Overview 

Cyble Research & Intelligence Labs (CRIL) has released its latest Weekly Vulnerability Insights report, offering a detailed overview of the critical vulnerabilities discovered between December 25, 2024, and December 31, 2024. The report highlights key security threats and vulnerabilities, including the addition of a major exploit to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. 

The identified vulnerabilities have exposed a range of systems to active exploitation, with attackers leveraging flaws to compromise routers, firewalls, and web servers. During the reporting period, CISA incorporated CVE-2024-3393, a high-severity vulnerability in Palo Alto Networks’ PAN-OS, into its KEV catalog. This flaw, which affects the PAN-OS DNS packet handling, is actively being exploited by attackers to disable Palo Alto firewalls by forcing them to reboot, disrupting service for users worldwide.  

Weekly Vulnerability Insights report: Key Vulnerabilities and Exploits 

The CRIL report also shares details into several critical vulnerabilities, including CVE-2024-33112, CVE-2022-37056, CVE-2019-10891, and CVE-2015-2051, which are primarily impacting D-Link products. These vulnerabilities, predominantly related to command injection flaws, have been exploited by attackers to deploy malware, often providing them with initial footholds within compromised networks. 

1. CVE-2024-33112 (D-Link DIR-845L Router): This critical command injection vulnerability allows remote attackers to execute arbitrary commands on affected devices. Exploitation of this flaw has been linked to various botnets, such as Ficora and Capsaicin, which target outdated routers to facilitate further attacks. 

2. CVE-2022-37056 (D-Link GO-RT-AC750 GORTAC750_revA_v101b03): A command injection vulnerability that allows attackers to exploit a flaw in the router’s web interface, enabling unauthorized command execution. 

3. CVE-2019-10891 (D-Link DIR-806 Devices): This vulnerability allows attackers to inject arbitrary shell commands via specially crafted HTTP headers, leading to potential device compromise. 

4. CVE-2015-2051 (D-Link DIR-645 Wired/Wireless Router): Similar to the above vulnerabilities, this flaw allows attackers to execute arbitrary commands by exploiting a GetDeviceSettings action in the HNAP interface. 

In addition to these, several vulnerabilities with broad internet exposure were found in other widely used systems: 

• CVE-2024-12856 (Four-Faith Routers): An OS command injection vulnerability that affects Four-Faith router models used in Internet of Things (IoT) environments. Attackers can execute arbitrary commands via HTTP requests, with some reports indicating active exploitation of this flaw to establish reverse shells. 

• CVE-2024-45387 (Apache Traffic Control): This SQL injection vulnerability in Apache Traffic Ops, a component critical for managing Content Delivery Networks (CDNs), allows privileged users to execute arbitrary SQL commands, potentially compromising the underlying database. 

• CVE-2024-43441 (Apache HugeGraph-Server): This vulnerability enables an authentication bypass, allowing attackers to access data without proper authorization in Apache HugeGraph, an open-source graph database. 

• CVE-2024-52046 (Apache MINA): A remote code execution (RCE) vulnerability affecting the Apache MINA framework used in network applications. By exploiting this flaw, attackers can gain unauthorized control over systems. 

Vulnerabilities Discussed on Underground Forums 

CRIL also reported on ongoing discussions in underground forums, where cybercriminals actively share exploits and Proof of Concepts (PoCs) for newly discovered vulnerabilities. Key vulnerabilities discussed include: 

• CVE-2023-21554 (Microsoft Message Queuing): A critical RCE vulnerability in Microsoft’s MSMQ service. This flaw, known as “QueueJumper,” was highlighted by a forum user offering to purchase access to vulnerable servers. 

• CVE-2024-9122 (Google Chrome): A Type Confusion vulnerability in Google Chrome, affecting versions prior to 129.0.6668.70. Exploitation of this flaw could allow attackers to execute arbitrary code on affected systems. 

• CVE-2024-54152 (AngularJS): A critical code injection vulnerability in the Angular Expressions library, which could allow attackers to execute arbitrary code on systems running vulnerable versions of AngularJS. 

• CVE-2024-21182 (Oracle WebLogic Server): A high-severity RCE vulnerability in Oracle’s WebLogic Server, allowing attackers to exploit the flaw to gain control of vulnerable systems without needing any authentication. 

• CVE-2024-12987 (DrayTek Vigor Routers): A critical command injection vulnerability affecting DrayTek Vigor2960 and Vigor300B routers. Attackers can exploit this flaw remotely to execute arbitrary commands on affected devices. 

Recommendations and Mitigations 

To defend against these vulnerabilities, CRIL recommends the following best practices: 

1. Ensure that the latest patches from official vendors are promptly applied to all systems and devices. This minimizes the risk of exploitation by reducing the attack surface available to threat actors. 

2. Organizations should establish a comprehensive patch management process that includes regular patch assessments, testing, and deployment. Automating this process can help ensure that critical patches are applied without delay. 

3. Limit the exposure of critical infrastructure by dividing networks into secure segments. This prevents attackers from moving freely within a network and helps protect sensitive systems from internet-facing threats. 

4. Develop and maintain an incident response plan to ensure a coordinated and effective response to security incidents. Regularly test and update the plan to ensure it is aligned with current threat levels. 

5. Implement monitoring solutions to detect and log malicious activities. Utilizing SIEM (Security Information and Event Management) systems can help organizations identify suspicious activities in real-time and respond to mitigate damage. 

6. Enforce strong password policies, encourage regular password changes, and implement Multi-Factor Authentication (MFA) to reduce the risk of unauthorized access. 

7. Regularly perform vulnerability assessments and penetration testing (VAPT) to identify and remediate security flaws within systems. 

Conclusion 

The December Weekly Vulnerability Insights Report highlights the persistent threat posed by both known and newly discovered vulnerabilities. With CVE-2024-3393 now included in the CISA KEV catalog and ongoing exploitation of flaws like CVE-2024-33112 and CVE-2022-37056, it’s evident that attackers are targeting a wide range of systems, from mainstream to niche. 

Organizations must act quickly to patch vulnerabilities and strengthen their cybersecurity posture to protect against these critical risks. Cyble, with its AI-driven threat intelligence and advanced platforms like Cyble Vision, empowers businesses to stay ahead of cyber threats. By leveraging Cyble’s solutions and adhering to the recommendations in this report, organizations can enhance their defenses and protect their infrastructure and sensitive data from exploitation. 

The post Cyble Research Reports Critical Vulnerabilities Exposing Routers, Firewalls, and Web Servers appeared first on Cyble.

Blog – Cyble – ​Read More

Overview 

Ukraine has taken significant steps to enhance its cybersecurity posture, introducing key updates to its Organizational and Technical Model (OTM) of Cybersecurity and implementing new standards for safeguarding critical infrastructure facilities (CIF). These developments are part of the country’s broader Cybersecurity Strategy, aligning with global best practices and addressing evolving cyber threats. 

Unified Cybersecurity Framework Inspired by NIST 

The Cabinet of Ministers of Ukraine has approved amendments to the OTM of Cybersecurity, adopting a unified approach based on NIST’s Cybersecurity Framework 2.0. The updated framework provides state bodies and critical infrastructure operators with a structured methodology for identifying, mitigating, and recovering from cyber risks. 

We take into account the best global practices in responding to cyber threats to more effectively counter the challenges facing Ukraine and the global cyberspace. By improving the organizational and technical model of cyber defense, the Administration of the State Service for Special Communications is introducing a single common approach to ensuring cybersecurity in the state,” said Oleksandr Potiy, Head of the State Service for Special Communications and Information Protection of Ukraine. 

Key components of the updated Cyber Defense Strategy include: 

1. Risk Management: Developing strategies and policies to identify, analyze, and manage cyber risks. 
2. Risk Identification: Assessing current and potential vulnerabilities to preemptively address threats. 
3. Data Protection: Leveraging advanced procedures to secure sensitive information against unauthorized access and breaches. 
4. Threat Detection: Utilizing specialized tools and system monitoring to identify suspicious activities and incidents. 
5. Incident Response: Implementing rapid measures to contain and remediate cyber threats. 
6. Post-Attack Recovery: Ensuring systems are restored to full functionality and analyzing root causes to prevent recurrence. 

The revised OTM also fosters better coordination among national cybersecurity entities, introducing a three-tiered infrastructure to streamline defense mechanisms. 

Modernizing Cyber Threat Protection Plans 

The Administration of the State Service for Special Communications, in collaboration with the Security Service of Ukraine (SBU), has also introduced updated guidelines for developing and implementing CIF-specific cyber threat protection plans. This initiative aims to strengthen the security of critical infrastructure, particularly in light of heightened geopolitical tensions. 

Key features of the updated protection plans include: 

• Risk Assessment and Dependency Mapping: Identifying critical interdependencies among infrastructure components and evaluating risks. 
• Adaptation to New Threats: Addressing emerging cyber challenges, including those linked to military aggression. 
• Dual-Approval Process: Ensuring a comprehensive review by both the State Service for Special Communications and the SBU, enhancing accountability and effectiveness. 

These measures are designed to provide a robust defense mechanism for critical infrastructure, safeguarding essential services and national security. 

Streamlining Cybersecurity Governance 

The updated policies emphasize a coordinated approach to cybersecurity governance, bringing together key stakeholders under a unified framework. The dual-approval process for CIF protection plans exemplifies the integration of efforts between the State Service for Special Communications and the SBU, ensuring that cybersecurity measures are both comprehensive and rigorously evaluated. 

A Response to Modern Challenges 

The need for these enhancements is due to the escalating complexity of cyber threats, ranging from ransomware and espionage to disinformation campaigns and sabotage. The cybersecurity strategy also considers the increasing risks posed by hybrid warfare, particularly from state-sponsored adversaries. 

By adopting these proactive measures, Ukraine is not only bolstering its internal defenses but also aligning its cybersecurity practices with international standards, signaling its commitment to global cyber resilience. 

Conclusion 

Ukraine’s recent policy advancements reflect a comprehensive effort to address the ever-evolving cybersecurity landscape. By incorporating global best practices, fostering inter-agency collaboration, and emphasizing proactive risk management, the country is laying the groundwork for a resilient and secure digital future. 

These initiatives will serve as a model for nations striving to safeguard their critical infrastructure and adapt to the rapidly changing cyber threat environment. 

References:

• https://www.cip.gov.ua/ua/news/nacionalna-sistema-kiberbezpeki-funkcionuvatime-efektivnishe

• https://www.cip.gov.ua/ua/news/onovleno-formu-planu-zakhistu-vid-kiberzagroz-dlya-ob-yektiv-kritichnoyi-infrastrukturi-spilnii-nakaz-derzhspeczv-yazku-ta-sbu

The post Ukraine Takes Steps to Strengthen its Cybersecurity Framework with Policy Advancements and Strategic Initiatives appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

The Cybersecurity and Infrastructure Security Agency (CERT-In) released an urgent vulnerability note (CIVN-2024-0360) concerning several critical VibeBP vulnerabilities . These vulnerabilities in VibeBP pose online risk to website owners using affected versions, and they could lead to severe security breaches, including arbitrary code execution, privilege escalation, and SQL injection attacks. 

VibeBP is a WordPress plugin developed by VibeThemes that enhances the BuddyPress plugin by adding social networking features to WordPress sites. These features enable users to create profiles, manage activity feeds, send private messages, form groups, and more, transforming an ordinary WordPress website into a dynamic community platform.

Details of the VibeBP Vulnerabilities 

While VibeBP offers useful features for WordPress users, multiple vulnerabilities have been discovered within the plugin that could potentially compromise the security of the affected sites. These vulnerabilities in VibeBP allow attackers to exploit weaknesses in the plugin, including unauthorized privilege escalation, arbitrary code execution, and SQL injection risks. 

The critical flaws identified in VibeBP primarily allow attackers to exploit unauthenticated or low-privilege users (e.g., Subscribers) to gain access to higher-privilege roles, such as administrators. By doing so, attackers could execute arbitrary SQL queries, potentially compromising or extracting sensitive database information. 

The vulnerabilities are particularly concerning because they allow attackers to bypass security restrictions, which could lead to severe consequences such as data theft, system compromise, and unauthorized access. If exploited, these vulnerabilities could allow a malicious actor to take full control of an affected WordPress site, potentially leading to the installation of malware, propagation of ransomware, or even a full system takeover. 

Types of Vulnerabilities in VibeBP 

The vulnerabilities discovered in VibeBP are critical, as they enable attackers to: 

• Escalate Privileges: Low-privilege users can be granted administrator-level access, allowing them to take control of a WordPress site. 

• Execute Arbitrary Code: Attackers can exploit weaknesses to execute arbitrary code on the server, which could lead to remote code execution (RCE) attacks and full site compromise. 

• Perform SQL Injection Attacks: These vulnerabilities allow attackers to inject malicious SQL queries, enabling them to access or manipulate sensitive data stored in the site’s database. 

Each of these flaws presents online risks, potentially exposing users to data theft, loss of control over their WordPress sites, and other malicious actions that could affect the site’s security and performance. 

Impact and Risk Assessment 

The risks associated with these VibeBP vulnerabilities are extremely high. Successful exploitation could allow a remote attacker to execute arbitrary code on a WordPress site, leading to the installation of malicious software or ransomware.  

In addition, attackers could elevate their privileges to administrator levels, gaining complete control over the website and allowing for unauthorized actions. The potential impact includes the theft of user data, malware propagation, and even the destruction or alteration of the affected site’s content and structure. 

Additionally, since SQL injection vulnerabilities are present, attackers could manipulate databases, exposing sensitive information or causing major disruptions in site functionality. These types of security flaws can have devastating consequences for website owners, as the unauthorized access could lead to long-term reputational and financial damage. 

Solution and Mitigation 

To mitigate the risks associated with these vulnerabilities, CERT-In has urged all users of the VibeBP plugin to update to version 1.9.9.7.7 or later. This version of the plugin includes important security patches that address the vulnerabilities, particularly by implementing stricter controls over file uploads, upgraded privilege management during user registration, and improved input validation to prevent SQL injection attacks. 

By upgrading to the latest version, website administrators can protect their sites from potential exploitation. The updated version of VibeBP includes: 

• File Upload Controls: The new update limits the types of files that can be uploaded, adds permission checks, and removes vulnerable code that previously allowed malicious file uploads. 

• Role-Based Restrictions: The update enforces stricter role management during registration, ensuring that only authorized users can register as higher-privilege roles, preventing privilege escalation. 

• SQL Injection Prevention: The developers have introduced stronger input validation measures to secure the plugin’s SQL queries, ensuring that all user inputs are properly escaped and safe from malicious SQL injection attacks. 

Conclusion 

The VibeBP WordPress plugin has been found to contain multiple vulnerabilities that could have severe security consequences for affected WordPress sites. These vulnerabilities expose websites to risks including arbitrary code execution, privilege escalation, and SQL injection attacks, which can lead to unauthorized access, data theft, and even complete system compromise. 

Website owners who use VibeBP are strongly encouraged to upgrade to version 1.9.9.7.7 or higher immediately to protect their sites. By implementing the necessary updates and taking proactive security measures, administrators can minimize the risk of exploitation and protect their WordPress installations from potential attacks. 

For further details about the vulnerabilities in VibeBP or to learn more about the patch released by VibeThemes, users can visit the VibeThemes official website or refer to security resources.  

References

• https://www.cert-in.org.in/ 
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56041 
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56039 
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56040 

The post VibeBP WordPress Plugin Security Flaws Expose Sites to RCE and Privilege Escalation appeared first on Cyble.

Blog – Cyble – ​Read More

The digital world is evolving at lightning speed, and so are the challenges that come with it. For organizations today, their attack surface—the sum of all potential entry points for a cyberattack—is expanding faster than ever before. From misconfigured cloud environments to overlooked IoT devices, vulnerabilities creep around places many don’t think to check. 

In 2025, Attack Surface Management (ASM) will take center stage as organizations shift from reactive defenses to proactive strategies. ASM is no longer just a buzzword; it’s a necessity in the cybersecurity resource. It’s about seeing what attackers see and mitigating threats before they escalate. As organizations struggle with increasing cyber threats, understanding the trends shaping ASM is crucial to staying ahead of adversaries. 

This article delves into the pivotal ASM trends to watch in 2025 and explores how Cyble’s ASM platform is helping organizations adapt to this dynamic landscape. 

Key Trends in Attack Surface Management for 2025 

1. AI-Powered ASM Solutions 

AI and machine learning (ML) have become integral to ASM, enabling organizations to identify threats faster and more accurately. AI-driven platforms analyze vast amounts of data in real time, uncovering vulnerabilities that would be nearly impossible for human analysts to detect.  

For example, in 2024, a global financial institution used an AI-powered ASM tool to identify misconfigured cloud storage buckets. The tool flagged over 1,000 vulnerabilities within hours, preventing a potential data breach that could have exposed millions of customer records. 

In 2025, we expect AI to play an even larger role in predictive analysis, helping organizations anticipate potential attack vectors before they are exploited. 

2. Integration with Zero Trust Architectures 

Zero Trust Architecture (ZTA) is now a standard in cybersecurity frameworks. ASM platforms are being integrated into ZTA to provide a continuous monitoring loop that verifies all devices, users, and applications interacting with the network. This integration ensures that no component of the attack surface is overlooked. 

3. Focus on IoT and OT Security 

The proliferation of Internet of Things (IoT) and Operational Technology (OT) devices has dramatically expanded the attack surface. In 2025, ASM tools are focusing more on securing these devices by identifying vulnerabilities such as default credentials, unpatched firmware, and unsecured communications. 

4. Cloud-Native ASM Solutions 

With organizations increasingly relying on multi-cloud environments, cloud-native ASM solutions are gaining traction. These solutions are designed to monitor cloud assets continuously, ensuring compliance and security across hybrid and multi-cloud setups. 

For instance, a global e-commerce platform operating across AWS, Azure, and Google Cloud leveraged a cloud-native ASM tool to identify misconfigurations in its storage settings. This proactive measure protected the platform from a potential data leak involving millions of transaction records. 

5. Proactive Threat Intelligence Integration 

During a 2024 supply chain attack targeting a major software vendor, an ASM solution integrated with threat intelligence helped downstream customers identify and mitigate the vulnerabilities exploited in the attack within hours. 

ASM platforms are evolving to integrate real-time threat intelligence, providing context around vulnerabilities and enabling faster, more informed decision-making. This trend helps organizations prioritize remediation efforts based on the likelihood and potential impact of an exploit. 

6. ASM for Third-Party Risk Management 

Third-party risk has become a critical area of focus, as vendors and partners often introduce vulnerabilities into an organization’s ecosystem. ASM tools are being used to monitor the digital footprints of third-party vendors, ensuring their security posture aligns with organizational standards. 

In 2024, a multinational retailer discovered a vulnerability in its payment processing partner’s infrastructure using an ASM platform. By addressing the issue proactively, the retailer avoided a potentially catastrophic data breach. 

7. Shift from Reactive to Proactive ASM 

Traditionally, ASM was seen as a reactive process—responding to discovered vulnerabilities after they had already been exploited. In 2025, the shift towards proactive ASM is evident, with platforms emphasizing continuous monitoring, real-time alerts, and predictive analytics. 

8. Human-Centric ASM 

Despite advancements in automation, human expertise remains essential. Human-centric ASM focuses on empowering security teams with intuitive tools and actionable insights. By combining human intuition with machine efficiency, organizations can achieve a more strong security posture. 

The Role of Cyble in Attack Surface Management 

Cyble has established itself as a leading provider of AI-driven ASM solutions. Recognized by Forrester in its Q2 2024 report, Cyble’s innovative approach to securing digital assets makes it a valuable partner for organizations striving to protect their expanding attack surfaces. 

Cyble’s ASM platform offers: 

1. Comprehensive Visibility: Cyble’s platform provides a 360-degree view of the attack surface, covering assets such as cloud environments, web and mobile applications, IoT devices, email servers, and public code repositories. 

2. AI-Driven Insights: The platform uses advanced AI algorithms to identify vulnerabilities and predict potential attack vectors, enabling proactive threat mitigation. 

3. Ease of Integration: Designed to integrate seamlessly with existing SecOps solutions, Cyble’s ASM platform enhances the overall cybersecurity framework without adding complexity. 

4. Proactive Threat Intelligence: Cyble continuously updates its threat intelligence database, providing organizations with actionable insights tailored to their unique attack surfaces. 

Why Cyble Stands Out: According to Beenu Arora, Founder and CEO of Cyble, “We provide organizations with the tools and insights they need to proactively identify and mitigate potential cyber threats before they escalate. Cyble’s inclusion in Forrester’s ASM Solutions Landscape report underscores our commitment to innovation and customer success.” 

Real-World Benefits: For instance, a global logistics firm used Cyble’s ASM platform to identify shadow IT assets that posed significant risks to its operations. By addressing these vulnerabilities, the company not only improved its security posture but also enhanced its operational efficiency. 

Conclusion 

Attack Surface Management in 2025 is characterized by rapid technological advancements, the integration of AI, and a growing focus on proactive security measures. As organizations face increasingly complex attack surfaces, staying ahead of the curve requires adopting cutting-edge ASM solutions. 

Cyble’s AI-driven ASM platform offers a comprehensive, proactive approach to securing digital assets. By leveraging Cyble’s innovative solutions, organizations can strengthen their cybersecurity posture, mitigate risks, and navigate the ever-evolving threat landscape with confidence.

The post Attack Surface Management (ASM) in 2025: Key Trends to Watch  appeared first on Cyble.

Blog – Cyble – ​Read More

Can you believe 2024 has come to an end? As we prepare to step into 2025, we’re excited to share key updates on the cybersecurity front from Q4. The last three months were anything but quiet—new threats emerged, familiar ones evolved, and cybercriminals kept raising the stakes. 

At ANY.RUN, we’ve been monitoring these shifts every step of the way. This report pulls together the most significant trends, from the most active malware families to the tactics and techniques shaping cybersecurity. 

Let’s jump in and see what this quarter taught us about the intriguing world of malware. 

Summary 

In Q4 2024, ANY.RUN users ran 1,151,901 public interactive analysis sessions, marking a 5.6% increase from Q3 2024. Out of these, 259,898 (22.6%) were flagged as malicious, and 71,565 (6.2%) as suspicious. 

Compared to the previous quarter, the percentage of malicious sandbox sessions rose from 19.4% in Q3 2024 to 22.6% in Q4 2024. At the same time, the share of suspicious sessions grew from 4.3% to 6.2%. 

Users collected an impressive 712,151,966 indicators of compromise (IOCs) during Q4, reflecting the heightened activity and complexity of the threats analyzed. 

Top Malware Types in Q4 2024 

Let’s dive into the most common malware types identified by ANY.RUN’s sandbox in Q4 2024: 

Top Malware Types: Highlights 

Q4 2024 saw significant changes in the most detected malware types compared to previous quarters.

• Stealers took the lead with 25,341 detections, continuing their dominance as the top malware threat. This marks a significant rise from 16,511 detections in Q3, reflecting an increase of 53.5% in Stealer activity. In Q2, Stealers had 3,640 detections, meaning their activity more than doubled from Q2 to Q4. 
• Loaders also remained a prominent threat, holding steady in second place with 10,418 detections. This is an increase of 27% compared to Q3, where they were detected 8,197 times. In Q2, Loaders had 5,492 detections, so we’re seeing consistent growth in this malware type across the quarters. 
• RATs continued to be a major concern in Q3 and Q4, although their position dropped to third place in both quarters. In Q4, RATs were detected 6,415 times, representing a 10.8% decrease from Q3 (7,191 detections).  
• Ransomware saw a slight decrease in Q4, with 5,853 detections, down from 5,967 in Q3, marking a decrease of 1.9%. However, compared to Q2, where ransomware detections were at 2,946, there has still been a clear increase in ransomware activity over the last two quarters. 
• Keylogger detections had a notable decrease in Q4, with 1,915 detections compared to 3,172 in Q3. This represents a 39.5% drop from Q3. In Q2, Keyloggers were also detected frequently, but the numbers were lower than what we saw in Q3 and Q4. 

A new threat category appeared in the top ten: Adware, which had 1,666 detections in Q4.  

Other notable malware types include Exploits (905 detections), Backdoors (679 detections), and Trojans (466 detections). These malware types had a relatively stable presence, with minor fluctuations in the number of detections compared to the previous quarter.

Rootkits, at the bottom of the list with 386 detections, are also showing up more frequently in analyses, though still less common than other types of malware.

Collect Fresh Intel on Emerging Cyber Threats

Make sure to use ANY.RUN’s TI Lookup to collect and enrich threat intelligence on the latest malware and phishing attacks.

The service provides access to a database of over 40 types of Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs), from IP addresses to mutexes, extracted from the public samples analyzed in ANY.RUN’s Interactive Sandbox.

With the following query you can find recent samples of Stealer malware uploaded by users in the UK:

TI Lookup returns dozens of sandbox analyses matching the query that you can explore in detail and gather intel on the current threat landscape.

In this session, we can observe the execution process of a Lumma malware sample.

Top Malware Families in Q4 2024 

In Q4 2024, the malware landscape continued to evolve with several shifts in the prevalence of different malware families.

• Lumma maintained its strong position, leading the list with 6,982 detections, showing a significant increase compared to Q3 (4,140 detections). 
• Stealc made an impressive jump to second place, with 4,790 detections, up from 2,030 in Q3. This is a 136.3% increase and positions Stealc as a rising threat in the malware world. 
• Redline followed with 4,321 detections, a 26.7% rise from Q3. 
• AsyncRAT and Remcos showed some decrease in activity, indicating possible shifts in threat actor strategies. 
• Xworm, another notable family, saw a substantial rise, reaching 3,141 detections in Q4, up from 2,188 in Q3. This is a 43.7% increase, making Xworm one of the most concerning threats of the quarter. 

Snake, which appeared on the list for the first time in Q3, continued its activity in Q4, with 1,926 detections, up from 1,782 in Q3, reflecting an 8.1% increase. 

AgentTesla showed a noticeable decrease in activity, dropping to 1,906 detections in Q4 from 2,316 in Q3, which is a 17.7% decline. 

Finally, Sality, which had previously been less active, saw a return to the list with 1,194 detections, making it the tenth most detected malware family in Q4. 

Phishing Activity in Q4 2024 

Phishing activity saw a significant uptick in Q4 2024, with a total of 82,684 phishing-related threats flagged across the ANY.RUN sandbox. This shows just how active cybercriminals were, using phishing tactics to target victims. 

Activity by cyber criminal groups: 

• Storm1747 led the pack with 11,015 phishing-related uploads, making it the most active group. 
• Storm1575 followed with 3,756 uploads, showing strong but more limited activity. 

Activity by phishing kits: 

• The Tycoon2FA kit dominated the scene, with 8,785 instances of use. 
• Mamba2FA came in second with 4,991 detections, reflecting notable activity. 
• Evilginx2/EvilProxy made a smaller but significant impact with 573 detections. 
• Gabagool had 384 detections, indicating a more niche but active presence. 

Top 5 Protectors and Packers from Q4 2024 

In Q4 2024, the top protectors and packers continued to play a significant role in obfuscating malware to evade detection. Here’s a look at the most common ones: 

1. UPX: The clear leader with 12,262 detections, making it the most widely used protector/packer. 
2. Netreactor: With 8,333 detections, it remains a popular choice for malware obfuscation. 
3. Themida: Used in 4,627 detections, Themida was a key player in malware protection.
4. Confuser: Close behind with 4,610 detections, Confuser also stood out for its effectiveness. 
5. Aspack: The least common in the top 5, but still notable with 566 detections. 

These protectors and packers are integral to malware campaigns, helping cybercriminals hide their malicious code and avoid detection. 

See detailed guide on unpacking and decrypting malware

Top 20 MITRE ATT&CK Techniques in Q4 2024 

In Q4 2024, several adversary techniques saw a rise in activity, with PowerShell, Windows Command Shell, and phishing techniques dominating the list. Here’s a breakdown of the top 20 techniques observed: 

Top TTPs: Q4 2024 vs Q3 2024 

In Q4 2024, the landscape of detected techniques saw a few shifts compared to Q3. Here are the key highlights: 

The top three spots for Q4 were claimed by: 

• T1059.003, Command and Scripting Interpreter: Windows Command Shell – claiming the top spot, up from the 3rd position in Q3, with a substantial rise in detections (41,384). 

• T1036.003, Masquerading: Rename System Utilities – staying strong in 2nd place, though with a slight dip in detections compared to Q3 (41,254). 

• T1566.002, Phishing: Spearphishing Link – a significant leap from its previous position, climbing to 3rd with 28,685 detections, marking an increase in phishing-related activities. 

Worthy mentions: 

• T1059.001, Command and Scripting Interpreter: PowerShell – dropped to 4th place after holding the 2nd spot in Q3, now with 26,503 detections. 

• T1497.003, Virtualization/Sandbox Evasion: Time-Based Evasion – although it slipped to 5th place from 4th in Q3, it still saw a notable number of detections (24,177). 

• T1547.001, Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – entering the list in 6th place, showing a steady increase in activity (18,394).

Use TI Lookup’s interactive MITRE ATT&CK matrix which accompanies each TTP with real-world examples of cyber threat samples, analyzed in ANY.RUN’s Interactive Sandbox.

Report Methodology

For this report, we analyzed data from a total of 1,151,901 interactive analysis sessions. This data is drawn from researchers in our community who contributed by running public analysis sessions on ANY.RUN.  

These sessions provided valuable insights into the latest trends and activities in cybersecurity, helping us identify key threats and techniques that are currently on the rise. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s products →

The post Malware Trends Report: Q4, 2024  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More