Last year, we introduced Automated Interactivity — a feature that simulates user behavior inside the ANY.RUN sandbox to automatically force cyber attack execution. 

The first stage of Automated Interactivity focused on basic user interactions like clicking buttons and completing CAPTCHA challenges. This allowed many analysts to simplify their investigations and streamline the sandbox use via API. 

Today, we are excited to announce the release of the next stage of Automated Interactivity — the Smart Content Analysis mechanism that takes its threat detection capabilities to a new level, delivering better and more in-depth examination of the most complex attacks. 

Here’s what you need to know about this exciting upgrade. 

What is Smart Content Analysis 

Smart content analysis is a mechanism that enables Automated Interactivity to automatically execute malware and phishing attacks by identifying and detonating their key components at each stage of the kill chain. 

It works in three steps: 

• Content Identification: It scans uploaded samples for notable content, such as URLs and email attachments. 

• Content Extraction: It extracts the content that needs to be detonated to force the attack to move forward like URLs from QR codes and phishing links that were rewritten by security tools. 

• Simulated User Interactions: It then simulates user interactions with the extracted content, for instance, by opening URLs in a browser and launching malware payloads inside archives. 

How Smart Content Analysis Adapts to New Threats 

Unlike traditional automated solutions that are limited by pre-programmed algorithms, ANY.RUN’s Smart Content Analysis is built to continuously evolve with the current threat landscape. 

Our team of threat analysts update it with new attack scenarios as soon as they are detected. This ensures nearly instant adaptability to the latest threats and techniques. 

Why Use It 

The upgraded version of Automated Interactivity is an excellent addition to your security workflow, as it:  

• Improves threat detection for sandbox sessions launched via API  

• Helps security specialists with analysis by automating complex tasks, providing them with valuable insights and reducing the learning curve  

• Automates repetitive tasks, reducing the manual effort required for threat analysis and allowing analysts to focus on more strategic activities  

• Speeds up analysis by quickly identifying and analyzing threats, enabling faster response and remediation  

Types of Content It Can Detonate 

Smart Content Analysis can automatically identify and detonate different types of content when moving along the kill chain, including: 

• URLs inside QR codes: It can automatically extract and open URLs embedded within QR codes, a common tactic for phishing attempts or malware distribution.  

• Modified Links: Security solutions and spam filters can often rewrite malicious URLs to prevent them from reaching users. This can prevent automated sandboxes from forcing the attack execution beyond the safe link. Smart Content Analysis easily removes the security layer and detonates the original malicious URL. 

• Multi-Stage Redirects: Many cyber attacks employ complex chains of redirects to obfuscate their final destination. Smart Content Analysis quickly locates the hidden page by bypassing the redirect ones. 

• Email Attachments: Email attachments are a popular method for attackers to deliver malware. Smart Content Analysis can automatically process and detonate these attachments, as well as their contents. 

• Payloads within Archives: Modern attacks often utilize archives (ZIP, RAR, etc.) to bundle malicious payloads. Smart Content Analysis executes these payloads with no problem. 

Use Cases for Upgraded Automated Interactivity 

Extracting URL from QR and Solving a CAPTCHA

Let’s demonstrate how Automated interactivity works using a multi-stage phishing attack that starts with an email: 

Step 1: We upload the email file to the ANY.RUN sandbox, switch on Automated Interactivity, and start analysis. 

Step 2: Automated Interactivity launches the .eml file via Outlook, identifies a PDF attachment, and opens it. 

Step 3: After scanning the PDF, it detects a QR code, automatically extracts its embedded URL, and opens it inside a browser. 

Step 5: The opened page has a CAPTCHA challenge, a common method for evading detection. Thanks to Automated Interactivity, the sandbox successfully solves the CAPTCHA and proceeds to the next stage. 

Step 6: Once the final phishing page is loaded, the sandbox instantly assigns the “phish-url” tag to the session and marks it with the “malicious activity” label. 

Forcing Formbook Execution from an Archive Attachment 

Automated Interactivity is also excellent for analyzing malware attacks.  

Consider the following analysis session where the feature was used to detonate a sample of Formbook distributed via a phishing email. 

The service was able to automatically extract the ZIP file found in the email. It then identified a Formbook executable inside the archive and ran it to observe its behavior.

Extracting Rewritten URL 

Modern email systems are equipped with spam filtering. While it protects users against threats, it complicates the work of security analysts by blocking their access to the actual malicious content that they wish to examine. 

Automated Interactivity bypasses such filters and quickly reaches the resources controlled by the threat actors, saving analysts’ time. 

Here is a sandbox session featuring a blocked phishing URL.

The phishing link inside the analyzed email is rewritten to Microsoft’s domain safelinks[.]protection[.]outlook[.]com and now contains a warning.

While it indicates that the link is malicious, it prevents us from learning more about the threat we’re facing. 

To go beyond the block, we can simply enable Automated Interactivity and rerun the analysis.  

In the new sandbox session, the rewritten URL is skipped, and all the stages of the attack, including those requiring solving a CAPTCHA, are detonated automatically and as intended. 

This allows us to go further and discover that the attack is carried out by the Storm-1575 threat actor using the DadSec phishing platform, as shown by the corresponding tags. 

What’s Next for Automated Interactivity 

Smart Content Analysis is not the final chapter of Automated Interactivity.  

We are already working on Stage 3 — another mechanism that will further improve the detection rate and make the sandbox even better at automatically detonating attacks.  

Stay tuned for updates! 

Try It Now

See how you can speed up your analysis of the latest cyber attacks with Automated Interactivity. The feature is available to Hunter and Enterprise-plan users. It is also activated by default for all sandbox sessions launched via API. 

To manually enable Automated Interactivity: 

1. Navigate to ANY.RUN’s home screen and submit your sample

2. Switch on the Automated Interactivity (ML) toggle 

3. Run analysis 

You can get a 14-day free trial of ANY.RUN’s Interactive Sandbox to try Automated Interactivity along with other PRO features like private mode, teamwork, and advanced VM configuration. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Request free trial of ANY.RUN’s products →

The post Automated Interactivity: Stage 2 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Serious cybersecurity incidents often impact many different parties — including those who don’t typically handle IT or security matters on a daily basis. Of course, the initial response needs to focus on identifying, containing, and recovering from an incident. But once the dust has settled, the time comes for another crucial stage: learning from the experience. What can the incident teach us? How can we improve our chances of preventing similar attacks in the future? These questions are well worth answering — even if the incident caused no significant damage due to an effective response or simply luck.

Involving people

Incident analysis is important for the whole organization. It’s crucial to involve not only IT and security teams but also senior management and IT system stakeholders, as well as any third-party vendors affected by the incident or involved in its response. A productive atmosphere is crucial. It’s important to emphasize that this isn’t a witch hunt (though mistakes will be discussed). Blame-shifting and manipulating information will only distort the picture, hinder analysis, and harm the organization’s long-term security.

Many companies keep incident details under wraps, fearing reputational damage or a repeat attack. While this is completely understandable, and certain details should indeed remain confidential, striving for maximum transparency in response is important. Specifics of an attack and response should be shared, if not with the general public, then at least with a trusted circle of peers in the cybersecurity field who can then help others prevent similar attacks on their organizations.

Detailed incident analysis

Although much incident data is already collected during the response phase, post-incident analysis provides an opportunity for deeper insights. First of all, answer questions like: How and when did the adversary penetrate the organization? What vulnerabilities and technical/organizational weaknesses were exploited? How did the attack unfold? Mapping attacker actions and response efforts on a timeline helps pinpoint when anomalies were detected, how they were identified, what response measures were taken, whether all relevant teams were promptly engaged, and if escalation scenarios were followed.

The answers to these questions should be documented meticulously, referencing factual data like SIEM logs, timestamps for task creation in the task manager, timestamps for emails being sent, and so on. This enables you to build a comprehensive and detailed picture, allowing for collective evaluation of both the speed and effectiveness of each response step.

It’s also necessary to separately assess an incident’s impact on other aspects of the business, such as continuity of operations, data integrity and leaks, financial losses (both direct and indirect), and company reputation. This will help balance the scale and cost of the incident against the scale and cost of measures to strengthen information security.

Identifying strengths and weaknesses

Technical incident reports may seem to contain all the information you need, but in reality they often lack crucial organizational context. A report might state that attackers accessed the system by exploiting a certain vulnerability, and that the organization needs to patch said vulnerability on all servers. However, this superficial analysis overlooks critical questions: How long did this vulnerability remain unpatched after it was disclosed? What other known vulnerabilities exist on the servers? What are the agreed-upon patching SLAs between IT and cybersecurity? Does vulnerability prioritization exist within the company?

Each stage and process affected by the incident deserves this level of scrutiny. This holistic approach allows to assess the security landscape flaws that enabled the incident. It’s important not to focus solely on the negatives: if certain teams responded quickly and effectively or if existing processes/technologies aided in incident detection or mitigation, these aspects should also be analyzed to understand whether this positive experience can be applied elsewhere.

Human error and behavioral factors warrant special attention. What role did they play? Again, the goal isn’t to blame but to identify measures to mitigate or balance the inevitable impact of human factors in the future.

Planning for improvement

This is the most creative and organizationally challenging phase of the incident review. It requires developing effective, realistic steps to address weaknesses within resource constraints. Involving senior management in this process is especially beneficial — as the saying goes, cybersecurity budgets are never approved faster than after a major incident. Several aspects should be considered in the plan:

IT asset map update. The incident may have revealed a lot of new information about how the company’s data is processed and how processes are implemented in general. It’s often necessary to update priorities, reflecting a better understanding of which assets require the most protection.

Detection and response technologies. By analyzing which stages of the attack went undetected by defenders, and which technical measures were missing to stop the attack’s progression, the team can plan to implement additional security tools, such as EDR, SIEM, and NGFW. Sometimes it becomes clear that while the necessary tools seem to be in place, they lack automation (for example, automated response playbooks), or data streams (such as threat intelligence feeds). Or, perhaps, log storage practices facilitated their wholesale deletion by the attackers. Technology enhancements should receive special attention if the analysis showed that defenders spent an excessive amount of time manually searching for compromised hosts or other laborious tasks, lacked access to critical information, or didn’t have the tools for enterprise-wide response.

Processes and policies. Having determined whether the incident occurred due to violations of existing policies or their absence, it’s essential to address this by revisiting the entire chain of events, correcting any identified process deficiencies, and reflecting these corrections in the security policy. Ranging from processes, policies, and regulatory timelines for vulnerability and account management, to incident response playbooks — the revised company processes should ensure the prevention of any similar future incidents.

The overall incident response plan should also be updated and refined based on practical experience. It’s important to clarify which parties were unable to fully participate in the process, and how to organize rapid communication between them to ensure swift decision-making in emergencies.

Proactive measures: technology. Incidents provide an opportunity to take a fresh look at existing practices for account management and patch management. Step-by-step improvements should be planned in areas where the company hasn’t followed best practices: implementing the principle of least privilege and centralized identity management, and prioritizing and systematically addressing key infrastructure vulnerabilities.

Proactive measures: people. Each human error requires corrective measures — targeted training or even drills tailored to individual roles. It’s worth discussing what training is necessary for specific individuals, departments, or the entire organization. A major incident can be a powerful wake-up call, emphasizing the importance of information security and driving engagement in cybersecurity awareness training, even among those who usually downplay its importance.

Following updated processes may be more challenging — requiring a special effort in training. Reminders from management and an incentive program may be necessary to ensure the updated regulations are fully adopted.

Preparing for the next incident

All of the measures listed above will enhance cybersecurity resilience, and readiness for incidents — in theory. But to be sure of the result, it’s worth validating their effectiveness through cybersecurity exercises, penetration testing, or red teaming. These simulations of real cyber-incidents serve different purposes, so which combination is most suitable depends on the organization and the measures taken post-incident.

Implementing all the improvements and updated security measures can be a lengthy, phased process, so regular meetings with all involved parties are necessary to collect feedback, discuss implementation, address challenges, and explore further security enhancements. To ensure these meetings are not mere empty talk, it’s essential to agree on specific metrics and milestones to track progress effectively.

Kaspersky official blog – ​Read More

Cyble Research and Intelligence Labs (CRIL) researchers investigated 18 vulnerabilities and 10 dark web exploits in the last week – including an actively exploited Fortinet vulnerability with nearly 1 million exposed assets on the internet.

Other vulnerabilities analyzed by Cyble affect third-party Windows drivers, SharePoint, Qualcomm, Android, QNAP and more.

Here are the vulnerabilities highlighted by Cyble as meriting high-priority attention by security teams.

CVE-2024-23113: FortiOS Format String Vulnerability

CVE-2024-23113 is a critical format string vulnerability affecting Fortinet’s FortiOS, specifically within the FGFM (FortiGate to FortiManager) service. The vulnerability could allow unauthenticated remote code execution (RCE) by malicious actors.

While the vulnerability dates from February, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog last month, and Cyble researchers have seen multiple exploits and proofs of concept (PoC) targeting the vulnerability discussed on the dark web and in cybercrime forums.

Cyble’s ODIN vulnerability search tool has detected 978,000 vulnerable Fortinet instances:

CVE-2024-50550: LiteSpeed Cache plugin for WordPress

Another vulnerability with wide exposure is CVE-2024-50550, a critical privilege escalation vulnerability in LiteSpeed Cache plugin for WordPress, which is installed on over 6 million websites. Cyble honeypot sensors recently detected attacks on a different LiteSpeed vulnerability (CVE-2024-44000) and another WordPress plugin.

Cyble researchers said the new LiteSpeed vulnerability “could be leveraged to access backend databases as well to install arbitrary plugins or sniffers, leading attackers to exfiltrate payment card data and sensitive information of users,” as well as altering web pages.

CVE-2021-41285 and CVE-2020-14979: Windows Drivers

CVE-2021-41285 and CVE-2020-14979 are high-severity vulnerabilities in drivers that could allow attackers to achieve local privilege escalation to NT AUTHORITYSYSTEM in Windows Systems. A newly identified malware called “SteelFox” has been observed mining for cryptocurrency and stealing credit card data by using the “bring your own vulnerable driver” (BYOVD) technique to create a service that runs WinRing0.sys inside vulnerable drivers, leading to privilege escalation.

CVE-2024-38094: Microsoft SharePoint

CVE-2024-38094 is a high-severity remote code execution vulnerability affecting Microsoft SharePoint. Microsoft recently disclosed that the vulnerability is being exploited to gain initial access to corporate networks by attackers. Researchers also observed that attackers are targeting vulnerable SharePoint servers using publicly disclosed SharePoint proof-of-concept exploit code to plant a web shell that they later leverage to gain privileges and pivot into the compromised network.

CVE-2024-43047 and CVE-2024-43093: Android Kernel Components

CVE-2024-43047 is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that can lead to elevated privileges. CVE-2024-43093 is also a high-severity elevation of privilege flaw, impacting the Android Framework component and Google Play system updates, specifically in the Documents UI. Recently Google fixed both of the actively exploited zero-day flaws as part of its November security updates.

CVE-2024-8956 and CVE-2024-8957: PTZ Cameras

CVE-2024-8956 and CVE-2024-8957 impact PTZ cameras, which are extensively used in organizations around the world for applications such as live streaming, security surveillance, and conference automation. The critical vulnerabilities can also be chained by attackers to execute arbitrary OS commands on these devices, as well as access sensitive data such as usernames, password hashes, and device configuration details.

CVE-2024-10443: Synology NAS Devices

CVE-2024-10443 is a critical vulnerability in Synology’s BeeStation and DiskStation NAS devices, specifically within the BeePhotos and SynologyPhotos applications, which are designed to provide user-friendly personal cloud storage solutions. The vulnerability can allow remote attackers to execute arbitrary code. As NAS devices are commonly used to store sensitive data by both home and enterprise customers, Cyble researchers have assessed that attackers could attempt to leverage the vulnerability to breach the systems and steal data.

CVE-2024-50387: QNAP

CVE-2024-50387: This as of yet unclassified vulnerability detailed in a QNAP advisory was revealed at Pwn2Own 2024. It is a critical SQL injection (SQLi) vulnerability impacting QNAP’s SMB Service, which is the vendor’s implementation of the Server Message Block (SMB) protocol within QNAP NAS devices, enabling file sharing and network services across Windows and other operating systems.

Dark Web and Cybercrime Forum Exploits

Here are 7 vulnerabilities and exploits that Cyble researchers observed under active discussion on underground forums and Telegram channels, plus claims of zero-day vulnerabilities for sale in Palo Alto Networks and Microsoft products.

CVE-2024-6778: A high-severity vulnerability affecting the Chromium web browser prior to version 126.0.6478.182. The vulnerability arises from a race condition in the DevTools component. An attacker can convince a user to install such an extension, allowing them to inject arbitrary scripts or HTML into privileged pages, thereby facilitating a sandbox escape.

CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability identified in pfSense version 2.5.2. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.

CVE-2024-44193: A vulnerability affecting Apple iTunes for Windows, specifically versions prior to 12.13.3. The vulnerability allows local attackers to potentially elevate their privileges on affected systems, posing significant security risks.

CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. This vulnerability allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.

CVE-2024-40711: A critical vulnerability in Veeam Backup & Replication software classified as a deserialization of untrusted data issue. This vulnerability allows unauthenticated remote code execution (RCE), enabling attackers to execute arbitrary code on affected systems without requiring any authentication.

CVE-2024-0311: A cybersecurity vulnerability identified in the Skyhigh Client Proxy, this flaw allows a malicious insider to bypass existing security policies without needing a valid release code, which can potentially lead to unauthorized access to sensitive data or applications.

CVE-2024-20419: The critical vulnerability affecting Cisco’s Smart Software Manager On-Prem (SSM On-Prem) arises from improper validation in the password change functionality, allowing unauthenticated remote attackers to change user passwords without prior knowledge of the existing password.

Cyble researchers also observed zero-day vulnerabilities being offered for sale on dark web forums, including a remote code execution (RCE) vulnerability in Palo Alto’s PAN-OS, and a privilege escalation (LPE) vulnerability in Windows that a threat actor was asking US$200,000 to $400,000 for. Palo Alto issued an advisory stating that it is aware of the PAN-OS claim.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

• To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
• Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
• Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
• Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
• Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
• Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
• Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post IT Vulnerability Report: Exposed Fortinet Vulnerabilities Approach 1 Million appeared first on Cyble.

Blog – Cyble – ​Read More

The Patch Tuesday for November of 2024 includes 89 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.”

CVE-2024-43639 is a remote code execution vulnerability in Windows Kerberos that could be exploited by an attacker by creating a specially crafted application to leverage a vulnerable cryptographic protocol. While considered “critical” it was determined that exploitation is “less likely” and not been detected in the wild.

CVE-2024-43625 is a privilege escalation vulnerability in a VMSwitch driver, which is a networking component of Hyper-V. An attacker could exploit this by sending a specific series of network packets to the driver to trigger a “use after free” vulnerability in the Hyper-V host, allowing the attacker to execute arbitrary code with elevated privileges.Although classified as “critical,” exploitation was deemed “less likely” and the attack complexity considered “high.” Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43602 is a remote code execution vulnerability in Azure CycleCloud. Although marked as “critical,” Microsoft has determined that exploitation is “less likely.” If an attacker has gained basic user privileges they may be able to exploit this by sending specially crafted packets to the Azure CycleCloud cluster to gain root privileges. Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43498 is a “critical” remote code execution vulnerability in .NET and Visual Studio. Microsoft has assessed exploitation of this vulnerability as “less likely.” A remote attacker could exploit a vulnerable .NET web app by sending specially crafted packets, or loading a specially crafted file into a vulnerable application. In the wild exploitation of this vulnerability has not been detected by Microsoft.

Of the vulnerabilities included in the release, several “important” updates were listed as “exploitation more likely”. These updates are listed below:

• CVE-2024-49033 – Microsoft Word Security Feature Bypass Vulnerability
• CVE-2024-43623 – Windows NT OS Kernel Elevation of Privilege Vulnerability
• CVE-2024-43629 – Windows DWM Core Library Elevation of Privilege Vulnerability
• CVE-2024-43630 – Windows Kernel Elevation of Privilege Vulnerability
• CVE-2024-43636 – Win32k Elevation of Privilege Vulnerability
• CVE-2024-49019 – Active Directory Certificate Services Elevation of Privilege VulnerabilityCisco Confidential
• CVE-2024-43642 – Windows SMB Denial of Service Vulnerability

Additionally, Talos would like to highlight the following “important” vulnerabilities as exploitation has been detected by Microsoft:

• CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability
• CVE-2024-49039 – Windows Task Scheduler Elevation of Privilege Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62022, 62023, 64218-64224, 64229, 64232 and 64233. There are also Snort 3 rules 301064, 300612, 301065, 301066 and 301073.

Cisco Talos Blog – ​Read More

Contrary to the popular belief that anything online stays online, the internet doesn’t remember everything. In a previous post in this series, we examined no fewer than nine scenarios in which you could lose access to online content. We also provided a detailed guide to what information you absolutely must (and preferably quickly) back up to your computer and how to do it. Today, we’ll discuss how to easily save web pages to your computer, how to organize these archives, and what to do if your favorite site has gone AWOL.

Let’s say you want to save a blog post with a recipe, compile a bibliography for your research paper, or even preserve a specific online publication for legal purposes. All of the above are published as web pages — which have a tendency to disappear at the wrong moment. Want to reminisce about music news and gossip from 2005? Good luck with that — the MTV News site shut down and all its articles and interviews are no longer available. Check references in Wikipedia articles? 11% of them lead nowhere, even though they were working when the article was published. This phenomenon of “link rot” — the gradual deletion or relocation of online content — is rapidly becoming a major problem. 38% of pages that existed ten years ago are no longer accessible today. So, if there’s a web page out there that you like or need, the wise move would be to create a backup.

How to save a web page to your computer

Since a web page consists of dozens or even hundreds of files, backing it up will require a bit of effort. Here are the main ways to do it:

Save only the text as an HTML file. Select the “Save page as…” menu command or button in your browser and then select “Webpage, HTML Only”. This will only save the text of the web page, without any graphics or other eye candy.

Save text and images. The “Webpage, Complete” option will create, besides an HTML file, a folder with the same name containing all graphic elements, styles, and scripts from the page. A downside of this option is that saving a lot of auxiliary files clutters your drive. The “Webpage, Single File” option is more convenient, bundling the web page and all its resources into a single .mhtml file. This will open freely in Chrome or Edge, but other browsers may have issues. This option is not available in all browsers, but if you install the SingleFile extension (available for most browsers), you can save the entire web page and its media content as a single HTML file that opens perfectly fine in all modern browsers.

Print to PDF. To preserve the main content of the page, but scrap menus and banners, your best option is Print to PDF. The resulting file will open on any computer.

With any of these options, make sure that the main text that you actually want to keep is still readable when you open the document.

An easier way to save a web page

The methods described above are a bit time-consuming and create clutter on your hard drive. For greater convenience, use a dedicated service such as Pocket (formerly Read It Later), wallabag, or Raindrop.io. They all work the same way: you send a link from which the service retrieves a document with all the illustrations, cleans the page of anything unnecessary, and saves it in your personal online storage. Even if the original page gets deleted or modified, the version you want will remain in your archive. These services allow you to group and sort your links, search for text inside, and view your saved pages on any device. For desktop, there’s an extension available for all the major browsers; and for mobile, there’s an app.

All these services offer an “eternal” archive only with a premium subscription, meaning you’ll have to pay for the convenience. That said, Wallabag is open-source — you can install it on your own server and not pay for third-party services or worry about the service getting shut down.

Some note-taking apps can also save complete web pages. These include Evernote, where the feature is called “Web Clipper”.

How to save a web page for others

If it’s not just a copy for yourself that you need, but to share a certain version of the page with others, you’ll need a public-archiving service.

The best-known is the Internet Archive (archive.org) and its Wayback Machine. Other options include archive.today (aka archive.is), perma.cc, and megalodon.jp. They all work on a similar principle: either at the user’s request or automatically they visit web pages and save a copy on their servers.

To request archiving of a web page, go to web.archive.org and enter the full address in the Save Page Now box. After you click Save, a window appears describing all of the page’s loaded components, followed by a permanent link to the site in its preserved state. It looks like this: https://web.archive.org/web/20240924045754/https://www.kaspersky.com/blog. The link shows both the address of the saved page and the exact time of saving — perfect for archival purposes.

Registering on archive.org lets you manage a collection of such links, take screenshots of saved sites, and download copies of them in the special web-archiving format.

On archive.org, you can view previously saved versions of websites and save the current state of any site — for example, our blog

On opening the archive link, you’ll see the saved page with a timestamp indicating when the snapshot was taken. This feature is useful for tracking and demonstrating changes in website data: price fluctuations, product description updates, edited news reports, and deleted information. The latter is particularly important for historical and cultural researchers based on defunct websites. Below, you can check out one of the first versions of GeoCities, a once popular web-hosting service that let you create “home pages”, express yourself, and find friends with shared interests long before social networks. It’s only thanks to the Wayback Machine that we can see it now — the site closed shop in 2016.

A gift for the old-timers: one of the earliest versions of GeoCities.com

How to find deleted internet content or an old version of a website

To view an old version of any website:

• Open archive.org.
• Enter the full address of the website or a specific page in the box next to the logo and click Enter. If the exact URL is unknown, you can enter the name of the website or words that describe it well.
• Select the desired website from the list. The results show at a glance how many copies are archived and for what period.
• Use the calendar to select which of the saved copies of the site you wish to view. Dates for which there is a saved copy are circled — the larger the circle, the more copies were made that day.
• Click the desired date and inspect the saved site. Note that loading a copy from the archive may take a few minutes.
• The calendar graph above the site copy lets you navigate to older and newer copies.

How to explore old versions of sites at web.archive.org

You can copy the link to the retrieved copy from the address bar to access the archived site directly, bypassing the search interface.

What if archive.org can’t help

The foundation behind archive.org sometimes complies with the requests of copyright holders and other authorized parties to exclude certain sites from the Wayback Machine. Also, the service never aimed to preserve the entire internet, so it may happen that the page you need was never indexed. In such cases, try looking for it in other time capsules.

Archive.today (aka archive.is) doesn’t automatically save pages — it does so only at the request of users. Among other things, this does away with having to follow instructions for search robots (robots.txt), and means that the archive contains documents that aren’t available in the Wayback Machine.

Another important web-archiving project is perma.cc, created by a consortium of major world libraries. However, it’s only free for participating organizations. Individual users can subscribe to a paid plan, with pricing based on the number of archived links.

A powerful alternative to specialized archives is search engines’ cached content. To index any web page, search engines retrieve its text, so a crude but readable version of almost any page can be found there. For a long time, Google’s cache was the most accessible, but in early 2024, the search giant removed the direct link to its cache from search results. The service still works, but accessing it directly is very difficult.

Therefore, it’s better to use browser extensions that make internet archives easier to work with. For example, if a link takes you to a deleted page or a defunct website, the Web Archives extension redirects you straight to an archived copy of this page at web.archive.org, archive.today, or perma.cc, or shows a cached version of it from Google, Bing, or Yandex.

How to save data from other online services

Besides web pages, there are many other online services — from photo albums and notes to social networks — that hold data you also may want to save. Of course, recommendations vary for different types of data and specific services, but for your convenience, we’ve grouped all related instructions under the backup tag. You can read about creating backups for:

• Notion
• Telegram
• WhatsАpp
• 2FA authenticator apps
• Other services

And don’t forget to safeguard your backups against ransomware and spyware!

Kaspersky official blog – ​Read More