Editor’s Note: This article was originally published on June 11, 2024, and updated on December 28, 2024.

The ANY.RUN Threat Intelligence Feeds provide data on the known indicators of compromise: malicious IPs, URLs, domains, files, and ports.   

The data is collected and pre-processed from public malware and phishing samples analyzed by our community of 500,000 researchers in the ANY.RUN sandbox environment.

How ANY.RUN’s TI Feeds Help Organizations

Cyber Threat Intelligence Feeds from ANY.RUN extend the threat coverage of your SIEM and TIP systems. They provide IOCs of recently seen cyber threats so you can proactively prepare to defend your infrastructure against them, as well as: 

• Expand Threat Coverage: Improve system’s ability to detect emerging malware and phishing attacks.  

• Improve Incident Response: Enrich incident response processes with contextual data, providing deeper insights into threats and their behaviors.  

• Strengthen Security Posture: Ensure proactive defense against new and evolving threats.  

• Optimize Threat Hunting: Streamline threat hunting activities, identifying and investigating potential threats more effectively. 

Feeds are easy to use. It’s practically a plug and play solution (as long as your team is already using a SIEM or TIP system).  

Indicators Provided by ANY.RUN’s TI Feeds

The IOCs include information on malicious IP addresses, domain names, and URLs, enriched with contextual details such as related files and ports.   

IP addresses 

IP addresses are important for detecting and preventing malicious network activity. They serve as digital markers of cybercriminal operations, often linked to Command-and-Control (C2) servers or phishing campaigns. 

By analyzing IP addresses, cybersecurity teams can identify and block malicious sources, trace attack origins and monitor threat patterns. 

Domains 

Domains are often used as staging points for cyberattacks. They provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign. 

ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes.  

URLs 

URL addresses serve as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content. Their flexibility and ease of use make them a preferred tool for attackers. 

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data. 

More information on TI Feeds’ structure and additional IOCs  — in our blog post.  

Key Features of ANY.RUN’s TI Feeds

• Fresh Indicators: Mined from the latest public samples uploaded to our interactive sandbox by a global network of over 500,000 security professionals and updated every few hours.  
• Contextual Information: Offer more than just IOCs by providing direct links to sandbox sessions that include memory dumps, network traffic, and events.  
• Rigorous Pre-Processing: Advanced algorithms and proprietary technology used for data filtering and validation.  
• STIX and MISP Formats: Deliver threat intelligence feeds in the STIX and MISP formats, making it easy for security teams to integrate our data into their existing infrastructure.  

Try Demo Sample of ANY.RUN’s TI Feeds 

We provide free samples of ANY.RUN’s Threat Intelligence Feeds with data from 6 months ago, so you can test them in your security setting.

Contact us to access the most up-to-date TI Feeds version or make a purchase.

Here are the steps to integrate the demo feeds: 

1. First, go to the feeds dashboard. 

2. Choose which indicators to receive by checking the boxes — URLs, Domains, IPs or any combination of them. 

3. Copy the URL and paste it into the threat intelligence feeds section of your SIEM or TIP system. This step depends on your vendor, but generally search for “threat intelligence feeds” and find an input for URL or source. 

You can also download a STIX or MISP feeds sample by clicking Get Demo button. 

4. Copy the API key and paste it into the API field in the same SIEM/TIP section where you provided the feeds URL. 

That’s it! You are now receiving demo threat data from ANY.RUN! 

Which vendors can integrate with ANY.RUN? 

Our threat intelligence feeds share data in the standardized STIX and MISP formats. This means that you can practically integrate ANY.RUN feeds with any vendor, including popular platforms like OpenCTI and ThreatConnect.

Contact us to get assistance with your integration.

How TI Feeds Support Business Performance 

Adding Threat Intelligence feeds to your cybersecurity framework significantly raises the sustainability of your organization.  

• Cost reduction: Investing in TI feeds can lead to significant cost savings by preventing data breaches and minimizing the need for reactive security measures.  

• Informed decision-making: Quality TI feeds provide critical insights, ensuring that security efforts are focused on the most pressing threats.  

• Brand reputation: Early detection of threats reduces the likelihood of incidents that could damage a company’s name. 

• Operational efficiency: Integrating CTI feeds with can contribute to better response process, improving mean time to resolution (MTTR). 

• Compliance: TI feeds help document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI.  

For detailed information on the role of Cybersecurity Threat Intelligence Feeds in improving company’s operational performance, refer to this article.  

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post Integrate ANY.RUN Threat Intelligence Feeds with Your Security Platform appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

The outgoing 2024 brought a number of record-breaking data breaches — from the Taylor Swift concert ticket case, to the incident with 100 million Americans’ medical records. AI technology and cybercrime made leaps and bounds all year long. So how can you stay on top of all this to ensure personal information security? Here’s how: make these seven New Year resolutions — and stick to them throughout 2025.

1. Learn to use AI assistants securely

Over the past year, the use of AI has evolved from a trending novelty to a part of life — especially after AI assistants became smartphone features. Given that AI is now literally in the palm of your hand — offering at times quite personal advice — it’s worth getting to grips with the rules for safe chatbot use to keep yourself and others out of harm’s way. Here they are in a nutshell:

• Double-check AI advice — especially when asking for information about medicines, investments, or other queries where errors are costly. Chatbots are known to “hallucinate”, so never blindly follow their tips.
• Disable AI features unless you know what they’re for. The “smart” craze is driving companies to integrate AI even where it’s not needed. The most striking example is the rollout of the controversial Recall feature in Windows 11, where it continuously captures screenshots for AI analysis. Disable AI if you’re not actively using it.
• Never give personal information to AI. Photos of documents, passport details, financial and medical information are almost never needed for AI to function correctly. Given that such data may get stored for a long time and used for AI training — and thus be more likely to leak — it’s better not to upload such data in the first place.
• Don’t chat with family and friends through AI. Such automation is rarely useful and won’t help maintain closeness.

2. Switch to passkeys instead of passwords

Tech majors are gradually ditching passwords for more reliable passkeys; for example, Microsoft plans to move a billion users over to this new technology. With it, logging in to any site will be by means of biometric verification or PIN code. The check is carried out locally on your computer or smartphone, after which the device decrypts from its storage a unique cryptographic key for the website in question, which “recognizes” you by this key. In some services, “Passkey” is the actual name of the login method; others, like Microsoft, mention “Face, Fingerprint, or PIN”. Whatever name it goes by, the method is more reliable than a combination of a password and one-time code — as well as easier and faster to use. If passkeys are on offer — get them!

3. Find and change all old passwords

Despite the advent of passkeys, passwords will remain with us for many years to come, and that means lots more leaks and hacks. Old passwords that you created years ago with little thought to length or strength can be brute-forced without too much trouble. For example, this year saw the biggest password leak in history. Dubbed RockYou2024, it contained 10 billion (!) unique records. Many of them are encrypted, but modern video cards can be used to crack shorter passwords. In our study of password strength, it turned out that six out of ten user passwords found in this leak could be broken in a few seconds to one hour.

To thwart password crackers, go through all your passwords and reset any that are short (fewer than 12 characters) or very old, and create new ones in accordance with best security practices. As you know, passwords should never be reused, so it’s best to generate new ones and store them in a reliable password manager.

4. Teach family and friends how to spot deepfakes

The rapid advance of neural networks has allowed scammers to move from deepfake videos of celebrities, to inexpensive and relatively massive attacks on specific individuals using fake voices and images of… absolutely anyone. Deepfakes were first used to promote financial pyramids or fake charities, but now targeted scams are in play; for example, calls from the victim’s “boss” or a “loved one”. It’s now easier than ever to make a video of someone you know well asking for money or something else, so always double-check unusual requests by making contact with the person through another channel.

Given the vast leakage of medical records in 2024, we can expect to see new targeted “doctor scams” in the coming year.

5. Switch to private messengers

For those who still believe in privacy, 2024 delivered a couple of major setbacks. First, the arrest of Telegram founder Pavel Durov raised fears that intelligence agencies could start snooping on users’ correspondence. Next, the United States was rocked by scandal when it broke that foreign intelligence agencies had hacked the legal wiretapping system operated by all U.S. telecom providers, and gained access to the calls and texts of Americans. The authorities went so far as to advise people to switch to private messengers for greater privacy.

To sleep more soundly at night, follow this tip and, together with your main contacts, move to a messenger with end-to-end encryption.

6. Set aside a monthly “backup hour” in your calendars

If you don’t even remember when you last backed up your data, it’s time to schedule this activity — which is no less important than annual car maintenance or spring cleaning your house; however, backups should be much more frequent: daily, weekly or monthly — depending on the data type.

Backup must be two-way: back up data on your phone and computer to cloud storage, and download cloud data to local storage. An example of the former is photos on your phone. An example of the latter is Gmail messages.

This way, you’ll be protected against a wide range of problems: computer crashes, smartphone theft, ransomware attacks, house fires, your favorite recipe site being shut down, movies and music disappearing from streaming platforms, sudden hikes in cloud-hosting charges, and so on. For best practices for backing up from the cloud, see our post here; and to the cloud, see here. Another of our guides explains how to save important online data stress-free, so you don’t have to worry about your favorite sites or services disappearing. And under the backup tag on our blog, you’ll find no end of practical tips on saving data from anywhere, including messengers, authenticator apps, and note-taking tools.

7. Enter your card number less often

In 2024, cloud storage provider Snowflake suffered a string of massive leaks of customer data. Among the companies affected were AT&T, Live Nation (Ticketmaster), and Santander. The exact makeup of the information in each leak remains unclear.

So as not to be left guessing if your payment data is safe, and not to mess around with contacting banks and reissuing cards after every major leak, save your card to a reputable, secure service (PayPal, Google Pay, Apple Pay, or similar), and use it to pay for purchases wherever possible. That goes for both offline and online purchases. This will make it harder for attackers to intercept your payment data and reduce the likelihood of damage in the event of a large store or online service hack.

If you need to enter card details but your preferred payment service isn’t an option, use the Safe Money feature in any of our home security solutions.

Kaspersky official blog – ​Read More

Overview

U.S. national security and cybersecurity agencies have leveled cyber espionage accusations against the People’s Republic of China (PRC) for much of 2024, accusing the PRC of infiltrating U.S. critical infrastructure and telecom networks – possibly in preparation for a potential cyber war between the two global powers. 

China has pushed back, calling such charges misinformation and accusing the U.S. of its own espionage campaigns. While the PRC’s claims merit skepticism – most notably that alleged Volt Typhoon activities have been U.S. misinformation or “false flag” operations – new claims by China that two recent sophisticated cyberattacks were carried out by the U.S. are worth examining if only for the details and security insights they provide. 

We’ll examine those claims – along with an overview of the depth and breadth of PRC activities in 2024, U.S. responses, and recommendations for telecom and critical infrastructure security. 

China Claims Two U.S. Cyber Espionage Attacks 

China’s counter charges to U.S. cyber espionage claims have largely been based on decade-old NSA leaks, so the PRC’s latest claims are notable for their focus on two recent specific incidents while avoiding those larger claims. 

In a December 18 bulletin, China’s National Internet Emergency Center (CNCERT) claims it “discovered and handled two cases in which the United States launched cyber attacks on large Chinese technology companies and institutions to steal commercial secrets” [translated]. 

Beginning in August 2024, an “advanced material design and research unit … has been attacked by a suspected US intelligence agency,” CNCERT claims. The attackers “exploited a vulnerability in a certain electronic document security management system in China to invade the software upgrade management server deployed by the company, and delivered control Trojans to more than 270 hosts of the company through the software upgrade service, stealing a large amount of commercial secrets and intellectual property of the company.” 

The second alleged attack was against “a large-scale high-tech enterprise in … smart energy and digital information.” The attackers in that case “used multiple overseas springboards to exploit Microsoft Exchange vulnerabilities, invaded and controlled the company’s mail server and implanted backdoor programs to continuously steal mail data. At the same time, the attackers used the mail server as a springboard to attack and control more than 30 devices of the company and its subsidiaries, stealing a large amount of the company’s commercial secrets.” 

While it is impossible to determine the veracity of China’s latest claims, given the extent of PRC campaigns against U.S. targets, it would not be surprising if the U.S. were engaged in counter efforts. Whether those efforts would include what may be industrial espionage in these cases is perhaps less likely, unless the targets could provide important strategic information – which may be possible in the case of the smart energy company, for example. Nonetheless, there is no shortage of nation-state or financially motivated threat actors (TAs) capable of carrying out such attacks, so without technical specifics that could link the attacks to a TA, the claims are unsupported. 

A Timeline of PRC Campaigns Targeting the U.S. 

2024 has seen a notable increase in cyber tensions between the two countries. Here are some of the key developments. 

PRC Positioning in U.S. Critical Infrastructure 

In February, the U.S. and the other “Five Eyes” countries warned that “People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” 

U.S. national security and cybersecurity agencies have repeated those claims a number of times since then – including speculation that China may be preparing for cyber conflict as part of its goal of having the capability to invade Taiwan by 2027. 

U.S. Government Breaches 

A July 2023 breach of U.S. government email accounts received a thorough accounting in 2024 in reports and hearings, including pledges from Microsoft that it would address the security failings that led to the breaches as well as make security a top priority for the company going forward. 

Wiretap System and Telecom Breaches 

The revelation in early October that the PRC-linked Salt Typhoon group had breached the U.S. court wiretap system was followed a few weeks later by news that the telecom network breaches behind that attack also led to attacks targeting the phone communications of U.S. officials at the highest levels. 

What followed was a stark reassessment of telecom network security – some of which may not be as risk-focused as perhaps would be ideal. 

Focus on Chinese Network Equipment May Overlook Other Risks 

The U.S. is engaged in a $5 billion “rip and replace” effort to remove Chinese equipment from U.S. telecom networks in an effort to address those security issues. 

While government intervention may well be necessary to shore up the significant gaps in telecom and critical infrastructure security, focusing narrowly on only equipment from China ignores gaps from other vulnerabilities that may be just as critical. 

While not revealing details, Senator Mark Warner – a former telecom venture capitalist – recently told the Washington Post that “thousands and thousands and thousands” of vulnerable telecom network devices might need to be replaced. “The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable,” Warner said. 

Vulnerable legacy devices, whether in telecom or operational technology (OT) networks, are at the heart of the cybersecurity crisis confronting telecom and critical infrastructure. Replacing just one source of those issues likely won’t provide a comprehensive solution. 

A much broader program that emphasizes replacing legacy devices wherever possible, along with essential security practices like network segmentation and access control, will likely be required to solve persistent security vulnerabilities and threats in telecom and other critical infrastructure. 

The post China Accuses the U.S. of Hacking Back as Cyber Conflict Grows  appeared first on Cyble.

Blog – Cyble – ​Read More

Of the many reports created by Cyble’s talented team of threat researchers this year, seven stand out for their unique and comprehensive insight into the contemporary threat landscape.

We’ll examine some of the key takeaways from the reports, including the changing nature of cyber threats and some surprising solutions readers may not have considered.

Here, then, are insights from seven key Cyble research reports from 2024 that you shouldn’t miss, from broad trends to sector-specific threats that affect us all.

Brand Impersonation and Counterfeit Products

E-Commerce and Brand Monitoring examines the underappreciated risks of counterfeit products and brand impersonation. It includes statistics and case studies that should disturb companies and consumers alike.

Two data points underscore the risks for everyone: 70% of consumers have unknowingly purchased counterfeit products online within the last year, and the average company loses almost $4 billion a year in sales because of counterfeit products.

The report examines the most targeted sectors and methods – and discusses detection technologies, solutions, and actions that can help address the problem.

How Threat Intelligence Became a Core Security Technology

The Year in Cyber Threat Intelligence is a comprehensive look at threat intelligence’s emergence as a central cybersecurity technology, including eight mergers that have remade the sector and revealed its strategic importance even for established security vendors.

The leading threat intelligence platforms have evolved into external attack surface management (EASM) solutions that address risks from the network perimeter to the cloud and beyond. Harnessing AI and vast computing resources, these solutions power a growth rate that’s more than twice as fast as the cybersecurity market as a whole.

Along the way, you’ll get insights into threat intelligence use and features you might not know about, including a few practices that can prevent major cyberattacks before they happen.

Healthcare’s Tough Year

Healthcare cyber incidents in 2024 got bigger and more dramatic than ever before, with crippling ransomware attacks and massive data breaches becoming all too common.

Cyble’s mid-year Healthcare Threat Landscape report looks at incidents from the first half of 2024 – and draws important big-picture inferences and trends from the data. One critical insight: Dark web monitoring is an underappreciated tool for detecting credentials, access, and data leaks before they become much bigger cyberattacks and issues.

The report looks at 10 cases where healthcare access credentials were offered for sale on the dark web. Such breaches can be an important indicator of future attacks for any organization, but they can be particularly dangerous in the healthcare sector. The report also looks at vulnerabilities, data exposures, and ransomware attacks that hit the sector this year.

Medical Device Insecurity

A second healthcare report from Cyble is also worth reading for its insights into the unique systems, devices and challenges that make healthcare security so difficult – and breaches so expensive. In fact, healthcare data breaches are more than 50% more expensive than breaches in any other industry.

Vulnerability Management in Healthcare IoT Devices reveals why healthcare security is so difficult, with a sprawling array of unsupported and insecure devices providing critical patient care – as well as ready access for hackers. Here are some of the disturbing data points from the report:

• 75% of infusion pumps have unpatched security flaws.
• 83% of medical imaging systems run on unsupported operating systems.
• 98% of medical IoT device network traffic is unencrypted.
• Over 50% of hospital IoT devices are vulnerable to attack.
• Medical IoT devices were the root cause of 21% of all ransomware attacks in the healthcare sector.
• Only 52% of companies conduct regular security audits for healthcare IoT devices.

You’ll come away from this report with new insight into healthcare security challenges – along with potential solutions.

Software Supply Chain Risks and Controls

Software supply chain attacks have become a near-daily occurrence, and attacks that come through trusted partners are particularly dangerous because of their privileged access to an organization’s data and environment.

Cyble’s Supply Chain Threats report looked at the many ways that supply chain attacks and vulnerabilities can occur, along with an extensive list of security controls organizations can use to reduce those risks.

The use of open-source components in commercial software adds to those risks, creating an opening for malicious packages and open-source vulnerabilities to enter the commercial supply chain.

As any IT vulnerability from a trusted supplier could be considered a supply chain risk, the section on controls is particularly important. A must for understanding our increasingly interconnected threat landscape.

Financial Cybersecurity

The financial sector was covered in multiple Cyble reports this year, but one stands out above the rest: Cyber Threat Intelligence for Financial Institutions is an exhaustive look at the threats facing financial services companies – along with solutions.

The nearly 5,000-word report enumerates the attack types, vulnerabilities, targets, regions, and threat groups that place the industry at high risk of attack – along with what to expect for threats, controls, and regulatory and compliance pressures in 2025. A must-read for anyone who depends on this vital engine of economic growth.

Transportation Security

The Transportation and Logistics report examines the vast cybersecurity risks that threaten to disrupt transportation and shipping – risks that have grown substantially with automation and AI.

The report looks at the specific vulnerabilities, threat groups, and hacktivists that target the transportation sector, along with the attack types the industry faces.

The report examines eight technologies that can help mitigate those risks. You’ll gain a greater appreciation for the many physical and geopolitical risks that transportation services must negotiate while getting people and goods to their intended destinations.

What’s Next from Cyble Threat Researchers?

In addition to regular reports on sector-specific and general threats, Cyble also publishes comprehensive monthly, semi-annual, and annual reports on the threat landscape that are available for free download. Cyble’s annual threat landscape report will be published in January in the Research Reports section – and will include predictions for 2025.

Cyble’s reports and blogs – along with thousands of daily bulletins sent to threat intelligence subscribers – offer critical, reasoned judgments and insights from seasoned threat researchers into the threats and vulnerabilities meriting priority attention, along with creative solutions to those challenges.

The post Must-Read Cyble Research Reports of 2024: Trends and Key Takeaways appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

Cyble honeypot sensors detected dozens of vulnerabilities under attack in the threat intelligence leader’s most recent sensor intelligence report, including fresh attacks on an Ivanti vulnerability.

Threat actors also targeted vulnerabilities affecting PHP and the Ruby SAML library. Cyble’s Dec. 19 report noted that unpatched networks and IoT devices remain popular targets for hackers looking to breach networks and add to botnets.

The report also looked at Linux and Windows exploits, common brute-force attacks, and phishing campaigns.

Vulnerabilities Under Attack

Cyble detected fresh attacks on CVE-2024-7593, a critical authentication bypass vulnerability in the authentication algorithm implementation of Ivanti’s Virtual Traffic Manager (vTM), excluding versions 22.2R1 and 22.7R2. The 9.8-severity vulnerability can allow a remote, unauthenticated attacker to bypass admin panel authentication. It was added to CISA’s Known Exploited Vulnerabilities catalog in September, one of 11 Ivanti vulnerabilities CISA has added to the KEV catalog this year.

CVE-2024-4577 also remains under attack. The critical PHP vulnerability impacts CGI configurations and remains vulnerable in PHP versions 8.1.* before 8.1.29; 8.2.* before 8.2.20; and 8.3.* before 8.3.8. The 9.8-severity vulnerability enables attackers to execute arbitrary commands through specially crafted URL parameters.

CVE-2024-45409, a vulnerability in the Ruby SAML library designed for implementing the client side of SAML authorization, also remains a frequent target for hackers. In versions 1.12.2 and earlier, and 1.13.0 to 1.16.0, the library fails to verify the signature of SAML Responses properly. The flaw allows an unauthenticated attacker with access to a signed SAML document (issued by the IdP) to forge a SAML Response or Assertion with arbitrary contents, enabling unauthorized login as any user within the affected system. The issue has been resolved in versions 1.17.0 and 1.12.3.

Network and IoT Devices Under Attack

Network and IoT devices remain particularly popular with threat actors, as they can provide entry points into networks as well as additional nodes in a botnet. With many devices with vulnerabilities from 2023 and earlier still unpatched, Cyble noted that the following network vulnerabilities remain particularly popular with attackers:

CVE-2023-20198, a 10.0-severity vulnerability in the web UI feature of the Cisco IOS XE operating system, is being chained with CVE-2023-20273 to gain root privileges in vulnerable devices.

CVE-2023-4966 is a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateways when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

CVE-2023-1389 is a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface of TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

CVE-2023-46747 could allow undisclosed requests in F5 BIG-IP to bypass the configuration utility authentication, allowing an attacker with network access to the system through the management port and/or self-IP addresses to execute arbitrary system commands.

Vulnerabilities in real-time operating systems (RTOS) and embedded devices remain extremely popular with attackers, exposing operational technology (OT) networks with vulnerable devices to attack.

One last vulnerability hackers keep returning to is CVE-2023-47643, an unauthorized GraphQL Introspection vulnerability in the SuiteCRM Customer Relationship Management (CRM) system in versions before 8.4.2. The flaw allows an attacker to access the GraphQL schema without authentication, revealing all object types, arguments, functions, and sensitive fields such as UserHash. By understanding the exposed API attack surface, attackers can exploit this information to access sensitive data.

Linux systems remain continually under attack by CoinMiner, Mirai Botnet, and IRCBot malware, while hundreds of WannaCry ransomware samples continue to be detected each week in Windows 10, Windows Server 2016, and older systems vulnerable to CVE-2017-0147.

Remote Protocols Targeted in Brute-Force Attacks

Remote access protocols, particularly VNC (port 5900), remain popular targets of brute-force attacks. Examining the ports most targeted by the top five attacker countries, attacks originating from the United States targeted ports 5900 (42%), 22 (36%), 3389 (14%), 80 (5%), and 23 (3%). Attacks originating from Russia targeted ports 5900 (81%), 445 (7%), 22 (5%), 23 (3%), and 1433 (3%). Netherlands, Jordan, and China majorly targeted ports 5900, 22, and 445.

Security analysts are advised to add security system blocks for frequently attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

New Phishing Campaigns Detected

Cyble detected 277 new scam and phishing email addresses in the most recent weekly report. Here are six notable ones, including subject lines:

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

• Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
• Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
• Constantly check for Attackers’ ASNs and IPs.
• Block Brute Force attack IPs and the targeted ports listed.
• Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
• For servers, set up strong passwords that are difficult to guess.

Conclusion

With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching wherever possible and applying mitigations where patching isn’t possible. The large number of brute-force attacks and phishing campaigns show that attackers remain active even heading into the holiday season.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach will be key in protecting defenses against exploitation and data breaches.

The post Cyble Sensors Detect Attacks on Ivanti, PHP, SAML, Network Devices, and More appeared first on Cyble.

Blog – Cyble – ​Read More