Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

/in

Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

Threat actors increasingly deployed web shells against vulnerable web applications and primarily exploited vulnerable or unpatched public-facing applications to gain initial access in Q4, a notable shift from previous quarters. The functionality of the web shells and targeted web applications varied across incidents, highlighting the multitude of ways threat actors can leverage vulnerable web servers as a gateway into a victim’s environment. Prior to this quarter, use of valid accounts had been Cisco Talos Incident Response (Talos IR)’s most observed method of initial access for over a year.  

Ransomware made up a slightly smaller portion of threats observed this quarter than in the past. Notably, the end of the year saw a surge of ransomware and pre-ransomware incidents, primarily involving BlackBasta ransomware, suggesting this as a threat to monitor going into 2025.  

Watch The Talos Threat Perspective for additional insights into the report, and recommendations for defenders

Web shells increasingly observed in adversaries’ post-compromise toolkits 

In 35 percent of incidents in Q4, threat actors deployed a variety of open-source and publicly available web shells against vulnerable or unpatched web applications, a significant increase from less than 10 percent in the previous quarter. In one incident, Talos IR observed the adversary uploading a web shell with the file name “401.php”, which was also seen last quarter. This PHP web shell is based on the publicly available Neo-regeorg web shell on GitHub and has been leveraged in several adversaries’ attack chains, according to a CISA advisory. Another incident involved the web fuzzer Fuzz Faster U Fool, which is used to perform brute force attacks against web applications to discover usernames and passwords and perform directory and virtual host discovery.  

Adversaries also leveraged older tools to support their post-compromise objectives, serving as a reminder for organizations to remain vigilant in adding applications to the allowlist/blocklist to control what software operates on their systems. In one incident, the attacker targeted a vulnerable server of JBoss using a tool called JexBoss, which was originally released on Github in 2014 and can be used to test and exploit vulnerabilities in Java platforms. The adversary saved JexBoss as a WAR file, and the contents included a malicious web shell named “jexws4.jsp”.  

Ransomware trends 

Ransomware, pre-ransomware, and data theft extortion accounted for nearly 30 percent of engagements this quarter, a slight decrease from the previous quarter, in which these types of engagements accounted for 40 percent. Talos IR observed Interlock ransomware for the first time, while also responding to previously seen ransomware variants BlackBasta and RansomHub. Talos IR was able to identify dwell times in the majority of engagements this quarter, which ranged from approximately 17 to 44 days. For example, in the Interlock ransomware incident, it took the adversary 17 days from the initial compromise stage until the deployment of the ransomware encryptor binary. Longer dwell times can indicate that an adversary is trying to expand their access, evade defenses, and/or identify data of interest for exfiltration. For example, in a RansomHub incident this quarter, operators had access to the compromised network for over a month before executing the ransomware and performed actions such as internal network scanning, accessing passwords for backups, and credential harvesting.  

Operators leveraged compromised valid accounts in 75 percent of ransomware engagements this quarter to obtain initial access and/or execute ransomware on targeted systems, highlighting the risk of identity-based attacks and the need for secure authentication methods. In a BlackBasta incident, for example, operators posed as the targeted entity’s IT department and used social engineering to gain access to an employee’s account, which consequently facilitated lateral movement into the network. In a RansomHub engagement, affiliates leveraged a compromised Administrator account to execute the ransomware, dump credentials, and run scans using a commercial network scanning tool. Of note, all organizations impacted by ransomware incidents this quarter did not have multifactor authentication (MFA) properly implemented or MFA was bypassed during the attack. 

As forecasted in last quarter’s IR quarterly trends report, this quarter featured two RansomHub incidents, in which affiliates leveraged newly identified tools and techniques. Talos IR observed affiliates leveraging a Veeam password stealer to target the Veeam data backup application, and KMS Auto, a tool designed to illicitly activate cracked Microsoft products. The operators also used a previously unseen persistent access technique, modifying Windows Firewall settings on targeted hosts to enable remote access. This activity occurred shortly before the ransomware was executed, potentially as a method to maintain direct access to the compromised systems. 

Talos IR observed operators leveraging remote access tools in 100 percent of ransomware engagements this quarter, a significant uptick from last quarter, when it was only seen in 13 percent of ransomware or pre-ransomware engagements. Commercial remote desktop software Splashtop in particular was involved in 75 percent of ransomware engagements this quarter, and other observed remote access tools included Atera, Netop, AnyDesk, and LogMeIn. In at least 50 percent of engagements, these tools were used to facilitate lateral movement, as actors used this remote access to pivot to other systems in the environment. 

Looking forward: Talos IR saw BlackBasta ransomware in one engagement that closed this quarter, as well as in a number of engagements that kicked off near the end of the year. In the observed attack chain, BlackBasta operators impersonate IT personnel to conduct double extortion attacks, which involves exfiltration of sensitive information that is then encrypted to pressure victims into paying. Our observations and corresponding public reporting on the group’s recent uptick in activity since December indicate that this is a ransomware threat to monitor going into the new year. 

Targeting  

Organizations in the education vertical were most affected for the second quarter in a row, accounting for nearly 30 percent of engagements. This is also consistent with Talos IR Q1 2024 (January–March) targeting trends, where the education sector was tied for the top targeted industry vertical. 

Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

Initial access 

For the first time in over a year, the most observed means of gaining initial access was the exploitation of public-facing applications, accounting for nearly 40 percent of engagements when initial access could be determined. This is a significant departure compared to previous quarters, where the use of valid accounts was consistently a top observed technique leveraged for initial access. While we still observed adversaries leverage compromised credentials and valid accounts to gain access, this shift is likely largely due to the number of web shell and ransomware incidents that took advantage of poorly patched or publicly exposed applications. 

Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

Looking forward: Since early December 2024, Talos IR has observed a surge in password-spraying attacks, leading to user account lockouts and denied VPN access. These attacks are often characterized by large volumes of traffic. For example, one organization reported nearly 13 million attempts were made in 24 hours against known accounts, indicating the adversary was likely running automated attacks. This activity primarily affected organizations in the public administration sector and was likely random and opportunistic. Although adversaries have been using password-spraying attacks for credential access for years, the sheer volume of authentication attempts in quick succession is a reminder that organizations should continue to stress the importance of MFA and strong password policies to limit unauthorized access attempts. 

Recommendations for addressing top security weaknesses 

 Implement MFA and other identity and access control solutions  

Talos IR recommends ensuring MFA is enforced on all critical services, including all remote access and identity and access management (IAM) services. In addition, to defend against MFA bypass via social engineering where prompts are accepted by a legitimate user, regular cybersecurity awareness training should cover relevant and updated social engineering topics. 

We continue to see a significant number of compromises involving misconfigured, weak, or lack of MFA. This issue was present in nearly 40 percent of total engagements this quarter and, as mentioned above, 100 percent of organizations impacted by ransomware incidents did not have MFA properly implemented or it was bypassed via social engineering.  

Since compromised accounts remains a top initial access vector, consider investing in IAM sevices and User Behavior Analytics (UBA), which can help identity suspicious account usage. 

Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

Patch regularly and replace end-of-life assets 

Talos IR also strongly recommends organizations ensure all operating systems and software in the environment are currently supported and replace those that have reached end-of-life. Unpatched and/or vulnerable software helped facilitate initial access across several incidents this quarter, and nearly 15 percent of incidents suffered from outdated and end-of-life software.  

If patching is not possible consider other mitigations, such as monitoring, especially for typical post-exploitation tools and behaviors; improving segmentation through firewalls, switch VLANs, subnetting, etc.; and disabling access to administrative shares.  In 40 percent of the web shell engagements, poor network segmentation and access to administrative shares resulted in adversaries moving laterally. 

Implement properly configured EDR solution  

Implement properly configured EDR and other security solutions. If an organization lacks the resources to successfully implement these solutions, they can consider outsourcing to a Managed XDR vendor to ensure proper configuration and 24/7 monitoring by security experts. 

Misconfigured or missing EDR solutions affected over 25 percent of all incidents for the quarter.   

Top-observed MITRE ATT&CK techniques  

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.  

Key findings from the MITRE ATT&CK framework include: 

  • The use of remote access tooling, such as Splashtop or AteraAgent, was leveraged in nearly 40 percent of engagements, compared to 5 percent in the previous quarter. 
  • Remote access tooling was leveraged in 100 percent of the ransomware incidents observed in Q4, a significant shift compared to that of the previous quarter. 
  • This is the first quarter in well over a year in which the use of valid accounts was not the top initial access technique. Instead, exploitation of public-facing applications, largely contributed by the high number of web shell incidents, was the top means of gaining access this quarter. 

Reconnaissance (TA0043)

T1589.001 Gather Victim Identity Information: Credentials

Adversaries may gather credentials that can be used during their attack.

T1598.003 Phishing for Information: Spearphishing Link

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack.

T1595.002 Active Scanning: Vulnerability Scanning

Adversaries may run vulnerability scans against an organization’s public-facing infrastructure to identify potential vulnerabilities to exploit.

T1598 Phishing for Information

Threat actor sent phishing messages to elicit sensitive information that can be used during targeting.

T1598.004 Phishing for Information: Spearphishing Voice

After clicking a malicious link contained within a trusted third-party site, the user was directed to call a fake Microsoft support site. After the user did so, they received repeated vishing calls for further information.

Initial Access (TA0001)

T1190 Exploit in Public-Facing Application

Adversaries may exploit a vulnerability to gain access to a target system.

T1078 Valid Accounts

Adversaries may use compromised credentials to access valid accounts during their attack.

T1189 Drive-by Compromise

Uses compromised websites or ads to lure victims into downloading a malicious installer.

T1566 Phishing Link

Adversary sends a phishing email which contains a malicious link.

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack.

T1204.001 User Execution: Malicious Link

The victim clicked on a malicious link in a phishing email.

T1059.006 Command and Scripting Interpreter: Python

Adversary used Python commands for execution.

T1059.003 Command and Scripting Interpreter: Windows Command Shell

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack.

T1047 Windows Management Instrumentation

Adversaries may use Windows Management Instrumentation (WMI) to execute malicious commands during the attack.

T1059.004 Command and Scripting Interpreter: Unix Shell

The adversary executed shell commands.

Persistence (TA0003)

T1505.003 Server Software Component: Web Shell

Deploy web shells on vulnerable systems.

T1136 Create Account

Adversaries may create a new account to maintain persistence in a target environment.

T1053.005 Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for recurring execution of malware or malicious commands.

Privilege Escalation (TA0004)

T1078.002 Valid Accounts: Domain Accounts

Adversaries may abuse their access to valid accounts allowing access to privileged resources of the domain.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection.

T1027.010 Obfuscated Files or Information: Command Obfuscation

Adversaries may obfuscate commands to evade detection during their attack.

T1070.004 Indicator Removal: File Deletion

Adversaries may delete files to cover their tracks during the attack.

T1484.001 Domain or Tenant Policy Modification: Group Policy Modification

Modify GPOs to push out malicious scheduled tasks.

T1070.001 Indicator Removal: Clear Windows Event Logs

Adversaries may clear the Windows event logs to cover their tracks and impair forensic analysis.

T1036 Masquerading

The attacker deployed a ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file onto the victim machine.

T1070.002 Indicator Removal: Clear Linux or Mac System Logs

Log clearing via sudo.

T1218.014 System Binary Proxy Execution: MMC

Adversaries abuse MMC to carry out malicious activities, such as execute malicious files.

T1112 Modify Registry

Adversary used some registry modifications to get privilege escalation.

Credential Access (TA0006)

T1003 OS Credential Dumping

Adversaries may dump credentials from various sources to enable lateral movement.

T1110.003 Brute Force: Password Spraying

Adversaries use a list of usernames and passwords to try and gain access to user accounts.

T1621 Multi-Factor Authentication Request Generation

Adversaries may generate MFA push notifications causing an MFA exhaustion attack.

T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Adversaries may obtain credentials from the victim’s Chrome browser.

T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

Use Kerberoasting PowerShell commands for credential access.

Discovery (TA0007)

T1046 Network Service Discovery

Adversaries may use tools like Advanced Port Scanner for network scanning.

T1069.002 Permission Groups Discovery

Adversary identified domain admins in the environment.

T1018 Remote System Discovery

Adversaries may attempt to discover information about remote systems with commands, such as “net view”.

T1082 System Information Discovery

Adversary performed large scale host enumeration

T1083 File and Directory Discovery

Adversary enumerated files and directories to identify certain key files.

T1033 System Owner / User Discovery

Adversaries may attempt to discover information about the logged in user of a compromised account with commands, such as “whoami”.

T1016 System Network Configuration Discovery

Adversaries may use commands, such as ifconfig and net use, to identify network connections.

T1087.001 Account Discovery: Local Account

Enumerate user accounts on the system.

T1135 Network Share Discovery

Enumerate network shares on a host.

Lateral Movement (TA0008)

T1021.001 Remote Services: Remote Desktop Protocol

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.

T1021.004 Remote Services: SSH

Adversaries may abuse valid accounts using SSH to move laterally in a target environment.

T1550.002 Use Alternative Authentication Material: Pass the Hash

Adversaries may bypass access controls by using stolen password hashes.

T1570 Lateral Tool Transfer

Adversary transfers tools and files between systems in a compromised environment

Collection (TA0009)

T1005 Data from Local System

Adversaries may collect information from an infected system

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration

T1560 Archive Collected Data

Adversaries may archive staged data using tools, such as WinRAR.

T1530 Data from Cloud Storage

Collect files from cloud services.

Command and Control (TA0011)

T1219 Remote Access Software

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system.

T1071.001 Application Layer Protocol: Web Protocols

Communicate between compromised hosts and attacker-controlled servers via HTTP POST/GET requests.

T1090 Proxy

An adversary used a tool called Invoke-SocksProxy, intended for command and control.

T1102 Web Service

Adversary performed reconnaissance and made network connections to a Discord IP address.

Exfiltration (TA0010)

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltrate data to web server.

T1537 Transfer Data to Cloud Account

Adversary exfiltrated data to an attacker-controlled cloud account.

Impact (TA0040)

T1486 Data Encrypted for Impact

Adversaries may use ransomware to encrypt data on a target system.

T1490 Inhibit System Recovery

Adversaries may disable system recovery features, such as volume shadow copies.

Software/Tool

S0029 PsExec

Free Microsoft tool that can remotely execute programs on a target system.

S0349 LaZagne

A post-exploitation, open-source tool used to recover stored passwords on a system.

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols.

S0002 Mimikatz

Credential dumper that can obtain plaintext Windows logins and passwords.

S0154 Cobalt Strike

Adversary simulation tool.

S0552 AdFind

Freely available command-line query tool used for gathering information from Active Directory.

S0097 Ping

An operating system utility commonly used to troubleshoot and verify network connections.

S0225 Sqlmap

An open-source penetration testing tool used to automate the process of detecting and exploiting SQL injection flaws.

Cisco Talos Blog – ​Read More

UK, US Introduce “Content Credentials” Labeling to Counter Deepfakes, Misinformation in the Age of AI

/in

Cyble UK, US Introduce “Content Credentials” Labeling to Counter Deepfakes, Misinformation in the Age of AI

Overview

The rapid evolution of generative artificial intelligence (AI) has introduced both opportunities and risks in the digital landscape. While AI-generated content can enhance creativity and efficiency, it also presents significant challenges related to misinformation, deepfakes, and digital content authenticity. In response, the concept of Content Credentials has emerged as a critical solution for maintaining transparency and trust in multimedia content.

The Rise of AI-Generated Content and Its Challenges

Generative AI tools allow users to create realistic images, videos, and audio clips with minimal effort. This accessibility has raised concerns about digital deception, particularly in cybersecurity, journalism, and law enforcement. Malicious actors can leverage AI-generated media for fraudulent activities, impersonation, and disinformation campaigns, eroding trust in online information.

Traditional verification methods, such as metadata analysis and forensic detection, are increasingly inadequate in detecting sophisticated AI-generated content. As a result, organizations and governments worldwide are seeking innovative solutions to establish content provenance and ensure media integrity.

What Are Content Credentials?

Content Credentials serve as a digital “nutrition label” for media, embedding cryptographically signed metadata that tracks the origin, authorship, and modifications of digital content. This metadata can be attached to images, videos, and other media at the point of creation or during post-processing.

The Coalition for Content Provenance and Authenticity (C2PA) has been at the forefront of developing Content Credentials as an open standard. Supported by major technology firms like Adobe, Microsoft, and Google, this initiative aims to enhance transparency and counteract the proliferation of deceptive content.

Durable Content Credentials to Enhance Media Integrity

To further strengthen digital provenance, Durable Content Credentials have added additional layers of security through:

  • Digital Watermarking: Embedding invisible watermarks in media files to retain metadata even when content is altered or stripped of visible credentials.

  • Media Fingerprinting: Creating a unique fingerprint for content that enables verification even if metadata is removed.

These mechanisms help ensure the persistence of Content Credentials, making them more resistant to tampering or erasure.

Use Cases of Content Credentials

The implementation of Content Credentials extends across multiple industries, including:

  • Journalism: News organizations can use Content Credentials to verify the authenticity of images and videos, preventing the spread of doctored media.

  • Cybersecurity: Organizations can track the origins of AI-generated media to mitigate the risks of deepfake attacks and impersonation fraud.

  • Forensics and Law Enforcement: Digital evidence can be authenticated to maintain chain-of-custody integrity.

  • Government and National Security: Authorities can use Content Credentials to combat foreign interference and disinformation campaigns.

  • Artificial Intelligence and Data Science: AI models can be trained with verified data, reducing the risk of “model collapse” from synthetic data contamination.

The Global Push for Adoption

Governments and cybersecurity agencies worldwide are recognizing the importance of Content Credentials. The National Security Agency (NSA), Australian Signals Directorate (ASD), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) have jointly emphasized the need for widespread adoption of these technologies.

The European Union’s AI Act also mandates transparency measures for AI-generated content, reinforcing the importance of provenance tracking.

Preparing for a Future of Trusted Digital Content

Organizations looking to integrate Content Credentials should take proactive steps:

  1. Upgrade Software and Hardware: Use cameras and editing software that support Content Credentials.

  2. Implement Metadata Preservation Policies: Ensure that metadata remains intact throughout content creation and distribution.

  3. Engage with Open Standards Initiatives: Join the C2PA community to stay informed about best practices and technological advancements.

  4. Educate Stakeholders: Train employees and users on the importance of media provenance and how to verify Content Credentials.

Conclusion

As AI-generated content becomes more prevalent, the need for verifiable digital integrity has never been more urgent. Content Credentials offer a robust framework for establishing trust in digital media by providing transparent, verifiable information about content origins. By adopting and promoting these technologies, organizations, and individuals can help safeguard the integrity of digital ecosystems, ensuring a more trustworthy information landscape in the generative AI era.

References:

https://media.defense.gov/2025/Jan/29/2003634788/-1/-1/0/CSI-CONTENT-CREDENTIALS.PDF

The post UK, US Introduce “Content Credentials” Labeling to Counter Deepfakes, Misinformation in the Age of AI appeared first on Cyble.

Blog – Cyble – ​Read More

ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes

/in

Cyble ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes

Overview

A pair of 9.8-severity flaws in mySCADA myPRO Manager SCADA systems were among the vulnerabilities highlighted in Cyble’s weekly Industrial Control System (ICS) Vulnerability Intelligence Report.

Cyble Research & Intelligence Labs (CRIL) examined eight ICS vulnerabilities in the January 28 report for clients, including high-severity flaws in critical manufacturing, energy infrastructure, and transportation networks.

OS Command Injection (CWE-78) and Improper Security Checks (CWE-358, CWE-319) accounted for half of the vulnerabilities in the report, “indicating a persistent challenge in securing authentication and execution processes in ICS environments,” Cyble said.

Critical mySCADA Vulnerabilities

The critical mySCADA myPRO supervisory control and data acquisition (SCADA) vulnerabilities haven’t yet appeared in the NIST National Vulnerability Database (NVD) or the MITRE CVE database, but they were the subject of a CISA ICS advisory on January 23.

The mySCADA myPRO Manager system provides user interfaces and functionality for real-time monitoring and control of industrial processes across a range of critical industries and applications. CISA said the vulnerabilities can be exploited remotely with low attack complexity, potentially allowing a remote attacker to execute arbitrary commands or disclose sensitive information.

CVE-2025-20061 was assigned a CVSS v3.1 base score of 9.8 and is an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. CISA said mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information, so the vulnerability could be used to execute arbitrary commands on an affected system.

CVE-2025-20014 is also a 9.8-severity OS Command Injection vulnerability, as myPRO also does not properly neutralize POST requests sent to a specific port with version information, which could potentially lead to an attacker executing arbitrary commands.

The following mySCADA products are affected:

  • myPRO Manager: Versions prior to 1.3

  • myPRO Runtime: Versions prior to 9.2.1

mySCADA recommends that users update to the latest versions:

  • mySCADA PRO Manager 1.3

  • mySCADA PRO Runtime 9.2.1

CISA also recommended that users minimize network exposure for all control system devices and systems to ensure they are not accessible from the Internet, locate control system networks and remote devices behind firewalls, and isolate them from business networks. If remote access is necessary, additional security steps, such as an updated VPN on a secure device, should be used.

Recommendations for Mitigating ICS Vulnerabilities 

Cyble recommends several controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include:

  1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA is recommended. A risk-based approach to vulnerability management reduces the risk of exploitation.

  2. Implementing a Zero-Trust Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.

  3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.

  4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets.

  5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors.

  6. Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.

  7. All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.

Conclusion

Industrial Control Systems (ICS) vulnerabilities can threaten critical infrastructure environments, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls are critical cybersecurity practices for ICS, OT, and SCADA environments.

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by  Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.

The post ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes appeared first on Cyble.

Blog – Cyble – ​Read More

Whatsup Gold, Observium and Offis vulnerabilities

/in

Whatsup Gold, Observium and Offis vulnerabilities

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

Observium Vulnerabilities  

Discovered by Marcin “Icewall” Noga.   

Two cross-site scripting vulnerabilities exist in Observium, which can lead to arbitrary JavaScript code execution, as well as one HTML code injection vulnerability. All three can be triggered by an authenticated user clicking a malicious link crafted by the attacker.  

Offis Vulnerabilities  

Discovered by Emmanuel Tacheau.   

Three vulnerabilities were found in the Offis DCMTK libraries that support the DICOM standard format. TALOS-2024-1957 (CVE-2024-28130) is an incorrect type conversion vulnerability that can lead to arbitrary code execution, and TALOS-2024-2121 (CVE-2024-52333) and TALOS-2024-2122 (CVE-2024-47796) are improper array index validation vulnerabilities that can lead to out-of-bounds write capabilities. All can be triggered with specially crafted malicious DICOM files.  

Whatsup Gold Vulnerabilities  

Discovered by Marcin “Icewall” Noga.   

Two Whatsup Gold vulnerabilities include a risk of information disclosure (TALOS-2024-1932 (CVE-2024-5017) and TALOS-2024-2089 (CVE-2024-12105)), which can be triggered by an attacker making an authenticated HTTP request. 

There is also a risk of disclosure of sensitive information (TALOS-2024-1933 (CVE-2024-5010)), and denial of service (TALOS-2024-1934 (CVE-2024-5011)). These two vulnerabilities can be triggered by an attacker making an unauthenticated HTTP request. 

Cisco Talos Blog – ​Read More

New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems

/in

Cyble New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued two urgent advisories regarding serious ICS vulnerabilities in industrial control systems (ICS) products. These ICS vulnerabilities, identified in Schneider Electric’s RemoteConnect and SCADAPack x70 Utilities, as well as B&R Automation’s Runtime software, pose online risks to critical infrastructure systems worldwide. The ICS vulnerabilities, if exploited, could lead to potentially devastating impacts on the integrity, confidentiality, and availability of systems within energy, critical manufacturing, and other essential sectors.

Schneider Electric’s Vulnerability in RemoteConnect and SCADAPack x70 Utilities

The ICS vulnerability in Schneider Electric’s RemoteConnect and SCADAPack x70 Utilities arises from the deserialization of untrusted data, identified as CWE-502. This flaw could allow attackers to execute remote code on affected workstations, leading to several security risks, including the loss of confidentiality and integrity. The issue is triggered when a non-admin authenticated user opens a malicious project file, which could potentially be introduced through email, file sharing, or other methods.

Schneider Electric has assigned the CVE identifier CVE-2024-12703 to this vulnerability, with a base CVSS v3 score of 7.8 and a CVSS v4 score of 8.5. Both versions highlight the severity of the issue, with potential consequences including unauthorized remote code execution.

This vulnerability affects all versions of both RemoteConnect and SCADAPack x70 Utilities, products widely deployed in sectors such as energy and critical manufacturing across the globe. Although Schneider Electric is working on a remediation plan for future product versions, there are interim steps that organizations can take to mitigate the risk. These include:

  • Only opening project files from trusted sources

  • Verifying file integrity by computing and checking hashes regularly

  • Encrypting project files and restricting access to trusted users

  • Using secure communication protocols when exchanging files over the network

  • Following established SCADAPack Security Guidelines for added protection

CISA recommends minimizing the network exposure of control system devices, ensuring they are not directly accessible from the internet, and placing control system networks behind firewalls to isolate them from business networks. When remote access is necessary, using secure methods like Virtual Private Networks (VPNs) is strongly advised. However, organizations should ensure that VPNs are regularly updated and adequately secured.

B&R Automation Runtime Vulnerability

The second advisory concerns a vulnerability in B&R Automation Runtime, a key software used in industrial control systems. The flaw arises from the use of a broken or risky cryptographic algorithm in the SSL/TLS component of B&R Automation Runtime versions prior to 6.1 and B&R mapp View versions prior to 6.1. Unauthenticated network-based attackers could exploit this vulnerability to impersonate legitimate services on impacted devices, creating opportunities for unauthorized access.

B&R Automation assigned CVE-2024-8603 to this vulnerability, which is identified as CWE-327. The CVSS v3 base score for this flaw is 7.5, indicating a moderately high risk to the affected systems. This vulnerability is especially concerning as it is exploitable remotely, with low attack complexity, making it a viable target for attackers seeking to compromise ICS environments.

The affected products are used worldwide, primarily in the critical manufacturing sector. B&R Automation has released an update (version 6.1) that corrects the issue, and users are strongly encouraged to apply this update to mitigate the risk. In the meantime, CISA recommends several mitigation strategies to limit exposure, including:

  • Applying the update to B&R Automation Runtime and B&R mapp View products as soon as possible

  • Minimizing network exposure for all control system devices to prevent direct internet access

  • Implementing firewalls and isolating control system networks from business networks

  • Utilizing VPNs for remote access while ensuring that VPNs are kept up-to-date and secure

Conclusion

While no known public exploits targeting these vulnerabilities have been reported to CISA at the time of publication, the discovery of these flaws in Schneider Electric and B&R Automation products highlights the ongoing risks facing critical infrastructure sectors. Exploiting vulnerabilities in ICS products can lead to serious consequences, including data breaches, operational disruptions, and physical damage to infrastructure.

These incidents emphasize the urgent need for organizations to adopt proactive cybersecurity measures, such as regular patching, file integrity verification, and secure network configurations. By following CISA’s guidance and implementing comprehensive defense-in-depth strategies, organizations can better protect their systems from both known and emerging threats, ultimately reducing their exposure to cyber risks and ensuring the security of critical assets.

References:

The post New ICS Vulnerabilities Discovered in Schneider Electric and B&R Automation Systems appeared first on Cyble.

Blog – Cyble – ​Read More

What scareware is and how to protect yourself | Kaspersky official blog

/in

Imagine: you’re calmly working away on your computer, when suddenly a scary message appears on the screen: “Your computer is infected with viruses! Install an antivirus immediately!” or “Your data is at risk! Clean your system immediately!” Panic? That’s what the scammers are hoping for.

This post explains what scareware is and why this threat is dangerous. We also give tips for avoiding falling for scarewarers’ tricks, and protecting you and your family from such attacks.

What is scareware?

Scareware is a type of digital fraud that weaponizes users’ fears. The aim is to frighten the victim into visiting a malicious site and downloading something they shouldn’t. Scareware usually mimics antiviruses, system optimizers, registry cleaners, and the like. But other, more exotic types also exist.

Scareware notification

The user is not so subtly informed that no fewer than five viruses have been found on their computer. However, the window header contains a small misprint: “Threaths detected” Source

To display their alarming messages, scammers tend to deploy browser pop-up windows and notifications, banner ads, and on occasion even good-old email.

Scareware creators use a variety of social engineering tricks to instill a sense of danger in the user. Often, threatening messages appear at the most unexpected moment — catching the victim off guard.

And scammers frequently hurry the victim into taking rash actions — not giving them time to think things over. Then, when the target has been properly prepared (that is, put into a state of panic), the attackers offer a simple solution to the problem: just install such-and-such software and all your troubles will be gone.

Fake antivirus

Fake antiviruses pretend to search for malware in the user’s system. Source

Upon receiving a scareware notification, in the best case scenario the victim will install a useless but harmless program on their device and pay a relatively small sum for the pleasure. But sometimes an attack can have more serious consequences. Under the guise of an “antivirus” or “system optimizer”, the victim may be fed proper malware that encrypts data or steals money from online bank accounts.

Sextortion scareware

Sometimes scammers employ a hybrid scheme: scareware combined with sextortion. It may go as follows: the user receives an intimidating email saying they’ve been caught in a compromising video.

To see for themselves, the victim is invited to visit a website where they can watch the footage. However, to view the video, they first need to install a special player. This, of course, is malware in disguise.

Faulty screen caused by a virus

In a new variant of the scareware scheme, the user is told that a virus has infected their smartphone. Nothing unusual so far — mobile versions of scareware have been around for ages. Here, however, the focus is artfully placed on what perhaps all smartphone owners fear the most: a faulty screen:

A faulty screen — falsely presented as the result of a virus

The scareware simulates screen damage caused by a virus that must be removed.Source

Curiously, the “faulty” display — which also blinks for added alarm — is capable of clearly showing the message about the supposed virus infection. How this window is able to float above a damaged screen is a mystery… To “fix” the screen, you just need to tap the button in the box and purchase the offered “antivirus”.

How to protect against scareware

Of course, the best defense against fake “protection” is the real thing. To defeat scareware, install a bona fide antivirus from a reputable developer, keep a close eye on its notifications, and always heed its recommendations.

Also bear in mind that it’s seniors who are most likely to fall victim. So it’s worth helping your older relatives get the right protection since it can be a challenge for them.

Kaspersky official blog – ​Read More

Australia’s Health Sector Receives $6.4 Million Cybersecurity Boost with New Threat Information-Sharing Network

/in

Cyble Australia’s Health Sector Receives $6.4 Million Cybersecurity Boost with New Threat Information-Sharing Network

The Australian Government has awarded a $6.4 million grant to CI-ISAC Australia, enabling the establishment of a new Health Cyber Sharing Network (HCSN). This initiative is designed to facilitate the rapid exchange of critical cyber threat information within Australia’s healthcare industry, which has become a target for cyberattacks.

The recent surge in cyberattacks on Australian healthcare organizations, including hospitals and health insurance providers, has highlighted the pressing need for enhanced cybersecurity measures. In response, the Australian Government has made healthcare the priority sector for its formal funding efforts.

This grant is part of a broader strategy to address the vulnerabilities in the nation’s health sector and ensure it is better equipped to handle the cyber threats faced by the industry.

A Growing Threat: The Cost of Cybersecurity Breaches

The healthcare industry globally has been facing increasing cybersecurity challenges, and Australia is no exception. According to reports from 2023, the global healthcare sector continues to experience the most expensive data breaches across industries for the 13th consecutive year. The average cost of a healthcare data breach was a staggering AUD$10.93 million, nearly double that of the financial industry, which recorded an average cost of $5.9 million.

Australia’s health sector, which encompasses a diverse range of organizations, from public and private hospitals to medical clinics and insurance providers, is increasingly vulnerable to cyber threats. This sector includes approximately 750 government hospitals, 650 private hospitals, and over 6,500 general practitioner clinics, along with numerous third-party suppliers and vendors.

The creation of the HCSN aims to address these risks by providing a secure, collaborative platform for information sharing. The network will enable health sector organizations to work together more effectively, breaking down silos and improving the speed and quality of cybersecurity threat information exchange.

The Role of CI-ISAC and the Health Cyber-Sharing Network

CI-ISAC Australia, the recipient of the $6.4 million Australian Government grant, will spearhead the creation and management of the Health Cyber Sharing Network. The HCSN will focus on fostering collaboration between Australian healthcare organizations, ensuring they can share relevant cyber threat information in a secure and confidential environment.

David Sandell, CEO of CI-ISAC Australia, emphasized the importance of this initiative: “The health and medical sector holds a large amount of incredibly private and personal medical and financial information. We have already seen several high-profile data breaches in the health sector, and the new network can help members reduce their cyber risks. Cyberattacks can also greatly disrupt important health services, and this industry cannot afford interruptions with patients’ wellbeing at stake.”

The Health Cyber Sharing Network will support the healthcare sector and bolster Australia’s broader critical infrastructure. Many critical infrastructure sectors, including healthcare, are interdependent. By participating in the network, healthcare organizations will contribute to improving the overall cyber resilience of Australia’s critical infrastructure.

Strengthening Cybersecurity Resilience

The new Health Cyber Sharing Network aims to better equip Australian healthcare organizations to manage and mitigate cyber threats. The platform will serve as a ‘neighborhood watch’ for the health sector, where organizations can exchange cybersecurity intelligence and collaborate to identify and respond to threats more efficiently.

Lieutenant General Michelle McGuinness CSC, the National Cyber Security Coordinator, expressed the strategic importance of this initiative: “We have seen in recent years the very real impact that healthcare-related cyberattacks can have on millions of Australians. Increasing threat information sharing contributes to the prevention of cyberattacks and builds resilience.”

The Australian Government’s funding is seen as an important step in achieving the nation’s goal of becoming a global leader in cybersecurity by 2030. McGuinness further noted, “Many in the healthcare sector would know well the philosophy that prevention is better than a cure. This also applies to cybersecurity and is the driving concept behind this grant.”

Invitation for Healthcare Organizations to Join the Network

To launch the Health Cyber Sharing Network, CI-ISAC is inviting eligible Australian healthcare organizations and their suppliers to join the network. As part of the initiative, new members will receive a complimentary 12-month CI-ISAC membership, which will provide them with access to a wealth of cybersecurity threat intelligence from across Australia’s critical infrastructure sectors.

By joining the network, healthcare organizations will benefit from closed-source, cross-sectoral cyber threat intelligence shared by other CI-ISAC members, which include organizations with high cyber maturity. This collaboration will improve the detection and response times to cyber threats, ultimately enhancing the security posture of Australian healthcare organizations.

A Trusted Platform for Collaboration

CI-ISAC, as a not-for-profit organization, facilitates collaboration between organizations within a trusted, industry-led environment. This includes the bi-directional sharing of cyber threat intelligence, which is essential for improving cybersecurity across Australia’s critical sectors. The new funding will allow CI-ISAC to expand its educational efforts, offering training on mitigating cyber threats, cyber and insider threat awareness, attack surface monitoring, and improving cyber incident response plans (CIRPs).

The broader cybersecurity ecosystem benefits as well, as CI-ISAC’s members span across 11 critical infrastructure sectors, including government, education, energy, water, telecommunications, and more. Existing members include major organizations such as Google Cloud AU, NBN, DXC Technology, and Transgrid. As the network grows, the value of cross-sector sharing will continue to increase, improving the ability of healthcare organizations to act swiftly and decisively when cyber threats are detected.

“The value for all sectors increases exponentially as more participants join the trusted network and share their own insights,” said Sandell. “Cross-sector sharing improves incident detection and response times, enabling health organizations and their suppliers to act more swiftly on threats observed in other industries.”

Conclusion

This initiative marks an important step forward in protecting the health sector’s sensitive data and ensuring the continued delivery of critical health services. The Australian Government’s $6.4 million grant to CI-ISAC Australia demonstrates the growing importance of cybersecurity within the healthcare sector. The Health Cyber Sharing Network is positioned to become a cornerstone in Australia’s broader strategy to strengthen its cybersecurity resilience and ensure the safety of its most sensitive data in the digital age.

The post Australia’s Health Sector Receives $6.4 Million Cybersecurity Boost with New Threat Information-Sharing Network appeared first on Cyble.

Blog – Cyble – ​Read More

3 Major Cyber Attacks in January 2025

/in

Our cyber threat analysts detected and explored a number of malware campaigns this January. Here are the three most dangerous attacks dissected with the aid of ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup

Fake YouTube links redirect users to phishing pages 

Original post on X 

Using the Uniform Resource Identifier authority (URI), phishers obfuscate links and place a legitimate resource address, like http://youtube, at the beginning of URLs to deceive users and make the link appear authentic and safe.   

Not just YouTube is getting abused. We’ll keep monitoring and sharing the details with you, so your company can make effective decisions to address the threat. 

Watch how the attack unveils in our Interactive Sandbox and gather IOCs for setting up your security systems. 
 
View analysis

Opening a letter with a phishing link in the sandbox 

Use this search request in TI Lookup to find more sandbox sessions and enforce the protection of your business by fine-tuning malware detection in your network:  
 
commandLine:”youtube.com%” 

Sandbox analyses featuring malicious pseudo-YouTube links 
  • Technically, the URI Scheme replaces the userinfo field (user:pass) with a domain name: foo:// <user:pass> @ domain . Zone. 
  • Storm 1747 domain infrastructure — checkers, redirectors and main pages — has a standard template for Tycoon 2FA phishkit installed.  
  • The technique of replacing user info is also employed by various other phishing kits, such as Mamba 2FA and EvilProxy. 

To study the behavior and indicators of all these malware samples, use ANY.RUN’s Interactive Sandbox.  

Analyze malicious files and URLs
with ANY.RUN’s Interactive Sandbox 



Get 14-day trial


Phishers use fake online shops with surveys to steal credit card information 

Original post on X 

The new phishing scheme we named FoxWhoops targets American e-commerce customers with fake sites promising a reward for completing a survey 

The attack utilizes a system of checks. Users who fail them are sent to a Fox News RSS page or a page with a ‘Whoops!’ image. Those who pass the checks are offered to enter their bank card info to purchase the ‘reward’ at a discount.  

The attack’s algorithm with successful and fail outcomes

 
A number of examples of such attacks have been submitted in our sandbox:  

Checks and redirects:  

  1. A script detects scanning by Google, Bing, Baidu, DuckDuckGo, etc.
  2. If the first check is passed, the script triggers a redirect 
  3. If the second check is passed, the user is redirected to a phishing page with a fake online shop payment form 
  4. If the first check fails, the user is redirected to a Fox News RSS feed  
  5. If the second check fails, the ‘Whoops’ page is displayed.  

Possible attack scenarios based on these steps:

  • Phishing scenario: 1 → 2 → 3. A phishing survey with a ‘reward’ after a small payment in a fake store. Credit card info stolen. 
  • Evasion scenario: 1 → 4. If the victim fails the first check, they are redirected to what appears to be a Fox News RSS feed. The URL includes a ‘q’ parameter that specifies the reason for the redirect, such as:  “IP provider is blacklisted! ASN-CXA-ALL-CCI-22773-RDC“. 
  • Placeholder scenario: 1 → 2 → 5. Users are shown a placeholder page.  
FoxWhoops attack on the invasion scenario runs in the sandbox

Examine the attack’s mechanics to facilitate employee security training in your organization and prevent social engineering attempts with ANY.RUN’s Sandbox! 

A SystemBC client is targeting Linux-based platforms

Original post on X 

The Linux version of SystemBC proxy implant is potentially designed for internal corporate services. It is commonly used to target corporate networks, cloud servers, and even IoT devices. 

This Remote Access Trojan is designed to maintain encrypted communication with C2 servers, using the same custom protocol, ensuring connection to a unified infrastructure of both Windows and Linux implants.   

A proxy implant within a victim’s infrastructure is a crucial tool for attackers, allowing for lateral movement and pivoting without deploying additional detectable tools, further evading detection on the host. 

This version is more stealthy and far more dangerous. Samples do not have clear family detection by security vendors. 

Take a look at the Linux version analysis in the sandbox:  

SystemBC sandbox session with a Suricata rule triggered 

To respond effectively, use ANY.RUN’s Linux virtual machine and quickly detect malicious communication with in-depth network traffic insights, powered by advanced Suricata rules from our experts. 


ANY.RUN cloud interactive sandbox interface

Major Attacks in December 2024

Learn about phishing attacks leveraging Microsoft’s Azure and OneDrive services and discover details on the LogoKit phish kit.


See details


Conclusion 

The cyber threat landscape this January was marked by sophisticated and varied attack strategies targeting individuals and organizations alike. From phishing schemes exploiting trusted platforms to deceptive fake online shops, hackers demonstrated increasing ingenuity and adaptability. 

Organizations must remain vigilant and proactive by leveraging tools such as ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup to identify and analyze threats in real time. Staying informed and prepared is the key to safeguarding critical assets in this ever-changing digital battlefield. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post 3 Major Cyber Attacks in January 2025 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

How to migrate to SASE and zero trust | Kaspersky official blog

/in

The traditional network security model — with a secure perimeter and encrypted channels for external access to that perimeter — is coming apart at the seams. Cloud services and remote working have challenged the very notion of “perimeter”, while the primary method of accessing the perimeter — VPN — has in recent years become a prime attack vector for intruders. Many high-profile hacks began by exploiting vulnerabilities in VPN solutions: CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 in Ivanti Connect Secure, and CVE-2023-4966 in Citrix solutions. By compromising a VPN server, which needs to be accessible online, intruders gain privileged access to an enterprise’s internal network and plenty of scope for covert attack development.

Server and enterprise applications are often configured to trust — and be accessible to — all intranet-based hosts, making it easier to find and exploit new vulnerabilities, and extract, encrypt, or destroy important data.

Often, VPN access is granted to company contractors too. If a contractor violates the information security requirements while being granted standard VPN access with extensive privileges in the corporate network, attackers can penetrate the network by compromising the contractor, and gain access to information through the latter’s accounts and privileges. And their activities can go unnoticed for a long time.

A radical solution to these network security issues requires a new approach in terms of network organization — one whereby each network connection is analyzed in detail, and participants’ credentials and access rights are checked. Any of them lacking explicit permission to work with a particular resource are denied access. This approach applies to both internal network services as well as public and cloud-based ones. Last year, cybersecurity agencies in the United States, Canada and New Zealand released joint guidance on how to migrate to this security model. It consists of the following tools and approaches.

Zero trust

The zero trust model seeks to prevent unauthorized access to data and services through granular access control. Each request for access to a resource or microservice is analyzed separately, and the decision is based on a role-based access model and the principle of least privilege. During operation, every user, device, and application must undergo regular authentication and authorization — processes which are, of course, made invisible to the user by technical means. See our dedicated post for more about zero trust and its implementation.

Secure service edge

Secure service edge (SSE) is a set of tools for securing applications and data regardless of users’ and their devices’ location. SSE helps implement zero trust, adapt to the realities of hybrid cloud infrastructure, protect SaaS applications, and simplify user verification. SSE components include zero trust network access (ZTNA), cloud secure web gateway (CSWG), cloud access security broker (CASB) and firewall-as-a-service (FWaaS).

Zero trust network access

ZTNA provides secure remote access to a company’s data and services based on strictly defined access policies in line with zero trust principles. Even if intruders compromise an employee’s device, their ability to develop an attack is limited. For ZTNA, an agent application is deployed that checks the identity of the user or service, and access rights, then matches them with the policies and user-requested actions. Other factors that can be monitored are the security level of the client device (software versions, security solution database updates), the client’s location, and the like. The agent can also be used in multifactor authentication. Periodic reauthentication occurs during user sessions. If the user requires access to new resources and applications, the authentication and authorization process is repeated in full. However, depending on the solution settings, this may be transparent to the user.

Cloud secure web gateway

CSWG protects both users and devices from online threats and helps enforce network policies. Features include filtering web connections by URL and content, controlling access to web services, and analyzing encrypted TLS/SSL connections. It’s also involved in user authentication and provides analytics on web application usage.

Cloud access security broker

CASB helps enforce access policies for cloud SaaS applications — bridging them to their users, as well as manage data transferred between different cloud services. This makes it possible to detect threats targeting cloud services and unauthorized attempts to access cloud data, as well as to bring control of various SaaS applications under a single security policy.

Firewall-as-a-service

Cloud-based FWaaS performs the functions of a traditional firewall — except that traffic analysis and filtering take place in the cloud instead of on a separate device in the company’s office. Besides the convenience of scalability, FWaaS makes it easier to protect a distributed infrastructure consisting of cloud and on-premises data centers, offices, and branches.

Secure access service edge

Combining software-defined networks (SD-WAN) with full SSE functionality, SASE delivers the most effective integration of network control and security management. There are several advantages for companies in terms of not only security, but also cost efficiency:

  • Reducing the cost of setting up a distributed network and combining different communication channels to increase speed and reliability
  • Taking advantage of centralized network management, high visibility, and extensive analysis capabilities
  • Lower administration costs due to automatic configuration and failure response
  • All SSE functions (SWG, CASB, ZTNA, NGFW) can be integrated into the solution, giving defenders full visibility of all servers, services, users, ports, and protocols — plus automatic application of security policies when deploying new services or network segments
  • Simplifying administration and policy enforcement with a centralized management interface

The SASE architecture allows all traffic to be routed dynamically and automatically, taking into account speed, reliability and security requirements. With information security requirements integrated deep into the network architecture, there is granular control over all network events — traffic is classified and inspected at multiple levels, including the application level. This delivers automatic access control as prescribed by zero trust, with granularity extending to a single application function and user rights in the current context.

The use of a single platform dramatically boosts monitoring performance and speeds up and improves incident response. SASE also simplifies updates and general management of network devices, which is another security benefit.

Migration technicalities

Deploying the above solutions would help your company replace the traditional “perimeter behind firewall plus VPN” approach with a more secure, scalable, and cost-effective model, which factors in cloud solutions and employee mobility. At the same time, cybersecurity agencies that recommend this set of solutions warn that each case requires an in-depth analysis of a company’s requirements and current state of affairs, plus a risk analysis and step-by-step migration plan. When switching from VPN to SSE/SASE-based solutions, you must:

  • Strictly limit access to the network control plane
  • Separate and isolate the interface for managing the solution and the network
  • Update the VPN solution and analyze its telemetry in detail to rule out the possibility of compromise
  • Test the user authentication process and explore ways to simplify it, such as authentication in advance
  • Use multifactor authentication
  • Implement version control of the management configuration, and keep track of changes

Kaspersky official blog – ​Read More

How ANY.RUN Helps Healthcare Organizations Against Ransomware: Interlock Case Study

/in

Ransomware attacks have become a relentless threat to the healthcare sector, exposing sensitive patient data, disrupting life-saving treatments, and placing lives at risk. With healthcare systems underfunded and critical infrastructure vulnerable, cybercriminals find this sector an easy and lucrative target. 

In recent years, ransomware attacks have not only caused financial losses but have also shaken public trust in healthcare organizations. Hospitals, medical service providers, and even blood donation centers have been hit, leaving a trail of chaos. 

This article highlights how healthcare organizations can benefit from ANY.RUN‘s Interactive Sandbox and Threat Intelligence Lookup to identify, investigate, and analyze ransomware attacks, using a real-world case study of the Interlock ransomware group. 

The Impact of Ransomware on Healthcare 

Before we dive deeper into how ANY.RUN helps counter such threats, let’s examine how devastating ransomware attacks can be across the healthcare sector. 

UnitedHealth  190 million records stolen in the largest healthcare breach 
Ascension  5.6 million patients affected in a Black Basta ransomware attack. 
Kootenai Health  464,000 patient records leaked. 
ConnectOnCall  Exposed the health data of over 910,000 patients in a breach of its SaaS system. 
Medusind  A December 2023 breach impacted 360,000 individuals, exposing sensitive billing and health information. 
Anna Jaques Hospital  Ransomware exposed sensitive health data for over 316,000 patients, disrupting critical medical services. 

What’s at stake? 

  • Loss of patient trust: Exposed personal and health information undermines confidence in healthcare providers. 
  • Operational disruption: Hospitals and medical facilities are forced to halt services, delaying critical treatments. 
  • Financial strain: Organizations face ransom demands, legal fees, and recovery costs, compounding the impact. 

Why Healthcare Is a Prime Target 

  1. Sensitive data: Patient records are incredibly valuable on the black market. Ransomware groups exploit this by encrypting data and demanding payments for decryption. 
  1. Critical infrastructure: Many healthcare systems cannot afford prolonged downtime due to their role in patient care. 
  1. Underfunded cybersecurity: Many healthcare providers operate on tight budgets, often prioritizing patient services over robust IT defenses. 
  1. Slow detection: A common issue is the inability to identify and respond to attacks in their early stages, which allows ransomware to spread undetected. 

Interlock Group: Active Ransomware Threat to Healthcare 

Interlock is a ransomware actor that engages in double-extortion. 

In late 2024, the Interlock ransomware group launched targeted attacks against multiple healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data: 

  • Brockton Neighborhood Health Center: Breached on October 20, 2024, undetected until December 17, 2024. 
  • Legacy Treatment Services: Attack detected on October 26, 2024. 
  • Drug and Alcohol Treatment Service: Breach discovered on October 24, 2024. 

How ANY.RUN Helps at Different Stages of Interlock Attacks

ANY.RUN provides healthcare organizations with proactive tools to analyze and investigate ransomware attacks at various stages. 

Let’s discover how by having a look at the Interlock ransomware group. The stages of the attack are taken from one of the most detailed reports on the threat from Talos, released on January 14, 2025. 

1. Initial Compromise (TA0001) 

At this stage, the Interlock ransomware group uses the Drive-by Compromise technique to gain access to the victim’s infrastructure. 

Drive-by Compromise: How It Happened 

The Interlock ransomware group either compromised or newly registered a phishing website, as evidenced by recent registration data in Whois. This phishing site was designed to appear as a news feed, complete with links for downloading software. Unwary users visiting the site were tricked into downloading malicious files. 

Here is how ANY.RUN’s Threat Intelligence Lookup could be used by analysts at this stage of the attack. 

Early Detection of Malicious Domains 

By querying the domain apple-online.shop, ANY.RUN found that users first flagged and analyzed the website on September 6, 2024, almost a month before public mentions of the group appeared in this report.

domainName:”apple-online.shop$”
TI Lookup provides dozens of sandbox reports featuring the queried malicious domain

This means ANY.RUN detected suspicious activity nearly two months before the Talos report was published. 

Thanks to ANY.RUN’s access to public samples of the latest cyber threats from around the world, users of TI Lookup were able to identify Interlock’s domain as malicious before public reports. With such early detection, healthcare organizations can take preventative measures long before public alerts are raised. 

Collect threat intelligence with TI Lookup to improve your company’s security 



Get 50 free requests


Understanding Website Content 

With the help of ANY.RUN’s Interactive Sandbox, you can view how the malicious website looked like and what content was used to deceive users. By analyzing such sites, healthcare organizations can train employees to recognize and avoid similar threats in the future. 

View analysis session 

The malicious website used by Interlock displayed in ANY.RUN’s sandbox

The virtual machine allows anyone to see the behavior of this threat and interact with it in real time. 

Expanding on Known Threat Information 

ANY.RUN’s data can also enrich users’ existing knowledge of the attack.  

While reports stated that the attackers used malware disguised as a Google Chrome updater, ANY.RUN uncovered additional tactics, such as mimicking MSTeams and MicrosoftEdge updates (evident in filenames like MSTeamsSetup.exe and MicrosoftEdgeSetup.exe). 

ANY.RUN reports with analysis of Interlock’s fake updater programs

This shows that by identifying alternative disguises used for malware, ANY.RUN equips organizations to anticipate a broader range of file disguises utilized by Interlock. 

IOCs and File Analysis 

Reports mentioned a specific file named upd_2327991.exe used in the attack. ANY.RUN’s database reveals additional files with similar naming conventions, such as: 

Search with ANY.RUN’s TI Lookup reveals additional file names used by Interlock

This suggests that the attackers generated file names using random alphanumeric patterns. Each file had distinct hash values (SHA256), which serve as unique Indicators of Compromise (IOCs): 

  • 8d911ef72bdb4ec5b99b7548c0c89ffc8639068834a5e2b684c9d78504550927 
  • 97105ed172e5202bc219d99980ebbd01c3dfd7cd5f5ac29ca96c5a09caa8af67 

The analysis showed that with the help of ANY.RUN’s TI Lookup and Interactive Sandbox, healthcare organizations facing Interlock ransomware attacks could: 

Integrate proactive threat analysis with ANY.RUN
to strengthen your company’s security 



Get 14-day free trial


  • Discover the Start Date of Attacks: Get information about the first activities of the attacking group, which often happen before public reports.  
  • Study the Attacker’s Setup: Identify the domains, IP addresses, and other parts of the attacker’s setup to learn more about their tactics and methods.  
  • Improve Detection Systems: Collect additional IOCs to configure defensive mechanisms and improve attack detection. 

2. TA0002: Execution

Once attackers gain initial access, the Execution phase begins. This stage involves deploying malicious payloads or executing harmful commands on the compromised device. In the Interlock ransomware attacks, users unknowingly launch a fake updater file, triggering the execution of malware and allowing attackers to establish control over the victim’s system. 

How Interlock Group Executes Their Attacks

The reports revealed that the attackers leveraged Remote Access Tools (RATs), which provided them with full control of the infected machine. By disguising these RATs as legitimate software, such as Chrome, MSTeams, or Microsoft Edge updaters, the attackers ensured that their actions remained unnoticed until significant damage was done. 

Detecting Encrypted URLs in Fake Updaters

With ANY.RUN Sandbox, analysts could uncover that the fake-updater contained encrypted URLs used to communicate with the attackers’ infrastructure. For example, the xor-url tag in ANY.RUN revealed hidden URLs within the malware’s configuration files. 

View analysis session 

The CFG label indicates that there is a configuration data available for the process 

By clicking on the CFG (Configuration) option in the sandbox, analysts can view decrypted URLs. These insights provide actionable intelligence about the malware’s communication methods and help identify similar patterns in future attacks. 

The URL decrypted by ANY.RUN 

Using YARA Search to Find More Samples

ANY.RUN’s YARA Search functionality allowed researchers to create a rule for detecting RAT samples linked to the attack.  

Here’s an example of a YARA rule tailored for identifying Interlock’s disguised RAT samples: 

rule Interlock_RAT {  

    strings:  

        $ = "/MSTeamsSetup.exe\" xor  

        $ = "/ChromeSetup.exe\" xor  

        $ = "/MicrosoftEdgeSetup.exe\" xor  

    condition:  

        any of them  

}

This YARA rule uncovered over 44 new malicious files, each representing a new indicator.

YARA Search in TI Lookup 

These IOCs can be added to detection systems, expanding the scope of protection. 

Discovering Additional IOCs 

In addition to detecting malicious files, ANY.RUN’s sandbox session revealed network IOCs such as URLs and IP addresses that previously were not covered in other reports. 

One of the URLs found via TI Lookup and not mentioned in Talos’s report

The URL shown above was not included in the detailed report from Talos.  

Had the organizations encountering this URL and payload used ANY.RUN’s Interactive Sandbox, they would be able to run the RAT in a safe virtual environment and see its malicious nature. This could have prevented them from detonating the payload on their own systems. 

During Execution, ANY.RUN helps users: 

  • Discover IOCs: Find additional file and network IoCs, including those found in configurations. 
  • Find Unknown Threats: Discover previously unknown threats. 
  • Analyze Threats: Safely explore suspicious URLs and detonate payloads. 

3. TA0006: Credential Access 

Once attackers gain the ability to execute commands on a compromised system, their next move often involves stealing access credentials. In the Interlock ransomware attack, the group employed a custom stealer tool to gather and exfiltrate these credentials. 

How Credential Stealing Works in This Attack

  • The attackers’ stealer was designed to collect sensitive data, including usernames, passwords, and other access credentials. 
  • According to vendor reports, the stolen data was stored in a file named “chrgetpdsi.txt.” This file served as a repository for harvested credentials before exfiltration. 

Let’s use TI Lookup to find more information on the stealer:  

filePath:”chrgetpdsi.txt$”
Results of a TI Lookup search for a txt file used in the attack

As a result, we see that the Stealer had been detected by ANY.RUN as early as August 2024, well before users began investigating the compromised domain. 

The first sandbox report on the stealer used by Interlock 

Early detection of malicious tools like this Stealer provides security teams with actionable intelligence to defend against evolving threats. 

4. TA0008: Lateral Movement 

At the Lateral Movement phase, attackers aim to spread across the network, gaining access to additional systems and resources.  

The Interlock ransomware group moved laterally within networks using legitimate remote administration tools like Putty, Anydesk, and RDP. These tools are often abused by attackers to access additional systems undetected. 

TI Lookup Queries 
Putty  threatName:”putty”
Anydesk  threatName:”anydesk”
RDP  threatName:”rdp”

The ANY.RUN Sandbox excels at identifying the presence of these tools when they are abused for malicious purposes.

Signature in ANY.RUN’s Interactive Sandbox indicating the presence of Putty

By executing suspicious files in a controlled environment, ANY.RUN can: 

  • Detect the execution of Putty, Anydesk, or RDP-related activities. 
  • Provide detailed insights into how these tools are being used by attackers. 


ANY.RUN cloud interactive sandbox interface

Sandbox for Business

Discover all features of the Enterprise plan designed for businesses and large security teams.


See details


5. TA0010: Data Exfiltration 

In the Data Exfiltration phase, attackers transfer stolen data out of the victim’s network. The Interlock ransomware group used Azure cloud storage to exfiltrate data. 

Inside the ANY.RUN sandbox, you can see the system configuration data being sent to a Command and Control (C2) server via the RAT. 

ANY.RUN captures data sent by the RAT to attacker-controlled servers. For this example, logs revealed information sent to IP 217[.]148[.]142[.]19 over port 443: 

Network traffic of the RAT captured by ANY.RUN’s Interactive Sandbox

Using tools like CyberChef, we can decrypt the logged traffic (e.g., XOR-encrypted data) to identify what attackers exfiltrated. 

Decryption with CyberChef shows that the RAT sent system data to attackers

Thus, during the Data Exfiltration phase, ANY.RUN Sandbox logs traffic sent to external systems, allowing analysts to identify exactly what data is being transmitted to the attacker’s server. 

ANY.RUN’s Key Benefits for Healthcare Organizations

ANY.RUN empowers healthcare organizations with fast, safe, and effective tools to investigate and analyze cyber threats: 

  • Pin malicious indicators to actual threats to gain a better understanding of the risks your organization is facing.  
  • Receive in-depth reports with IOCs, TTPs, and malware behavior summaries. 
  • Simplify and speed up threat analysis for SOC team members at all levels, saving time and increasing productivity.
  • Accelerate the alert triage process and reduce the workload through fast operation speeds, a user-friendly interface, and smart automation.
  • Safely examine sensitive data in a private mode, ensuring compliance with cybersecurity and data protection requirements.
  • Gain access to detailed insights into malware’s behavior and better understand threats to streamline incident response.
  • Collaborate with team members, share results, and coordinate efforts efficiently during incident handling.
  • Optimize the cost of responding to incidents by accessing detailed data with ANY.RUN’s interactive analysis, which helps in developing new detection and protection methods.

Conclusion 

ANY.RUN can be an invaluable tool at various stages of ransomware attacks. During incident investigations, TI Lookup can provide critical data on the threat at hand. Running malware in the ANY.RUN Sandbox before executing it on a local machine allows for a proactive identification of the threat and thorough analysis of its behavior.

By combining ANY.RUN’s tools, healthcare organizations can not only enhance the understanding of the threats’ capabilities but also ensure that they are identified and mitigated effectively. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How ANY.RUN Helps Healthcare Organizations Against Ransomware: Interlock Case Study appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More