detection systems. Its use of basic commands like ping and cmd.exe mimics legitimate activity, requiring deeper behavioral analysis to flag accurately. 

For the broader threat landscape: Mamona exemplifies the rise of easy-to-use, builder-based ransomware that favors simplicity over sophistication. Its leaked builder lowers the entry barrier for attackers, raising concerns about wider adoption by low-skilled threat actors. 

Conclusion 

The analysis of Mamona Ransomware shows how even a quiet, offline threat can cause disruptions.  

This strain highlights a rising trend: ransomware that trades complexity for accessibility. It’s easy to deploy, harder to detect with traditional tools, and still effective enough to encrypt systems and pressure victims into paying. Its leaked builder and low barrier to entry only raise the risk of widespread abuse by less sophisticated attackers. 

By analyzing Mamona in real time using ANY.RUN’s Interactive Sandbox, we were able to capture the full attack chain, from initial execution and system changes to ransom note deployment and encryption logic, all without needing external network traces. 

Here’s how this type of dynamic analysis helps defenders stay ahead: 

  • Detect threats faster: Spot unusual behavior, even in offline-only attacks. 
  • See everything in motion: Monitor local activity, file operations, and persistence techniques as they happen. 
  • Speed up investigations: Gather and interpret IOCs without jumping from one tool to another. 
  • Respond more effectively: Share artifacts and tactics across security teams. 

Experience real-time visibility with ANY.RUN and catch threats others might miss. 

Try ANY.RUN’s Interactive Sandbox today 

IOCs 

SHA256:b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77 

SHA256:c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7 

Ext:.HAes 

File:README.HAes.txt 

References 

https://bazaar.abuse.ch/sample/c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7

https://bazaar.abuse.ch/sample/b6c969551f35c5de1ebc234fd688d7aa11eac01008013914dbc53f3e811c7c77

https://app.any.run/tasks/cdcc75cd-d1f0-4fae-8924-d1aa44525e7e

The post Mamona: Technical Analysis of a New Ransomware Strain appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Proactive threat hunting with Talos IR

Proactive threat hunting with Talos IR

At Cisco Talos, we understand that effective cybersecurity isn’t just about responding to incidents — it’s about preventing them from happening in the first place. One of the most powerful ways we do this is through proactive threat hunting. Our Talos Incident Response (Talos IR) team works closely with organizations to not only address existing threats but to anticipate and mitigate potential future risks. A key component of our threat-hunting approach is the Splunk SURGe team’s PEAK Threat Hunting Framework, which enables us to conduct comprehensive and proactive hunts with precision.

What is the PEAK Threat Hunting Framework?

The PEAK Framework (Prepare, Execute, and Act with Knowledge) offers a structured methodology for conducting effective and focused threat hunts. It ensures that every hunt is aligned with an organization’s specific needs and threat landscape. At the core of the PEAK framework are baseline hunts, which lay the foundation for proactive threat detection, alongside advanced techniques such as hypothesis-driven hunts and model-assisted threat hunts (M-ATH), which further enhance threat detection and mitigation.

Baseline hunts: the foundation of proactive threat hunting

Baseline hunts involve establishing a clear understanding of an organization’s normal operating environment in terms of user activity, network traffic and system processes. By documenting and analyzing this baseline, Talos IR can identify anomalous behavior that may signal malicious activity.

While these hunts can be a reactive measure, it’s important to use them proactively to detect threats trying to blend in with regular operations, such as insider threats, advanced persistent threats (APTs) and even novel attack techniques that might otherwise go undetected.

The key steps in baseline hunts are:

  1. Defining Normal Activity: Understanding what “normal” looks like in your environment, using data from system logs, user behavior, and network traffic.
  2. Anomaly Detection: Proactively hunting for deviations from the baseline that could indicate potential threats.
  3. Refining the Baseline: Continuously improving and updating the baseline to account for emerging threats and changes in your infrastructure.

Hypothesis-driven hunts: Testing assumptions about threats

In addition to baseline hunts, Talos IR also uses hypothesis-driven hunts to proactively test assumptions about potential threats. These hunts are guided by specific hypotheses or educated guesses about what attackers might be doing in a given environment. Rather than relying on a static, one-size-fits-all approach without adjustments, hypothesis-driven hunts are dynamic, adapting to the specific questions and emerging threats that arise.

For example, a hypothesis-driven hunt might begin with the assumption that a particular group of users is being targeted by a phishing campaign. The hunt would focus on testing this assumption by looking for evidence of malicious emails, unusual login patterns or attempts to collect or exfiltrate data.

The key steps in hypothesis-driven hunts are:

  1. Forming Hypotheses: Based on threat intelligence and past incidents, teams generate specific hypotheses about possible attack vectors or adversary behaviors.
  2. Testing Hypotheses: Using data sources such as endpoint telemetry, authentication logs or network traffic, the hypothesis is tested to see if evidence supports the theory.
  3. Analyzing Results: If the hypothesis is validated, further investigation is done to understand the full scope of the potential threat.

Model-assisted threat hunts: Leveraging machine learning to find hidden threats

Another powerful tool in Talos IR’s proactive hunting approach is model-assisted threat hunts (M-ATHs). These hunts leverage machine learning and advanced statistical models to sift through vast amounts of data and identify patterns that may indicate hidden threats. M-ATHs allow our team to detect threats that would be difficult to find using traditional methods.

Machine learning models are trained to detect suspicious behavior across different domains — such as user activity, network traffic or system logs — by looking for deviations from typical patterns. Over time, as these models learn from new data and threat intelligence, they improve in their ability to detect emerging threats.

The key steps in M-ATHs are:

  1. Data Collection: Gathering large datasets from multiple sources, including network traffic, endpoint data, authentication logs, and more.
  2. Model Training: Using machine learning algorithms to identify patterns in normal and malicious behavior.
  3. Anomaly Detection: The trained model helps identify new, previously undetected anomalies or potential threats by looking for deviations from established patterns.
  4. Refinement: The model is refined as new data is collected and analyzed, improving its ability to detect subtle threats.

Empowering threat hunts with Talos Threat Intelligence

A crucial element that enriches and empowers every Talos IR threat hunt is Talos Threat Intelligence. By integrating up-to-date, high-fidelity threat intelligence into our hunts, we enhance the accuracy, relevance, and speed of our investigations. Talos Threat Intelligence provides a continuous stream of data on emerging threats, attack trends and adversary tactics, which helps us refine hypotheses, adjust baselines and improve our machine learning models.

This intelligence is not just a complement to our hunting process; it is embedded in every stage. It helps guide our hypothesis-driven hunts, sharpens our baseline detections and feeds into the models we use for anomaly detection. With Talos Threat Intelligence, we ensure that every hunt is aligned with the latest threat landscape, empowering your team with the knowledge needed to stay one step ahead of attackers.

Proactive engagements for IR Retainer customers

For Talos IR Retainer customers, baseline hunts, hypothesis-driven hunts, and model-assisted threat hunts provide a valuable layer of ongoing, proactive support. These hunts help organizations detect and mitigate threats before they escalate into full-blown incidents. Our expert hunters work directly with your teams, ensuring that you stay ahead of evolving threats.

Some key benefits of these proactive engagements include:

  • Early Detection: Identifying abnormal activities that could signal a breach or malicious action, reducing the risk of an attack spreading.
  • Continuous Improvement: As we refine the baseline and hunting models, your security posture improves over time, allowing for faster and more accurate threat detection.
  • Actionable Insights: Proactive hunts deliver actionable intelligence that helps your teams strengthen their defenses, based on the latest threat trends and attack methods.

Why it matters

The cybersecurity landscape is constantly evolving, and traditional defensive methods alone are no longer sufficient. Threat actors are adept at blending malicious activity with normal operations, making it difficult to spot attacks using conventional means. By conducting baseline hunts, hypothesis-driven hunts and model-assisted threat hunts, Talos IR gives your organization the tools it needs to stay ahead of adversaries.

As new evidence is uncovered during a hunt, our team adapts and refines the investigation in real time — evolving the hypothesis, adjusting the scope or pivoting to new areas of focus based on what the data reveals.

If an active threat, adversary or malicious activity is detected during a hunt, Talos IR can dynamically pivot the engagement and escalate the situation to our 24/7 on-call Incident Response team. This ensures rapid response for containment, mitigation and eradication, effectively minimizing the potential impact of the threat.

Our Talos IR team collaborates seamlessly with the hunting team to deliver real-time support in identifying, isolating and neutralizing active threats. This integrated approach ensures your systems remain secure and prevents the threat from escalating further.

At Talos, our goal is to empower your team with the knowledge and tools to detect threats proactively, before they turn into incidents. Through our IR Retainer services, we provide continuous support to help you improve your security posture and stay one step ahead of emerging threats, all while leveraging the full power of Talos Threat Intelligence.

For more information about this service, download our At-a-Glance:

Cisco Talos Blog – ​Read More

Apple beefs up parental controls: what it means for kids | Kaspersky official blog

Earlier this year, Apple announced a string of new initiatives aimed at creating a safer environment for young kids and teens using the company’s devices. Besides making it easier to set up kids’ accounts, the company plans to give parents the option of sharing their children’s age with app developers so as to be able to control what content they show.

Apple says these updates will be made available to parents and developers later this year. In this post, we break down the pros and cons of the new measures. We also touch on what Instagram, Facebook (and the rest of Meta) have to do with it, and discuss how the tech giants are trying to pass the buck on young users’ mental health.

Before the updates: how Apple protects kids right now

Before we talk about Apple’s future innovations, let’s quickly review the parental control status quo on Apple devices. The company introduced its first parental controls way back in June 2009 with the release of the iPhone 3.0, and has been developing them bit by bit ever since.

As things stand, users under 13 must have a special Child Account. These accounts allow parents to access the parental control features built into Apple’s operating systems. Teenagers can continue using a Child Account until the age of 18, as their parents see fit.

Child Accounts on Apple devices

What Apple’s Child Account management center currently looks like. Source

Now for the new stuff…

The company has announced a series of changes to its Child Account system related to how parental status is verified. Additionally, it’ll soon be possible to edit a child’s age if it was entered incorrectly. Previously, for accounts of users under 13, it wasn’t even an option: Apple suggested waiting “for the account to naturally age up”. In borderline cases (accounts of kids just under 13), you could try a workaround involving changing the birth date — but such tricks won’t be needed for much longer.

But perhaps the most significant innovation relates to simplifying the creation of these Child Accounts. Henceforth, if parents don’t set up a device before their under-13-year-old starts using it, the child can do it themselves. In this case, Apple will automatically apply age-appropriate web content filters and only allow pre-installed apps, such as Notes, Pages, and Keynote.

Upon visiting the App Store for the first time to download an app, the child will be prompted to ask a parent to complete the setup. On the other hand, until parental consent is given, neither app developers nor Apple itself can collect data on the child.

At this point, even the least tech-savvy parent might ask the logical question: what if my child enters the wrong age during setup? Say, not 10, but 18. Won’t the deepest, darkest corners of the internet be opened up to them?

How Apple intends to solve the age verification issue

The single most substantial of Apple’s new initiatives announced in early 2025 attempts to address the problem of online age verification. The company proposes the following solution: parents will be able to select an age category and authorize sharing this information with app developers during installation or registration.

This way, instead of relying on young users to enter their date-of-birth honestly, developers will be able to use the new Declared Age Range API. In theory, app creators will also be able to use age information to steer their recommendation algorithms away from inappropriate content.

Through the API, developers will only know a child’s age category — not their exact date of birth. Apple has also stated that parents will be able to revoke permission to share age information at any time.

In practice, access to the age category will become yet another permission that young users will be able to give (or, more likely, not give) to apps — just like permissions to access the camera and microphone, or to track user actions across apps.

This is where the main flaw of the proposed solution lies. At present, Apple has given no guarantee that if a user denies permission for age-category access, they won’t be able to use a downloaded app. This decision rests with app developers, as there are no legal consequences for allowing children access to inappropriate content. Moreover, many companies are actively seeking to grow their young audience, since young kids and teens spend a lot of their time online (more on this below).

Finally, let’s mention Apple’s latest innovation: its updating its age-rating system. It will now consist of five categories: 4+, 9+, 13+, 16+, and 18+. In the company’s own words, “This will allow users a more granular understanding of an app’s appropriateness, and developers a more precise way to rate their apps”.

Apple's new age rating system

Apple is updating its age rating system — it will comprise five categories. Source

Apple and Meta disagree over who’s responsible for children’s safety online

The problem of verifying a young person’s age online has long been a hot topic. The idea of showing ID every time you want to use an app is, naturally, hardly a crowd-pleaser.

At the same time, taking all users at their word is asking for trouble. After all, even an 11-year-old can figure out how to edit their age in order to register on TikTok, Instagram, or Facebook.

App developers and app stores are all too eager to lay the responsibility for verifying a child’s age at anyone else’s doorstep but their own. Among app developers, Meta is particularly vocal in advocating that age verification is the duty of app stores. And app stores (especially Apple’s) insist that the buck stops with app developers.

Many view Apple’s new initiatives on this matter as a compromise. Meta itself has this to say:

“Parents tell us they want to have the final say over the apps their teens use, and that’s why we support legislation that requires app stores to verify a child’s age and get a parent’s approval before their child downloads an app”.

All very well on paper — but can it be trusted?

Child safety isn’t the priority: why you shouldn’t trust tech giants

Entrusting kids’ online safety to companies that directly profit from the addictive nature of their products doesn’t seem like the best approach. Leaks from Meta, whose statements on Apple’s solution we cited above, have repeatedly shown that the company targets young users deliberately.

For example, in her book Careless People, Sarah Wynne-Williams, former global public policy director at Facebook (now Meta), recounts how in 2017 she learned that the company was inviting advertisers to target teens aged 13 to 17 across all its platforms, including Instagram.

At the time, Facebook was selling the chance to show ads to youngsters at their most psychologically vulnerable — when they felt “worthless”, “insecure”, “stressed”, “defeated”, “anxious”, “stupid”, “useless”, and/or “like a failure”. In practice, this meant, for example, that the company would track when teenage girls deleted selfies to then show them ads for beauty products.

Another leak revealed that Facebook was actively hiring new employees to develop products aimed at kids as young as six, with the goal of expanding its consumer base. It’s all a bit reminiscent of tobacco companies’ best practices back in the 1960s.

Apple has never particularly prioritized kids’ online safety, either. For a long time its parental controls were quite limited, and kids themselves were quick to exploit holes in them.

It wasn’t until 2024 that Apple finally closed a vulnerability allowing kids to bypass controls just by entering a specific nonsensical phrase in the Safari address bar. That was all it took to disable Screen Time controls for Safari — giving kids access to any website. The vulnerability was first reported back in 2021, yet it took three years for the company to react.

Content control: what really helps parents

Child psychology experts agree that unlimited consumption of digital content is bad for children’s psychological and physical health. In his 2024 book The Anxious Generation, US psychologist Jonathan Haidt describes how smartphone and social media use among teenage girls can lead to depression, anxiety, and even self-harm. As for boys, Haidt points to the dangers of overexposure to video games and pornography during their formative years.

Apple may have taken a step in the right direction, but it’ll be for nothing if third-party app developers decide not to play ball. And as the example of Meta illustrates, relying on their honesty and integrity seems premature.

Therefore, despite Apple’s innovations, if you need a helping hand, you’ll find one… at the end of your own arm. If you want to maintain control over what and how much your child consumes online with minimal interference in their life, look no further than our parental control solution.

Kaspersky Safe Kids lets you view reports detailing your child’s activity in apps and online in general. You can use these to customize restrictions and prevent digital addiction by filtering out inappropriate content in search results and, if necessary, blocking specific sites and apps.

What other online threats do kids face, and how to neutralize them? Essential reading:

Kaspersky official blog – ​Read More

RSAC 2025 wrap-up – Week in security with Tony Anscombe

From the power of collaborative defense to identity security and AI, catch up on the event’s key themes and discussions

WeLiveSecurity – ​Read More

Understanding the challenges of securing an NGO

Understanding the challenges of securing an NGO

Welcome to this week’s edition of the Threat Source newsletter. 

Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.  

I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos and help others who provide housing to the homeless, protect refugees or feed the hungry, damn right I’m gonna do it. And NGOs? They really need help.  

In today’s global humanitarian funding climate, money and grants are very scarce to come by. This means the competition for the dollars that remain is fierce, and that things like cybersecurity can fall by the wayside. But security in an NGO is incredibly important. We’re talking about incredibly vulnerable and marginalized people who deserve aid, and the amazing volunteers who should have privacy without malicious interference. 

The hard truth is that cybersecurity can be a bleak space. We as professionals do not operate in the “good news” business. We work, and thrive, in adversarial conditions — actively searching for what the bad guys are doing and learning how they are coming after the good guys. They’re launching ransomware. They are extorting and causing real harm to others. This is day in and day out, and it can wear you down mentally. You have to endure and focus on the mission. After all, that’s the gig. 

This is why I enjoy volunteering by either giving some of my time and expertise to a mentee or to an NGO that has an outstanding mission to help others. It puts fuel in your soul and reminds you that others are fighting their own good fights. These organizations are some of the best. They have a thankless, often dangerous, mission to help others have better lives. The way I see it, volunteering is the least I could do. 

If you want to join me, there are some places that could use your help. Check out the Cyber Peace Institute, or Defcon Project Franklin.

The one big thing 

This week is bittersweet because we’re discussing the final section of Talos’ 2024 Year in Review report. Let’s jump into the abyss of AI-based threats together. 

Why do I care? 

AI may not have upended the threat landscape last year, but it’s setting the stage for 2025, where agentic AI and automated vulnerability discovery could pose serious challenges for defenders. The future may bring:

  1. The use of agentic AI to conduct multi-stage attacks or find creative ways to access restricted systems 
  2. Improved personalization and professionalization of social engineering 
  3. Automated vulnerability discovery and exploitation 
  4. Capabilities to compromise AI models, systems and infrastructure that organizations around the world are building 

So now what? 

Continue to stay informed and alert, and for more information, read Talos’ blog post about these threats or download the full Year in Review.

Top security headlines of the week 

AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover. The identified security defects, 23 in total, could be exploited over wireless networks and peer–to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK. (SecurityWeek

4 Million Affected by VeriSource Data Breach. VeriSource says the stolen information belonged to employees and dependents of companies using its services. It has been working with its customers to “collect the necessary information to notify additional individuals affected by this incident.” (SecurityWeek

SAP NetWeaver Visual Composer Flaw Under Active Exploitation. CVE-2025-31324 is a critical vulnerability with a maximum CVSS score of 10 that affects all SAP NetWeaver 7.xx versions. It allows unauthenticated remote attackers to upload arbitrary files to Internet exposed systems without any restrictions. (DarkReading

FBI shares massive list of 42,000 LabHost phishing domains. The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. (BleepingComputer)

Can’t get enough Talos? 

State-of-the-art phishing: MFA bypass. Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist. This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

TTP Episode 11. Craig, Bill and Hazel discuss three of the biggest callouts from Cisco Talos’ latest Incident Response Quarterly Trends.

Talos Takes: Identity and MFA. Hazel and friends discuss how AI isn’t rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/  
Typical Filename: VID001.exe 
Detection Name: Win.Worm.Bitmin-9847045-0 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: img001.exe 
Detection Name: Simple_Custom_Detection 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: VID001.exe  
Detection Name: Coinminer:MBT.26mw.in14.Talos

Cisco Talos Blog – ​Read More

State-of-the-art phishing: MFA bypass

  • Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies. 
  • The developers behind Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Evilproxy have added features to make them easier to use and harder to detect.
  • WebAuthn, a passwordless MFA solution using public key cryptography, prevents password transmission and nullifies server-side authentication databases, offering a robust defense against MFA bypass attacks. 
  • Despite its strong security benefits, WebAuthn has seen slow adoption. Cisco Talos recommends that organizations reassess their current MFA strategies in light of these evolving phishing threats.  

State-of-the-art phishing: MFA bypass

For the past thirty years, phishing has been a staple in many cybercriminals’ arsenals. All cybersecurity professionals are familiar with phishing attacks: Criminals impersonate a trusted site in an attempt to social engineer victims into divulging personal or private information such as account usernames and passwords. In the early days of phishing, it was often enough for cybercriminals to create fake landing pages matching the official site, harvest authentication credentials and use them to access victims’ accounts.  

Since that time, network defenders have endeavored to prevent these types of attacks using a variety of techniques. Besides implementing strong anti-spam systems to filter phishing emails out of users’ inboxes, many organizations also conduct simulated phishing attacks on their own users to train them to recognize phishing emails. These techniques worked for a time, but as phishing attacks have become more sophisticated and more targeted, spam filters and user training have become less effective. 

At the root of this problem is the fact that usernames are often easy to guess or discover, and people are generally very bad at using strong passwords. People also tend to re-use the same weak passwords across many different sites. Cybercriminals, armed with a victim’s username and password, will often attempt credential stuffing attacks, and log into many different sites using the same username/password combination. 

To prove that users are valid, authentication systems generally rely on at least one of three authentication methods or factors: 

  • Something you know (ex. a username and password
  • Something you have (ex. a smartphone or USB key
  • Something you are (ex. your fingerprint or face recognition

In the presence of increasingly sophisticated phishing messages, using only one authentication factor, such as a username/password, is problematic. Many network defenders have responded by implementing MFA, which includes an additional factor, such as an SMS message or push notification, as an extra step to confirm a user’s identity when logging in. By including an additional factor in the authentication process, compromised usernames and passwords become much less valuable to cybercriminals. However, cybercriminals are a creative bunch, and they have devised a clever way around MFA. Enter the wild world of MFA bypass! 

How do attackers bypass MFA? 

In order to bypass MFA, attackers insert themselves into the authentication process using an adversary-in-the-middle (AiTM) attack

Typically, this is done using a reverse proxy. A reverse proxy functions as an intermediary server, accepting requests from the client before forwarding them on to the actual web servers to which the client wishes to connect.  

To bypass MFA the attacker sets up a reverse proxy and sends out phishing messages as normal. When the victim connects to the attacker’s reverse proxy, the attacker forwards the victim’s traffic onwards to the real site. From the perspective of the victim, the site they have connected to looks authentic — and it is! The victim is interacting with the legitimate website. The only difference perceptible to the victim is the location of the site in the web browser’s address bar.  

By inserting themselves in the middle of this client-server communication the attacker is able to intercept the username and password as it is sent from the victim to the legitimate site. This completes the first stage of the attack and triggers an MFA request sent back to the victim from the legitimate site. When the expected MFA request is received and approved, an authentication cookie is returned to the victim through the attacker’s proxy server where it is intercepted by the attacker. The attacker now possesses both the victim’s username/password as well as an authentication cookie from the legitimate site.

State-of-the-art phishing: MFA bypass
Figure 1. Flow diagram illustrating MFA bypass using a reverse proxy.

Phishing-as-a-Service (PhaaS) kits 

Thanks to turnkey Phishing-as-a-Service (Phaas) toolkits, almost anyone can conduct these types of phishing attacks without knowing much about what is happening under the hood. Toolkits such as Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, Mamba 2FA and more have emerged in this space. Over time the developers behind some of these kits have added features to make them easier to use and harder to detect:

  • Phaas MFA bypass kits typically include templates for the most popular phishing targets to aid cybercriminals in the task of setting up their phishing campaigns. 
  • MFA bypass kits limit access to the phishing links to only users who possess the correct phishing URL and redirect other visitors to benign webpages.  
  • MFA bypass kits often check the IP address and/or User-Agent header of the visitor, preventing access if the IP address corresponds to a known security company/crawler or if the User-Agent indicates that it is a bot. User-Agent filters may also be used to further target the phishing attacks towards users running specific hardware/software. 
  • Reverse proxy MFA bypass kits typically inject their own JavaScript code into the pages they serve to victims to gather additional information about the visitor, and handle redirects after the authentication cookie has been stolen. These scripts are often dynamically obfuscated to prevent static fingerprinting that would allow security vendors to identify the MFA bypass attack sites. 
  • To thwart anti-phishing defenses which may automatically visit URLs contained in an email at the time it is received, there may be a short, programmable delay between when the phishing message is sent and when the phishing lure URL is activated. 
State-of-the-art phishing: MFA bypass
Figure 2. An example phishing message associated with the Tycoon 2FA phishing toolkit.

Accelerating the rise in MFA bypass attacks via reverse proxy are publicly available open-source tools, such as Evilginx. Evilginx debuted in 2017 as a modified version of the popular open-source web server nginx. Over time, the application was redesigned and rewritten in Go and implements its own HTTP and DNS server. Although it is marketed as a tool for red teams’ penetration testing needs, because it is open source, anyone can download and modify it. 

Fortunately for defenders, there are characteristics common to Evilginx deployments, as well as other AiTM MFA bypass toolkits, that can provide clues an MFA bypass attack may be in progress: 

  • Many MFA bypass reverse proxy servers are hosted on relatively newly registered domains/certificates.  
  • Capturing an authentication cookie only gives attackers access to the victim’s account for that single session. Once they have access to a victim’s account, many attackers add additional MFA devices to the account to maintain persistence. By auditing MFA logs for this kind of activity, defenders may find accounts that have fallen victim to MFA bypass attacks. 
  • By default, Evilginx phishing lure URLs have a URL path consisting of 8 mixed case letters. 
  • By default, Evilginx uses HTTP certificates obtained from LetsEncrypt. Additionally, the certificates it creates by default have an Organization set to “Evilginx Signature Trust Co.”, and a CommonName set to “Evilginx Super-Evil Root CA”. 
  • After a session authentication cookie has been intercepted by the attacker, they will typically load this cookie into their own browser to impersonate the victim. Unless the attacker is careful, for a time, there will be two different users with different User-Agents and IP addresses using the same session cookie. This may be discoverable through web logs or security products that look for things like “impossible travel”. 
  • To avoid the victim clicking a link that redirects them away from the phishing site, the Evilginx reverse proxy rewrites URLs contained in the HTML from the legitimate site. Popular phishing targets may utilize very specific URL paths, and network defenders can look for these URL paths being served from servers other than the legitimate site.  
  • Many MFA bypass reverse proxy implementations are written using Transport Layer Security (TLS) implementations that are native to that programming language. Thus, the TLS fingerprint of the reverse proxy and the legitimate website will be different.  

WebAuthn to the rescue? 

FIDO (Fast IDentity Online) Alliance and W3C  created WebAuthn (Web Authentication API) — a specification that enables MFA based on public key cryptography. WebAuthn is essentially passwordless. When a user registers for MFA using WebAuthn, a cryptographic keypair is generated. The private key is kept on the user’s device, and the corresponding public key is kept on the server.  

When a client wants to log in, they indicate this to the server who responds with a challenge. The client then signs this data and returns it to the server. The server can verify the challenge was signed using the user’s private key. No passwords are ever entered into a web form, and no passwords are transmitted over the internet. This also has the side effect of making server-side authentication databases useless to attackers. What good will stealing a public key do? 

State-of-the-art phishing: MFA bypass
Figure 3. The WebAuthn authentication process.

As an extra layer of security, WebAuthn credentials are also bound to the website origin where they will be used. For example, suppose a user clicks a link in a phishing message and navigates to an attacker-controlled reverse proxy at mfabypass.com, which is impersonating the user’s bank. The location in the web browser’s address bar will not match the location of the bank to which the credentials are bound, and the WebAuthn MFA authentication process will fail. Binding credentials to a specific origin also eliminates related identity-based attacks such as credential stuffing, where attackers try to reuse the same credentials at multiple sites. 

Although the WebAuthn specification was first published back in 2019, it has experienced relatively slow adoption. Based on authentication telemetry data from Cisco Duo for the past six months, it appears that WebAuthn MFA authentications still make up a very low percentage of all MFA authentications.  

To a certain degree, this is understandable. Many organizations may have already rolled out other types of MFA and may feel like that is enough protection. However, they may want to rethink their approach as more and more phishing attacks implement MFA bypass strategies.  

Coverage

State-of-the-art phishing: MFA bypass

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Talos Blog – ​Read More