Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and Others

/in

Cyble Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and Others

Key vulnerabilities in SAP, Microsoft, Fortinet, and others demand immediate attention as threat actors exploit critical flaws.

Overview

Cyble Research and Intelligence Labs (CRIL) analyzed significant IT vulnerabilities disclosed between January 8 and 14, 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft released its January 2025 Patch Tuesday updates, addressing 159 vulnerabilities, including eight zero-days, three of which are under active exploitation.

Other notable vulnerabilities this week are flaws in SAP NetWeaver Application Server and other high-profile products. CRIL’s monitoring of underground forums also revealed discussions on critical zero-day vulnerabilities and their potential weaponization.

Key Vulnerabilities

SAP NetWeaver and BusinessObjects

  • CVE-2025-0070: Improper authentication in SAP NetWeaver AS for ABAP, enabling privilege escalation.

  • CVE-2025-0066: Weak access controls leading to unauthorized information disclosure.

  • CVE-2025-0063: SQL injection vulnerability allowing unauthorized database manipulation.

  • CVE-2025-0061: Session hijacking in SAP BusinessObjects, risking sensitive data exposure.

Impact: SAP NetWeaver’s foundational role in critical industries like finance, healthcare, and manufacturing makes these vulnerabilities particularly concerning.

Mitigation: Patches are available for all vulnerabilities, and immediate application is recommended.

Fortinet FortiOS

  • CVE-2024-55591: A critical authorization bypass vulnerability in FortiOS with a CVSS score of 9.8, allowing unauthorized users to execute arbitrary commands.

Impact: Exploited in the wild, this vulnerability has been observed in attempts to gain super-admin privileges on affected systems.

Mitigation: Upgrade FortiOS to the latest patched versions (7.0.17 or above for version 7.0 and 7.2.13 or above for version 7.2).

Also read: Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

Microsoft Hyper-V

  • CVE-2025-21333, CVE-2025-21334, CVE-2025-21335: Use-after-free and buffer overflow vulnerabilities in Microsoft Hyper-V NT Kernel Integration VSP.

Impact: These vulnerabilities pose risks of denial-of-service or privilege escalation within virtualized environments.

Mitigation: Apply Microsoft’s January Patch Tuesday updates.

Vulnerabilities on Underground Forums

CRIL observed active discussions and Proof-of-Concept (PoC) code for vulnerabilities on underground forums:

  • CVE-2024-55956: Critical unauthenticated file upload vulnerability in Cleo Harmony, VLTrader, and LexiCom products, allowing arbitrary code execution.

Observed Activity: PoC shared on Telegram by a threat actor.

  • CVE-2024-45387: SQL injection vulnerability in Apache Traffic Ops, enabling attackers to execute SQL commands against backend databases.

Observed Activity: Threat actor “dragonov_66” posted PoC on cybercrime forums.

Additionally, a threat actor advertised for sale zero-day pre-authentication Remote Code Execution (RCE) vulnerabilities affecting GoCloud Routers and Entrolink PPX VPN services.

CISA’s Known Exploited Vulnerabilities (KEV) Catalog

The following vulnerabilities were added to CISA’s KEV catalog:

CVE ID Vendor Product CVSSv3 Exploitation
CVE-2025-21335 Microsoft Windows 7.8 Not observed
CVE-2024-55591 Fortinet FortiOS 9.8 Observed
CVE-2023-48365 Qlik Sense 9.8 Observed
CVE-2025-0282 Ivanti Connect Secure 9.0 Observed

Also read: Inside the Active Threats of Ivanti’s Exploited Vulnerabilities

Recommendations

To mitigate risks associated with the identified vulnerabilities:

  • Apply Patches Promptly:
    • Install vendor-released patches for all affected products immediately.

    • Use tools like Fortinet’s upgrade path utility for smooth version transitions.

  • Implement Network Segmentation:
    • Isolate critical assets using VLANs and firewalls.

    • Restrict access to administrative interfaces through IP whitelisting.

  • Monitor for Indicators of Compromise (IoCs):
    • Analyze logs for suspicious activities, such as unauthorized account creation or modifications to security policies.

    • Investigate IPs associated with malicious activity:
      • 45.55.158.47

      • 87.249.138.47

      • 149.22.94.37

  • Strengthen Incident Response Plans:
    • Regularly test and update incident response protocols to address emerging threats.

  • Enhance Visibility:
    • Maintain an up-to-date inventory of assets and perform regular vulnerability assessments.

  • Adopt Multi-Factor Authentication (MFA):
    • Ensure strong authentication measures for all accounts, especially admin accounts.

  • Engage in Threat Intelligence Monitoring:
    • Stay informed about security advisories from vendors and public authorities, including CISA and CERTs.

The post Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and Others appeared first on Cyble.

Blog – Cyble – ​Read More

Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques

/in

Cyble Germany Sliver

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has identified an ongoing cyberattack – targeting organizations in Germany.

  • The attack is initiated through a deceptive LNK file embedded within an archive. When executed by an unsuspecting user, this LNK file triggers cmd.exe to copy and run wksprt.exe, a legitimate executable.

  • This executable sideloads a malicious DLL that employs DLL proxying, ensuring the host application continues to operate seamlessly while executing malicious shellcode in the background.

  • The shellcode ultimately decrypts and executes the final payload: Sliver, a well-known open-source Red Team/adversary emulation framework.

  • Once deployed, Sliver functions as an implant, enabling threat actors to establish communication with the compromised system and conduct further malicious operations, thereby enhancing their control over the infected network.

Overview

Cyble Research & Intelligence Labs (CRIL) recently identified an ongoing campaign involving an archive file containing a deceptive LNK file. While the initial infection vector remains unclear, this attack is likely initiated via spear-phishing email.

The archive file “Homeoffice-Vereinbarung-2025.7z,” once extracted, contains a shortcut (.LNK) file along with several other components, including legitimate executables (DLL and EXE files), a malicious DLL file, an encrypted DAT file, and a decoy PDF. Interestingly, the creation times of most files in the archive are about a year old, with only the lure document being recently created. This suggests that the Threat Actor (TA) has not updated their core components, opting instead to introduce a new lure document to maintain the campaign’s relevance.

Upon execution, the LNK file triggers the opening of a decoy document, masquerading as a Home Office Agreement. This document serves as a lure to deceive the user. Concurrently, the LNK file also executes a legitimate executable, which subsequently performs DLL sideloading. The legitimate executable loads the malicious DLL, which is designed to retrieve and decrypt the shellcode from the DAT file stored in the same extracted archive. This entire process occurs entirely in memory, enabling the attack to evade detection by security products.

The shellcode is designed to decrypt and execute an embedded payload, a Sliver implant—an open-source red teaming and command and control framework employed by the TA for further malicious actions. Upon execution, the implant establishes connections to specific remote servers/endpoints, enabling the TA to conduct additional malicious operations on the victim’s system.

The figure below provides an overview of the infection process.

Cyble Figure 1 - Infection Chain
Figure 1 – Infection chain

Technical Details

The attack begins once the victim extracts an archive file, likely delivered via an email attachment, containing several files:

  • IPHLPAPI.dll – malicious DLL file

  • IPHLPLAPI.dll – renamed legitimate IPHLPAPI.DLL

  • ccache.dat – Contains Encrypted Shellcode

  • wksprt.lnk  – Shortcut file to load wksprt file

  • 00_Homeoffice-Vereinbarung-2025.pdf – Lure document

  • Homeoffice-Vereinbarung-2025.pdf.lnk – Main shortcut file

However, only Homeoffice-Vereinbarung-2025.pdf.lnk, disguised as a PDF, is visible, while the other files remain hidden. When the user runs this LNK file, it triggers cmd.exe to execute a series of commands, copying files to specific directories and performing additional tasks. The image below shows the command embedded in the LNK file.

Cyble Figure 2 - Contents of the .LNK file
Figure 2 – Contents of the .LNK file

Following the execution of the LNK file, a directory named “InteI” is created within the user’s local app data folder (%localappdata%InteI). A legitimate Windows file, wksprt.exe, from C:WindowsSystem32 is then copied into this newly created InteI directory. Subsequently, the hidden files IPHLPAPI.dll, IPHLPLAPI.dll, and ccache.dat are copied into the “InteI” directory, with their hidden attributes preserved.

To establish persistence on the victim’s machine, wksprt.lnk, one of the files from the extracted folder, is copied to the Startup folder (%appdata%MicrosoftWindowsStart MenuProgramsStartup). This LNK file is designed to execute wksprt.exe, which has been copied to the “InteI” directory, ensuring that the executable runs automatically upon system startup.

Cyble Figure 3 - Command line parameters of LNK file
Figure 3 – Command line parameters of LNK file

Before the final step, the decoy file “00_Homeoffice-Vereinbarung-2025.pdf” is executed to maintain the appearance of a legitimate document being opened.

Cyble Figure 4 - Lure document
Figure 4 – Lure document

The lure document is a Home Office Agreement (Homeoffice-Vereinbarung) written in German, serving as a supplementary agreement to an existing employment contract between an organization and an employee, outlining the terms for remote work. Based on the content of this lure document, we believe this campaign is designed to target individuals or organizations in Germany. Furthermore, the initial .7z file was observed to have been uploaded to VirusTotal from a German location, supporting this assessment. Finally, wksprt.exe is launched from the “InteI” directory to carry out further actions.

The malicious DLL file has a very low detection rate, as shown below.

Cyble Figure 5 - Low Detection rate of Malicious DLL file
Figure 5 – Low Detection rate of Malicious DLL file

DLL Sideloading and DLL Proxying:

The legitimate executable wksprt.exe sideloads a malicious DLL (IPHLPAPI.dll) from the current directory. The malicious IPHLPAPI.dll then loads a slightly renamed legitimate DLL (IPHLPLAPI.dll), designed to appear authentic. Both DLLs export the same functions, as shown below.

Cyble Figure 6 - Export functions of both DLLs
Figure 6 – Export functions of both DLLs

The malicious DLL acts as a proxy, intercepting function calls from the executable and forwarding them to the legitimate DLL, which contains the actual implementation of the function, as shown below.

Cyble Figure 7 – DLL proxying
Figure 7 – DLL proxying

The forwarding of function calls ensures that the application maintains its normal behavior while allowing the malicious DLL to execute its own code. In addition, the malicious DLL spawns a new thread to read the contents of the file ccache.dat, as shown below.

Cyble Figure 8 - Reading the encrypted content from the .dat file
Figure 8 – Reading the encrypted content from the .dat file

After the “ccache.dat” file’s content is read, the malicious thread decrypts the malicious data. It employs the following cryptographic APIs for key generation and decryption:

  • CryptAcquireContextW

  • CryptCreateHash

  • CryptHashData

  • CryptDeriveKey

  • CryptDecrypt

The thread now copies the decrypted content to the newly allocated memory and executes it. The figure below shows the decrypted content of “ccache.dat” and the control transfer to the decrypted content.

Cyble Figure 9 - Decrypted content
Figure 9 – Decrypted content

The decrypted content is a shellcode that runs another decryption loop to retrieve the actual payload embedded within it, as shown below.

Cyble Figure 10 - Final payload
Figure 10 – Final payload

The shellcode is designed to execute the embedded Sliver implant—an open-source red teaming framework used for malicious purposes by the TAs. Once executed, the implant connects to the following endpoints to carry out additional activities on the victim’s system.

  • hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.html

  • hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.php

Attribution

While we cannot definitively attribute this campaign to any specific group at this point, the initial infection vector, stager DLL behavior, shellcode injection, and Sliver framework exhibit patterns typically associated with APT29 in past campaigns. Additionally, this group has frequently employed the DLL sideloading technique in its operations. However, the most recent sample analyzed introduces DLL proxying, a technique not previously observed in APT29’s campaigns.

Conclusion

This campaign targets organizations in Germany by impersonating an employee agreement for remote working. Using this lure, the threat actors deploy a deceptive LNK file and malicious components to gain an initial foothold on the victim’s system, leading to its compromise and further exploitation.

By employing advanced evasion techniques such as DLL sideloading, DLL proxying, shellcode injection, and the Sliver framework, the attackers effectively bypass traditional security measures. This multi-stage cyberattack highlights the increasing sophistication and adaptability of threat actors, underscoring the growing complexity of APT operations and the urgent need for enhanced detection and defense strategies.

Yara and Sigma rules to detect this campaign are available for download from the linked Github repository.  

Our Recommendations

  • The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.

  • Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.

  • Use application whitelisting to prevent unauthorized execution of LNK files and other suspicious components.

  • Deploy Endpoint Detection and Response (EDR) solutions to identify and block malicious behaviors, such as DLL sideloading and shellcode injection.

  • Monitor for anomalous network activities, such as unexpected outbound connections, to detect Sliver framework-related activities.

MITRE ATT&CK® Techniques

Tactic Technique Procedure
Initial Access (TA0001) Phishing (T1566) The archive file may be delivered through phishing or spam emails
Execution  (TA0002)  Command and Scripting  
Interpreter (T1059		 TAs abuse command and script interpreters to execute commands
Persistence 
(TA0003) 		 Registry Run Keys / Startup  
Folder (T1547.001		 Creates persistence by  
adding a lnk to a startup folder
Privilege  
Escalation  (TA0004)  		 Hijack Execution Flow:  
DLL Side-Loading (T1574.002		 Execute malicious Dll using Dll Sideloading 
Defense Evasion (TA0005)  Obfuscated Files or  
Information (T1027.002)		 Binary includes encrypted data
Command and Control (TA0011) Application Layer Protocol: Web Protocols (T1071.001 Implant communicates with its C&C server

Indicators of Compromise (IOCs)

Indicators Indicator Type Description
83a70162ec391fde57a9943b5270c217d63d050aae94ae3efb75de45df5298be SHA-256 Archive File
f778825b254682ab5746d7b547df848406bb6357a74e2966b39a5fa5eae006c2 SHA-256 LNK file
9b613f6942c378a447c7b75874a8fff0ef7d7fd37785fdb81b45d4e4e2d9e63d SHA-256 Malicious DLL
86f8a979bd887955f0491a0ed5e00de2f3fe53e6eb5856fb823115ce43b7c0ca SHA-256 Encrypted .dat file

References

https://lab52.io/blog/2162-2/
https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf
https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence

The post Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques appeared first on Cyble.

Blog – Cyble – ​Read More

AI Takes the Center Stage in Biden’s Landmark Cybersecurity Order

/in

Cyble AI Takes the Center Stage in Biden’s Landmark Cybersecurity Order

Overview

Outgoing U.S. President Joe Biden issued an order yesterday outlining measures to improve government cybersecurity. The lengthy order includes suggestions to improve cloud and software security by building requirements into the federal acquisition process. It also orders federal agencies to adopt a number of cybersecurity technologies and practices and takes a forward-thinking approach to AI.

As the culmination of efforts that began nearly four years ago in response to the Colonial Pipeline ransomware attack, the order is also valuable as a “lessons learned” document from an Administration that has had much to deal with in four years of dramatic cybersecurity events.

Cloud, Software Security Goals

Biden’s final cybersecurity plan is also ambitious in its implementation timeline, as many of the initiatives would be completed within a year.

The lead federal agencies would develop contract language requiring software providers to attest and validate that they use secure software development practices. Open-source software would also be included in the plans, as agencies would be given guidance on security assessments and patching, along with best practices for contributing to open-source projects.

Federal government contractors would be required to follow minimum cybersecurity practices identified by NIST “when developing, maintaining, or supporting IT services or products that are provided to the Federal Government.”

Cloud service providers that participate in the FedRAMP Marketplace would create “baselines with specifications and recommendations” for securely configuring cloud-based systems to protect government data.

IAM, Post-Quantum Encryption Goals

Federal agencies would be required to “adopt proven security practices” to include in identity and access management (IAM) practices. Pilot tests for commercial phishing-resistant standards such as WebAuthn would be conducted to help those authentication efforts.

The Biden plan says post-quantum cryptography (PQC) – in at least a hybrid format – should be implemented “as soon as practicable upon support being provided by network security products and services already deployed” in government network architectures.

The plan also requires secure management of access tokens and cryptographic keys used by cloud service providers and encryption of DNS, email, video conferencing, and instant messaging traffic.

CISA would lead the development of “the technical capability to gain timely access” to data from agency EDR solutions and security operation centers (SOCs) to enable rapid threat hunting.

BGP’s security flaws are also addressed, with requirements that ISPs implement routing security measures such as Route Origin Authorizations, Route Origin Validation, route leak mitigation, and source address validation.

AI Cybersecurity Innovation

The executive order says AI “has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.”

AI cybersecurity implementation would start with a pilot program on the use of AI to improve critical infrastructure security in the energy sector. That program may gauge the effectiveness of AI technologies in detecting vulnerabilities, automating patch management, and identifying malicious threats.

The Department of Defense would start its own program on the use of “advanced AI models for cyber defense.”

The order asks science and research agencies to prioritize research on AI cybersecurity that meets the following criteria:

  • Human-AI interaction methods to assist with defensive cyber analysis

  • AI coding security assistance, including the security of AI-generated code

  • Designing secure AI systems

  • Methods for “prevention, response, remediation, and recovery of cyber incidents involving AI systems.”

Conclusion

Biden’s cybersecurity order is the culmination of four years which began even before the Colonial Pipeline incident with the SolarWinds software supply chain attack.

The order includes longer-term goals, including a three-year plan for modernizing federal information systems, networks, and practices, with a focus on zero-trust architectures, EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication.

The post AI Takes the Center Stage in Biden’s Landmark Cybersecurity Order appeared first on Cyble.

Blog – Cyble – ​Read More

Find the helpers

/in

Find the helpers

Welcome to this week’s edition of the Threat Source newsletter. 

“When I was a boy and I would see scary things in the news, my mother would say to me, ‘Look for the helpers. You will always find people who are helping.’” 

 ― Fred Rogers 

There’s no world where following Mr. Roger’s advice is wrong. With the wildfires raging in Greater Los Angeles now more than ever I am very aware of the need to look for the helpers. I get it, I see the news and it’s overwhelming and terrifying. So Gentle Reader I’m asking that instead of just finding the helpers – be the helper.  
 
I’d like everyone to take a moment and think about what you can do to be a helper – not just with the catastrophic fires and the incredible destruction but in your own world. In your home life and in your work life. Nothing is more intrinsic to information security than the sharing of knowledge and information. It’s how we all got the roles that we are in now. The older I get the more joy I find in sharing anything and everything that I know. I’m proud to be a mentor in Cisco’s Women in Cybersecurity and outside of work I’ve started volunteering to teach English as a second language – and cannot tell you how rewarding both are. There are so many incredible non-profits that you can give your time and money. Do both. There are so many infosec groups that are in need of your time, your invaluable experience, and mentorship. Be the helper. Find a local group, find an internal team within your organization, and if you can’t find one – create one.  
 
Be the helper.  

Let’s use this terrible event as a driver to push us all to do more to be the helpers. After all, what would Mr. Rogers do?  

The one big thing 

Cisco Talos discovered forty-four vulnerabilities, and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.   

 The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability 

Why do I care? 

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials. With the ongoing state-sponsored attacks on infrastructure this is critical to a secure environment.  

So now what? 

 
Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the exploitation of these vulnerabilities.  

Top security headlines of the week 

Hackers are exploiting a new Fortinet firewall bug to breach company networks. (TechCrunch

CISA is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog. The medium-severity security bug was found as a part of BeyondTrust’s Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. (DarkReading)  

Microsoft rings in 2025 with record security update. Microsoft has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting. (DarkReading)  

Can’t get enough Talos? 

Our latest Talos Takes podcast sees Hazel sits down with Vanja Svajcer to discuss new research on vulnerable drivers.

Upcoming events where you can find Talos 

Cisco Live EMEA (February 9-14, 2025)   
Amsterdam, Netherlands 

Most prevalent malware files from Talos telemetry over the past week  

 SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

  

VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

  

  

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

 VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Detection Name: Simple_Custom_Detection 

  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: N/A   

Detection Name: Coinminer:MBT.26mw.in14.Talos 

  

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   

MD5: 7bdbd180c081fa63ca94f9c22c457376  

  

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0 

Typical Filename: c0dwjdi6a.dll  

Claimed Product: N/A   

Detection Name: Trojan.GenericKD.33515991 

Cisco Talos Blog – ​Read More

Government Sector Bears the Brunt of Cyberattacks in Ukraine: Report 

/in

Cybe Inc | ukrain-cyberthreat

Overview 

Ukraine’s fight against cyberthreats has reached new heights, with its top cybersecurity agency releasing the 2024 annual cyberthreat landscape report detailing its efforts to protect critical infrastructure and government systems.  

The report, prepared by the State Cyber Defense Center under the State Service for Special Communications and Information Protection, outlines key findings, incident statistics, and strategies employed to counteract persistent cyber threats. 

Key Findings 

Ukraine processed a staggering 3 million security events in 2024, a reflection of the heightened activity in its cyber domain. Of these, over 1,000 incidents were confirmed as direct cyberthreats.  

The year saw a surge in advanced persistent threats (APTs) and state-sponsored cyber espionage campaigns, with attackers leveraging legitimate services to obfuscate their malicious activities. 

  • Malware Dominance: Over 58% of incidents involved malicious software, ranging from ransomware to spyware designed for prolonged infiltration. These attacks targeted data exfiltration and operational disruption. 

  • Sectoral Breakdown: Government agencies accounted for 90% of reported incidents, making them a primary target for the year. The energy sector, critical to Ukraine’s resilience, and the defense sector, pivotal in ongoing geopolitical conflicts, also faced significant threats. 

  • Primary Attack Vectors: Phishing campaigns remained the predominant method of attack. Threat actors exploited spear-phishing emails laden with malicious attachments or links, leveraging human error as an entry point. 

The Major Threat Clusters 

Ukraine identified three major threat actor clusters, each with distinct methodologies and objectives that remained most active in the year gone by: 

  1. UAC-0010 (Gamaredon/Trident Ursa): 

  • Activity: Conducted over 270 documented incidents in 2024. 

  • Tactics: Utilized tailored malware delivery mechanisms, including infected removable media and phishing emails. 

  • Targets: Government institutions, military organizations, and diplomatic entities. 

  • Objective: Cyber espionage aimed at gathering intelligence on Ukraine’s governance and defense. 

  1. UAC-0006: 

  • Activity: Responsible for 174 attacks, particularly in the financial sector. 

  • Tactics: Employed SmokeLoader malware to infiltrate systems and extract sensitive data. 

  • Objective: Financial gain through data theft and subsequent ransom demands. 

  1. UAC-0050: 

  • Activity: Linked to 99 incidents with a mix of espionage and sabotage. 

  • Tactics: Relied heavily on phishing and malware propagation via compromised email accounts. 

  • Objective: Espionage with a secondary focus on spreading disinformation. 

Advanced Tools and Techniques 

To combat increasingly sophisticated threats, Ukraine’s SOC deployed a range of advanced tools and methodologies: 

  • Network Detection and Response (NDR): SOC teams monitored anomalies in traffic patterns across 69 sensors strategically placed in critical networks. These sensors facilitated early detection of intrusions. 

  • Endpoint Detection and Response (EDR): Secured over 28,000 devices, providing a critical layer of defense against endpoint-based attacks. 

  • Attack Surface Management (ASM): Regular scans of over 1,200 assets enabled the identification and mitigation of vulnerabilities before they could be exploited. 

  • SOAR and AI Integration: The integration of Security Orchestration, Automation, and Response (SOAR) with AI algorithms streamlined incident response processes, reducing detection-to-remediation times significantly. 

Sector Specific Insights 

Ukraine’s cyber agency’s analysis provides a granular view of the sectors most impacted by cyber threats

  • Government Agencies: As the backbone of Ukraine’s operational and strategic initiatives, government networks faced relentless attacks. Over 90% of incidents were concentrated here, ranging from attempts to steal classified information to disruptions in communication systems. 

  • Energy Sector: With Ukraine’s energy infrastructure being a critical target, adversaries focused on disrupting power grids and supply chains, aiming to weaken national stability. 

  • Defense Sector: Sophisticated attacks aimed to infiltrate military communications and logistics systems, compromising national security. 

Recommendations for Enhanced Cyber Resilience 

Ukraine’s cyberthreat landscape suggests a multi-layered approach to cybersecurity, advocating for the following measures: 

  1. Regular Software Updates: Ensure that all systems, software, and firmware are updated promptly to address known vulnerabilities. 

  2. Advanced Email Security: Deploy filters to detect and block phishing attempts, and train employees to recognize suspicious communications. 

  3. Comprehensive Endpoint Protection: Utilize advanced antivirus and EDR solutions to secure devices against malware and unauthorized access. 

  4. Network Segmentation: Isolate critical systems from less secure areas to limit the scope of potential breaches. 

  5. Multi-Factor Authentication (MFA): Enforce MFA across all user accounts to bolster identity verification processes. 

  6. Incident Response Plans: Develop and regularly test robust incident response protocols to ensure rapid recovery from cyber events. 

  7. Continuous Monitoring: Leverage SIEM tools and log analysis to detect and respond to anomalies in real-time. 

The Path Forward 

Ukraine’s annual cyberthreat landscape report 2024 shows the dynamic and persistent nature of cyberthreats that the country is facing. The integration of advanced technologies and proactive collaboration with international allies has significantly enhanced the nation’s cyber defense capabilities. However, the evolving tactics of adversaries demand an equally adaptive and forward-looking approach. 

As Ukraine continues to navigate its geopolitical challenges, the role of cybersecurity in safeguarding national sovereignty and infrastructure remains paramount. By fostering a culture of resilience and collaboration, Ukraine is setting an example for global cybersecurity efforts, proving that even under relentless attack, robust defenses can prevail. 

References: 

https://scpc.gov.ua/api/files/72e13298-4d02-40bf-b436-46d927c88006
https://www.cip.gov.ua/ua/news/sistema-viyavlennya-vrazlivostei-i-reaguvannya-na-kiberincidenti-ta-kiberataki-dckz-dopomogla-viyaviti-ta-opracyuvati-1042-kiberincidenti-u-2024-roci

The post Government Sector Bears the Brunt of Cyberattacks in Ukraine: Report  appeared first on Cyble.

Blog – Cyble – ​Read More

ICS Vulnerability Report: Hitachi Energy Network Management Flaw Scores a Perfect 10

/in

Cybe Inc | ics-vulnerability

Overview 

Critical vulnerabilities in Hitachi Energy UNEM Network Management Systems were among the highlights in Cyble’s weekly Industrial Control System (ICS) Vulnerability Intelligence Report, which also examined flaws in products from Delta Electronics, Schneider Electric and other ICS vendors. 

Cyble Research & Intelligence Labs (CRIL) examined 16 vulnerabilities in the report for clients – half of which affect Hitachi Energy FOXMAN-UN products – based on ICS alerts by the Cybersecurity and Infrastructure Security Agency (CISA) between January 8-14. 

Of the 16 vulnerabilities, two are critical, nine are high severity, and five are medium severity. They span Communication, Critical Manufacturing, Chemical, Energy, Wastewater Systems and Commercial Facilities, and could lead to operational disruption, data compromise, and unauthorized access or exploitation of key functionality in power supply systems, which are foundational to numerous industries. 

Hitachi Energy Vulnerabilities 

The Hitachi Energy vulnerabilities include improper authentication, buffer overflow, excessive authentication attempts, hard-coded passwords, and cleartext storage of sensitive information, underscoring the systems’ complexity and potential attack surfaces. 

CVE-2024-2013, a 10.0-severity authentication bypass vulnerability in FOXMAN-UN, UNEM servers and API Gateways, could allow attackers without credentials to access the services and the post-authentication attack surface. 

CVE-2024-2012, a 9.8-severity authentication bypass vulnerability in the network management products, could allow attackers to execute commands or code on UNEM servers, potentially allowing sensitive data to be accessed or changed. 

The vulnerabilities were first reported in June 2024, but were the subject of a CISA advisory this week that cited the vulnerabilities’ low complexity and ability to be exploited remotely. CISA also cited six additional Hitachi Energy vulnerabilities, with CVSS v3 scores ranging from 4.1 to 8.6. 

While some of the affected products can be patched with updates, Hitachi Energy notes that UNEM R16A and UNEM R15A are end of life (EOL) and recommends that users upgrade to UNEM R16B PC4 or R15B PC5 in addition to applying recommended mitigations. 

Schneider Electric and Delta Electronics Vulnerabilities 

Schneider Electric’s vulnerabilities, primarily in HMI and control system software, highlight the challenges in securing operational technology (OT) interfaces.  

CVE-2024-11999 is an 8.7-rated Use of Unmaintained Third-Party Components vulnerability in Harmony HMI and Pro-face HMI automation components that could allow complete control of the device if an authenticated user installs malicious code into the HMI product. 

CVE-2024-10511 is an Improper Authentication vulnerability in PowerChute Serial Shutdown UPS management software. 

CVE-2024-8306 is an Improper Privilege Management vulnerability in Vijeo Designer HMI Configuration Software that could allow unauthorized access when non-admin authenticated users try to perform privilege escalation by tampering with the binaries. 

CVE-2024-8401is a Cross-site Scripting (XSS) vulnerability in EcoStruxure power monitoring and operation products. 

The three Delta Electronics vulnerabilities are all high-severity Remote Code Execution flaws tied to its DRASimuCAD design software: CVE-2024-12834, CVE-2024-12835 and CVE-2024-12836

Recommendations for Mitigating ICS Vulnerabilities  

Cyble recommended a number of controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include: 

  1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA. A risk-based approach to vulnerability management is recommended, with the goal of reducing the risk of exploitation. 

  1. Implementing a Zero-Trust Policy to minimize exposure and ensuring that all internal and external network traffic is scrutinized and validated. 

  1. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency. 

  1. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets. 

  1. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors

  1. Establishing and maintaining an incident response plan, and ensuring that the plan is tested and updated regularly to adapt to the latest threats. 

  1. Ongoing cybersecurity training programs should be mandatory for all employees, especially those working with Operational Technology (OT) systems. Training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations. 

Conclusion 

Industrial Control Systems (ICS) vulnerabilities can threaten critical infrastructure environments, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls can limit risk. 

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape. 

The post ICS Vulnerability Report: Hitachi Energy Network Management Flaw Scores a Perfect 10 appeared first on Cyble.

Blog – Cyble – ​Read More

New gadgets unveiled at CES 2025, and their impact on security | Kaspersky official blog

/in

One of the world’s premier tech events traditionally takes place every year in Las Vegas in early January. Sure, the Consumer Electronics Show (CES) pays attention to cybersecurity, but by no means is it top of the agenda. Looking for a giant monitor or AI washing machine? You’re in luck! Smart home protection against hackers? Might have to shop around a bit…

We’ve picked out the top trending announcements at CES 2025, with a focus on what new cyberthreats to expect as the latest innovations hit the shelves.

NVIDIA Project DIGITS: your own mini supercomputer for running AI locally

NVIDIA founder Jensen Huang unveiled the company’s Mac-Mini-sized supercomputer to CES visitors. Powered by the GB10 Grace Blackwell “superchip” with a minimum 128 GB of memory, the device is capable of running large language models (LLMs) with 200 billion parameters. Connect two such computers, and you can run even larger models with up to 400 billion parameters! However, the US$3000 price tag will limit the buyer audience.

Cybersecurity aspect: running LLMs locally stops confidential information from leaking to OpenAI, Google Cloud, and other such services. Until now, this wasn’t very practical: on offer were either greatly simplified models that struggled to run on gaming computers, or solutions deployed on powerful servers in private clouds. “NVIDIA Project DIGITS” now made it easier for both small companies and wealthy hobbyists to run powerful local LLMs.

The GB10 Grace Blackwell superchip, 128 GB of RAM, and 4 TB of SSD storage make this NVIDIA offer a decent platform for a local neural network.

The GB10 Grace Blackwell superchip, 128 GB of RAM, and 4 TB of SSD storage make this NVIDIA offer a decent platform for a local neural network. Source

Roborock Saros Z70: a “handy” vacuum cleaner

The inability of robot vacuum cleaners to cope with stairs and other obstacles, including things lying around, greatly limits their usefulness. Roborock’s new model solves the latter issue with an extensible arm that picks up small and light objects from the floor.

Cybersecurity aspect: the Saros Z70’s object-rearranging ability is very limited, and Roborock has not been involved in any major cybersecurity scandals. So we’re unlikely to see any game-changing risks compared to existing vacuum cleaners. But later models or competitors’ products can theoretically be used in cyberphysical attacks such as burglary. For instance, researchers recently showed how to hack Ecovacs robot vacuums.

But the Saros Z70 is notable for more than just its mechanical hand. Another of its officially announced features is video surveillance. The vendor claims that camera footage never leaves the device, but we’ll believe that when we see it. After all, you’ll probably at least need a separate device to view the footage. The StarSight 2.0 system, due with a later software update, will let you train the robot to recognize specific household objects (for example, favorite toys) so that it can show where it last saw them on a map of your home. As to whether this handy feature works entirely on the device — or data about things in your home gets fed to the cloud — press releases are maintaining a tactful silence.

The Roborock Saros Z70 can lift and carry objects weighing up to 300 grams.

The Roborock Saros Z70 can lift and carry objects weighing up to 300 grams. Source

Bosch Revol: preying on parental fear

How did a baby rocker manage to take home the “Least private” mock award for gadgets at CES 2025, as judged by Electronic Frontier Foundation and iFixIt? The Bosch Revol Smart Crib not only automatically rocks the crib, but continuously collects video and audio data, while simultaneously scanning the baby’s pulse and breathing rate using millimeter-wave radar. It also monitors temperature, humidity and fine-particle pollution levels. The camera is equipped with object recognition to detect toys, blankets and other potentially dangerous objects near the infant’s face. All data is instantly streamed to a parental smartphone and to the cloud, where it remains.

Cybersecurity aspect: other vendors’ video baby monitors have been dogged by scandals, and hacked to conduct nasty pranks and spy on parents. In the case of the Revol, not only video, but medical data could end up in cybercriminal hands. When it comes to child and health-related tech, a cloud-free setup as part of a well-protected smart home is the way to go.

TP-Link Tapo DL130: in the same vein?

Among the many smart locks unveiled at CES 2025, it was TP-Link’s model that stood out for a feature that’s still quite rare — biometrics based not only on face/fingerprint recognition, but also on palm veins matching. Simply wave your hand in front of the sensor, and the system will identify you as the owner with high accuracy. Unlike more common biometric factors, this method doesn’t depend on lighting conditions, and works well even with wet and dirty hands. Plus, it’s more difficult to fake.

Cybersecurity aspect: smart locks can be integrated into your home network and interact with your smart home (such as Alexa or Google Home), which creates a wide cyberattack surface. Given the numerous critical vulnerabilities in other TP-Link equipment, there’s a risk that flaws in smart locks will allow attackers to open them in unconventional ways.

Security researchers are sure to put TP-Link's smart lock under the microscope once it goes on sale.

Security researchers are sure to put TP-Link’s smart lock under the microscope once it goes on sale. Source

Google Home + Matter: a cloud-free sky home

A major update to Google’s smart home hubs means they can now control curtains, sockets, light bulbs and other devices via the Matter protocol without connecting to a cloud server. At the heart of your smart home can be a Google Nest — an Android 14 smart TV or even a Chromecast device. Tell Google Assistant to “switch on the bedroom light”, and the command will be carried out even without an internet connection, and with minimal delay.

If a staunch advocate of a cloud-based future like Google has implemented such offline scenarios, the demand for such functionality must be huge.

Cybersecurity aspect: local control of your smart home reduces the risk of compromise and improves privacy — less data about what goes on in your home will leak to equipment vendors.

Halliday Glasses: improve your AI-sight

We chose Halliday AR glasses for the innovative image projection system that makes them lighter and more compact — though our takeaways also apply to dozens of other smart glasses presented at CES 2025. While some models address a simple and specific issue — such as combining glasses with a hearing aid or serving as a near-eye display for computer users on board a plane — quite a few of them come equipped with an AI assistant, camera, ChatGPT integration, and other features that potentially can be used to spy on you. They’re used for live translation, teleprompting and other productivity-boosting tasks.

Cybersecurity aspect: all AI features involve shifting large amounts of data to the makers’ servers for processing, so local AI in glasses is still a long way off. But unlike with computers and smartphones, the voices, photos and videos of all those around you will be included in the information flow generated by the glasses. From an ethical or legal standpoint, wearers of such glasses may have to continuously ask permission from everyone around to record them. And those who don’t want to pose for Sam Altman should look out for wearers of smart glasses among their peers.

Sony Honda AFEELA: I feel it’s going to be driving by subscription

This luxury electric car from two Japanese giants is available to preorder — but only to California residents and with rollout scheduled for 2026 or later. Nevertheless, the Japanese vision could become the envy even of Google: the price of the vehicle includes a “complimentary three-year subscription” to a variety of in-car features, including Level 2+ ADAS driver-assist and an AI-powered personal assistant, and a choice of interactive car design and entertainment features such as augmented reality and “virtual worlds”.

At the CES 2025 demonstration, the car was summoned onstage by the voice command “Come on out, Afeela” — but it remains unclear whether this handy feature will be available to drivers.

Cybersecurity aspect: we’ve spotlighted the risks and vulnerabilities of “connected” cars many times. Whether manufacturers will be able to keep the security bar high, not only for vehicles, but also for telematics systems (especially critical if smart driving becomes subscription-based), is a big question for the future. Those who don’t like the idea of their car suddenly turning into an iron pumpkin pending a software update or after a cyberattack are advised to refrain from splashing out… at least for another decade or so.

BenjiLock: a biometric padlock

Now you can lock up your bike (or barn or whatever) without memorizing a code or carrying around a key. As the name suggests, the BenjiLock Outdoor Fingerprint Padlock is a padlock that stores and recognizes fingerprints — up to ten of them. No smartphone or Wi-Fi required, all the magic happens inside the lock itself. The device is resistant to both moisture and dust, and (according to the manufacturer) works on one charge for up to a year.

Cybersecurity aspect: only real-world tests can prove resistance to old-school lock picking and inexpensive fingerprint faking. Smart locks are often vulnerable to both.

Kaspersky official blog – ​Read More

Malware Trends Overview Report: 2024

/in

2024 has been an eventful year in the world of cybersecurity, with new trends emerging and malware families evolving at an alarming rate. Our analysis highlights the most prevalent malware families, types, and TTPs of the year, giving you a snapshot of the changing threat landscape. 

The number of sandbox sessions in ANY.RUN has grown by 33% in 2024

This report is based on the analysis of 4,001,036 public sessions conducted by ANY.RUN’s community inside the Interactive Sandbox over the last 12 months, which is 1 million more than the 2,991,551 sessions in 2023. Of these, 790,549 were tagged as malicious and 211,517 as suspicious, reflecting a rise in suspicious activity compared to the 148,124 suspicious sessions identified in 2023. 

ANY.RUN identified an astonishing 1,872,273,168 IOCs in 2024—nearly three times more than the 640,158,713 IOCs uncovered in 2023. This sharp growth highlights not only the expanding use of the platform but also the improved threat coverage and detection capabilities of ANY.RUN

Top Malware Types in 2024 

In 2024, Stealers dominated with 51,291 detections, marking a significant rise compared to 2023, when they were in second place with just 18,290 detections. This highlights their growing popularity among attackers for data theft. 

Loaders moved to second place in 2024 with 28,754 detections, a slight increase from their leading position in 2023, where they accounted for 24,136 detections. Despite the shift, Loaders remain a critical component in delivering malware payloads. 

RATs (Remote Access Trojans) maintained their third position but saw an increase from 17,431 detections in 2023 to 24,430 detections in 2024, reflecting their continued importance in providing attackers remote control over compromised systems. 

Stealers made a jump from the second spot in 2023 to being the most common malware type in 2024
# Type Detections
1 Stealer 51,291
2 Loader 28,754
3 RAT 24,430
4 Ransomware 21,434
5 Keylogger 8,119
6 Trojan 6,156
7 Miner 5,803
8 Adware 4,591
9 Exploit 4,271
10 Backdoor 2,808

To collect fresh threat intelligence on emerging cyber threats, make sure to use TI Lookup, a service that lets you search ANY.RUN’s vast database of the latest threat data.

Search results in TI Lookup for RAT malware targeting users in Colombia

It features over 40 search parameters, including IPs, mutexes, and even YARA rules, allowing you to pin the tiniest artifacts to specific malware and phishing attacks and enrich your TI with additional context and actionable indicators.

Learn more about Threat Intelligence Lookup →


Enrich your threat knowledge with TI Lookup

Enrich your threat knowledge with TI Lookup

Learn about TI Lookup and its capabilities to see how it can contribute to your company’s security


Explore more


Top Malware Families in 2024 

In 2024, Lumma Stealer jumped straight to the top with 12,655 detections, taking over the ranking from nowhere as it wasn’t seen in the 2023 report. Its rapid rise shows how quickly cybercriminals have adopted it. 

Agent Tesla moved up to second place in 2024 with 8,443 detections, compared to 4,215 detections in 2023 when it was in third place. Its continued presence shows it remains a go-to choice for attackers. 

AsyncRAT claimed third place in 2024 with 8,257 detections, while in 2023, Redline was the most popular malware family with 9,205 detections, and Remcos followed with 4,407 detections. 

Lumma dominated the threat landscape in 2024
# Name Detections
1 Lumma 12,655
2 Agent Tesla 8,443
3 AsyncRAT 8,257
4 Remcos 8,004
5 Stealc 7,653
6 Xworm 7,237
7 Redline 7,189
8 Amadey 5,902
9 Snake 4,304
10 njRAT 3,522

With TI Lookup, you can track all of these and other malware families and stay updated on their evolving infrastructure. Here is an example of a request to TI Lookup to find Lumma domains:

threatName:”lumma” AND domainName:””
TI Lookup can provide you with auto updates on specific queries

The service provides a list of relevant domain names used by the malware. Many of them are marked with the malconf tag, indicating that these domains were extracted from Lumma samples’ configurations.

Get 50 free search requests to test TI Lookup 



Contact us


Top MITRE ATT&CK Techniques in 2024 

The MITRE ATT&CK framework is a globally recognized resource that breaks down how attackers operate, mapping their tactics and techniques into clear categories. It’s an invaluable tool for cybersecurity professionals to understand and respond to threats effectively. 

2024 results show an increase in the abuse of PowerShell by attackers

In 2024, ANY.RUN recorded over 1.4 million matches to ATT&CK techniques, a noticeable increase from 1.2 million matches in 2023.  

The rankings saw some significant changes: Masquerading (T1036.005), the top technique in 2023 with 486,058 matches, was overtaken in 2024 by PowerShell (T1059.001) and CMD (T1059.003), which led the list with 162,814 and 148,443 matches, respectively. 

In 2024, new techniques appeared that were absent in 2023, including Python scripting (T1059.004) with 50,002 matches, System Checks for Sandbox Evasion (T1497.001) with 47,630 matches, and Linux Permissions Modification (T1222.002) with 38,760 matches. 

Rank  Technique ID  Technique Name  Detections
T1059.001  Command and Scripting Interpreter: PowerShell  162,814
T1059.003  Command and Scripting Interpreter: Windows CMD  148,443 
T1497.003  Virtualization/Sandbox Evasion: Time-Based  134,260 
T1036.003  Masquerading: Rename System Utilities  126,008 
T1562.002  Impair Defenses: Disable Antivirus Tools  122,256 
T1218.011  System Binary Proxy Execution: Rundll32  86,760 
T1114.001  Email Collection: Local Email Collection  85,546 
T1547.001  Boot or Logon Autostart Execution: Registry Run Keys  73,842 
T1053.005  Scheduled Task/Job: Scheduled Task  68,423 
10  T1569.002  System Services: Service Execution  51,345 
11  T1059.004  Command and Scripting Interpreter: Python  50,002 
12  T1036.005  Masquerading: Match Legitimate Name or Location  49,031 
13  T1497.001  Virtualization/Sandbox Evasion: System Checks  47,630 
14  T1543.002  Create or Modify System Process: Windows Service  39,231 
15  T1053.006  Scheduled Task/Job: Cron  39,228 
16  T1222.002  File and Directory Permissions Modification: Linux  38,760 
17  T1566.002  Phishing: Spearphishing Link  35,272 
18  T1059.005  Command and Scripting Interpreter: Visual Basic  27,213 
19  T1562.001  Impair Defenses: Disable or Modify Tools  24,133 
20  T1222.001  File and Directory Permissions Modification: Windows  19,275 

Top TTPs highlights: 

  • Scripting Dominance (T1059.001 & T1059.003): 
    PowerShell and Windows CMD remain the top tools for attackers, with over 310,000 detections combined. Their flexibility and integration with systems make them ideal for executing malicious commands. Monitoring script activity and implementing strict execution policies are critical defenses. 
  • Evasion Tactics on the Rise (T1497.003 & T1036.003): 
    Sandbox evasion through time-based delays (134,260 detections) and masquerading via renamed system utilities (126,008 detections) highlight attackers’ focus on stealth. Behavioral analysis and anomaly detection can help counter these techniques. 
  • Targeting Defenses (T1562.002): 
    Disabling antivirus tools was detected 122,256 times in 2024, showcasing its effectiveness for attackers. Organizations must invest in layered defenses that can identify and respond to tampering attempts in real-time. 
  • Exploiting System Services (T1569.002 & T1218.011): 
    Adversaries frequently used system services like Rundll32 (86,760 detections) and service execution (51,345 detections) to execute malicious code while blending into normal operations.  
  • Phishing and Email Collection (T1114.001 & T1566.002): 
    Techniques like local email collection (85,546 detections) and spearphishing links (35,272 detections) remained effective, especially in targeted attacks. Robust email filtering and user training remain vital for reducing these risks. 

Report Methodology 

This report is built on insights from 4,001,036 tasks submitted to our public threat database in 2024. Each task represents the hard work and curiosity of our community of researchers, who used ANY.RUN to uncover threats and analyze malware.  

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s products →

The post Malware Trends Overview Report: 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Legitimate Chrome extensions are stealing Facebook passwords

/in

Right after Christmas, news broke of a multi-stage attack targeting developers of popular Chrome extensions. Ironically, the biggest-name target was a cybersecurity extension created by Cyberhaven — compromised just before the holidays (we’d previously warned about such risks). As the incident investigation unfolded, the list grew to include no fewer than 35 popular extensions, with a combined total of 2.5 million installations. The attackers’ goal was to steal data from the browsers of users who installed trojanized updates of these extensions. The focus of the campaign was on stealing credentials for Meta services to compromise business accounts and display ads at victims’ expense. However, that’s not the only data that malicious extensions can steal from browsers. We explain how the attack works, and what measures you can take to protect yourself against it at different stages.

Attacking developers: OAuth abuse

To inject trojan functionality into popular Chrome extensions, cybercriminals have developed an original phishing scheme. They send developers emails disguised as standard Google alerts claiming that their extension violates Chrome Web Store policies and needs a new description. The text and layout of the message mimic typical Google emails, so the victim is often convinced. Moreover, the email is often sent from a domain set up to attack a specific extension and containing the name of the extension in the actual domain name.

Clicking the link in the email takes the user to a legitimate Google authentication page. After that, the developer sees another standard Google screen prompting to sign in via OAuth to an app called “Privacy Policy Extension”, and to grant certain permissions to it as part of the authentication process. This standard procedure takes place on legitimate Google pages, except that the “Privacy Policy Extension” app requests permission to publish other extensions to the Chrome Web Store. If this permission is granted, the creators of “Privacy Policy Extension” are able to publish updates to the Chrome Web Store on behalf of the victim.

In this case, there’s no need for the attackers to steal the developer’s password or other credentials, or to bypass multi-factor authentication (MFA). They simply abuse Google’s system for granting permissions to trick developers into authorizing the publication of updates to their extensions. Judging by the long list of domains registered by the attackers, they attempted to attack far more than 35 extensions. In cases where the attack was successful, they released an updated version of the extension, adding two files for stealing Facebook cookies and other data (worker.js and content.js).

Attacking users

Chrome extensions typically receive updates automatically, so users who switched on their machines between December 25 and December 31, and opened Chrome, may have received an infected update of a previously installed extension.

In this event, a malicious script runs in the victim’s browser and sends data needed for compromising Facebook business accounts to the attackers’ server. In addition to Facebook identifiers and cookies, the malware steals information required to log in to the target’s advertising account, such as the user-agent data to identify the user’s browser. On facebook.com, even mouse-click data is intercepted to help the threat actors bypass CAPTCHA and two-factor authentication (2FA). If the victim manages ads for their company or private business on Meta, the cybercriminals get to spend their advertising budget on their own ads — typically promoting scams and malicious sites (malvertising). On top of the direct financial losses, the targeted organization faces legal and reputational risks, as the fake ads are published under its name.

The malware can conceivably steal data from other sites too, so it’s worth checking your browser even if you don’t manage Facebook ads for a company.

What to do if you installed an infected extension update

To stop the theft of information from your browser, the first thing you need to do is to uninstall the compromised extension or update it to a patched version. See here for a list of all known infected extensions with their current remediation status. Unfortunately, simply uninstalling or updating the infected extension is not enough. You should also reset any passwords and API keys that were stored in the browser or used during the incident period.

Then, check the available logs for signs of communication with the attackers’ servers. IoCs are available here and here. If communication with malicious servers was made, look for traces of unauthorized access in all services that were opened in the infected browser.

After that, if Meta or any other advertising accounts were accessed from the infected browser, manually check all running ads, and stop any unauthorized advertising activity you find. Lastly, deactivate any compromised Facebook account sessions on all devices (Log out all other devices), clear the browser cache and cookies, log in to Facebook again, and change the account password.

Incident takeaways

This incident is another example of supply-chain attacks. In the case of Chrome, it’s made worse by the fact that updates are installed automatically without notifying the user. While updates are usually a good thing, here the auto-update mechanism allowed malicious extensions to spread quickly. To mitigate the risks of this scenario, companies are advised to do the following:

  • Use group policies or the Google Admin console to restrict the installation of browser extensions to a trusted list;
  • Create a list of trusted extensions based on business needs and information security practices used by the developers of said extensions;
  • Apply version pinning to disable automatic extension updates. At the same time, it’ll be necessary to put in place a procedure for update monitoring and centralized updating of approved extensions by administrators;
  • Install an EDR solution on all devices in your organization to protect against malware and monitor suspicious events.

Companies that publish software, including web extensions, need to ensure that permission to publish is granted to the minimum number of employees necessary — ideally from a privileged workstation with additional layers of protection, including MFA and tightly configured application launch control and website access. Employees authorized to publish need to undergo regular information security training, and be familiar with the latest attacker tactics, including spear phishing.

Kaspersky official blog – ​Read More

YARA Rules: Cyber Threat Detection Tool for Modern Cybersecurity

/in

Every ticking second is a chance for cyber threats to creep in. 

For businesses, the stakes couldn’t be higher. One malicious email opened by an employee, and the malware can spread across office computers faster than mushrooms after rain. The consequences? Lost data, financial damage, and a hit to your company’s reputation. 

To stop these threats before they cause harm, businesses need to stay prepared. 

This is where YARA rules come in. They help cybersecurity teams to detect potential threats, simplify the process, and deliver clear, actionable insights to fight back against potential dangers. 

In this article, we’ll dive into the crucial role of YARA rules, how they work, and how their integration into ANY.RUN’s sandbox helps teams to detect and handle cyber threats with confidence and efficiency. 

What Are YARA Rules?

Just as a lighthouse guides sailors safely past hidden rocks and treacherous waters, YARA rules guide cybersecurity professionals by identifying malicious patterns and offering a clear signal amidst the noise of potential threats. 

YARA, funnily enough, stands for Yet Another Ridiculous Acronym. However, its actions are far more serious than its name suggests. YARA rules play a critical role in cybersecurity, helping professionals identify and classify malware by matching patterns in files, processes, or even memory. 

At its core, YARA is a rule-based system that scans for specific characteristics, like unique strings or byte sequences, that are commonly found in malicious software. Think of it as a highly specialized filter that can sift through data to pinpoint potential threats with precision and speed. 

How YARA Helps Organizations Detect Cyber Threats 

YARA simplifies threat detection by identifying malicious patterns in files, processes, and memory with precision. It automates the scanning process, reducing the need for manual analysis and speeding up response times.  

The beauty of YARA lies in its adaptability. Organizations can customize rules to target specific threats or emerging malware families, ensuring their defenses evolve alongside the threat landscape.  

Combined with the real-time capabilities of ANY.RUN’s sandbox, this framework not only detects threats but also helps businesses understand their behavior, enabling them to mitigate risks before serious damage occurs. 

Main benefits of YARA rules in organizations: 

  • Quickly identify threats, reducing the time spent on manual analysis. 
  • Tailored to detect specific malware families or new attack patterns. 
  • Minimize false positives and improve detection accuracy. 
  • Streamline the scanning process, saving resources and improving efficiency. 
  • Reduce the financial impact of cybersecurity breaches by catching threats early. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis


Read full guide


How does YARA work? 

YARA operates as a powerful pattern-matching tool that scans files, processes, or memory dumps for specific characteristics. At its core, it relies on rules, predefined sets of instructions that describe what YARA should look for and under what conditions it should flag something as suspicious. 

Here’s how the main process works: 

  1. Creating rules: The first step in using YARA is to create a rule. A rule defines the patterns or conditions YARA will look for in the data.  
  2. Scanning the target: Once the rules are defined, YARA scans the target data, this could be a file, a process, or even a memory dump. During the scan, YARA compares the data against the strings and conditions outlined in the rules. 
  3. Matching patterns: If YARA identifies patterns in the data that match those defined in the rule, it triggers a match. For example, if a rule is designed to detect ransomware, it might flag a file containing encryption-related commands or unique file headers used by ransomware families. 
  4. Flagging threats: When a match occurs, YARA provides a detailed report of the findings. This includes information about the matched rule, the specific patterns detected, and where they were found in the data. 
  5. Providing insights: The output from YARA gives cybersecurity teams actionable insights. These insights help analysts decide whether the flagged file or process is malicious and what steps to take next. 

YARA Elements You Should Know

YARA rules are made up of several essential components, each playing a critical role in detecting and classifying malware. To better understand how YARA works, let’s break down its key elements and examine an example. 

Meta section 

The meta section provides descriptive information about the rule. This includes details like the author, creation date, a brief description of the rule’s purpose, and additional contextual data. While it doesn’t affect the execution of the rule, it helps organize and document it for future use. 

Strings section

This section contains the patterns the rule will search for in files or processes. These patterns can include: 

  • Text strings: Words or phrases often found in malicious code. 
  • Hexadecimal sequences: Byte-level patterns unique to malware. 
  • Regular expressions: For advanced matching of dynamic content. 

Condition section 

The condition section defines the logic that determines when the rule will trigger. It specifies the criteria for matching patterns, such as requiring a minimum number of matches from the strings section or looking for specific file characteristics. 

Real-World Example of YARA Rule 

Below is an example of a YARA rule created to detect the Sakula malware family. It shows how each element works together to flag potential threats: 

rule Sakula {    
   meta:        
   author = "ANY.RUN"        
   date = "2024-12-11"        
   description = "Detects Sakula samples"        
   family = "Sakula"        
   sample1= "https://app.susp.io/tasks/3c4f4b5e-7254-4fb4-a31e-4617b03110b1"        
   sample2= "https://app.susp.io/tasks/5722f2e3-64fc-49a4-beac-600c992ab765"        
   hash1 = "5de4e79682120f5b115eea30ce2da200df380f6256f03e38d3692a785f06fd64"    
   hash2 = "a9430482e5695c679f391429c7f7a6d773985f388057e856d50a54d1b19f463b"    
strings:        
   $s1 = "%d_of_%d_for_%s_on_%s"        
   $s2 = "/c ping 127.0.0.1 & del "%s""        
   $s3 = "/c ping 127.0.0.1 & del /q "%s""        
   $s4 = "cmd.exe /c rundll32 "%s""        
   $s5 = "I'm a virus. My name is sola" ascii        
   $s6 = "Local\SM0:%d:%d:%hs" wide        
   $s7 = "Vxzruua/5.0" ascii        
   $s8 = "MicroPlayerUpdate.exe" ascii         
   $s9 = "CCPUpdate" ascii        
   $s10 = "Self Process Id:%d" ascii        
   $op1 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }        
   $op2 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF }    
condition:        
   uint16(0) == 0x5a4d and        
   (4 of ($s*) or         
   any of ($op*))}

Let’s highlight some of the key elements in this rule:

Meta

  • author = “ANY.RUN”: Indicates the creator of the rule. 
  • date = “2024-12-11”: Specifies when the rule was written, useful for tracking its relevance. 
  • description = “Detects Sakula samples”: Explains the rule’s purpose—targeting Sakula malware. 
  • family = “Sakula”: Categorizes the malware family the rule focuses on. 
  • sample1, sample2: Links to Sakula malware samples used for testing and refining the rule. 
  • hash1, hash2: Cryptographic hashes uniquely identifying the malware samples analyzed.

Strings

  • $s6 = “Local\SM0:%d:%d:%hs” wide
    This is a wide string (Unicode) that includes placeholders for integers (%d) and a short string (%hs).
  • $op1 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 }
    This is a hexadecimal byte sequence that represents a specific operation or function in the malware.

Condition

  • uint16(0) == 0x5a4d:
    This condition checks if the first two bytes of the file are 0x5a4d, which is the signature for a Windows PE (Portable Executable) file.
  • (4 of ($s) or any of ($op))**:
    This condition checks if at least 4 of the strings ($s1 to $s9) are found in the file, or if any of the hexadecimal byte sequences ($op1 or $op2) are found in the file.  

See YARA in Action 

To better understand how this YARA rule detects Sakula malware, you can observe its behavior in real time using ANY.RUN’s Interactive Sandbox.

View analysis session 

Sakula malware detected by YARA inside ANY.RUN sandbox

This analysis session showcases the malware’s activity and how the rule effectively identifies its patterns.  

Analyze malware and phishing
with ANY.RUN’s Interactive Sandbox 



Sign up free


ANY.RUN’s interactive sandbox is a dynamic environment where cybersecurity teams can analyze files and observe their behavior in real time. Unlike traditional sandboxes, ANY.RUN lets users interact with the malware, providing deeper insights and faster results. 

YARA is an inseparable part of this process. By integrating YARA rules into the sandbox, ANY.RUN identifies malicious patterns in files and processes with precision and speed. 

ANY.RUN experts are constantly adding new YARA rules to the core of our malware sandbox, making the analysis process faster and saving security teams loads of time.  

You can easily upload any suspicious file or link into the sandbox, and during the analysis, YARA rules will kick in. If there’s malware hiding in your file or link, the sandbox will spot it for you. 

For example, after analyzing the following sample in the ANY.RUN sandbox, the process fgfkjsh.exe was flagged as malicious with the “MassLogger” tag.

Malicious file detected by ANY.RUN sandbox 

By clicking on the process located on the right side of the screen, the sandbox displays the message “MASSLOGGER has been detected (YARA).” 

Masslogger has been detected by YARA rule

But note that YARA isn’t working alone: ANY.RUN’s sandbox also uses Suricata rules to make detections even sharper.  

Discover more about Suricata rules and how they complement YARA in this detailed article: Detection with Suricata IDS 

YARA Search in TI Lookup 

YARA rules aren’t just limited to the sandbox: they’re also available in ANY.RUN’s Threat Intelligence (TI) Lookup. This tool lets you search a massive database of malware artifacts using YARA rules, helping you find connections between known threats and your own files. 

It’s perfect for teams handling big datasets or looking to spot trends in cyber threats. By combining YARA’s precision with the power of the sandbox and TI Lookup, ANY.RUN gives businesses a complete solution to fight back the evolving threats. 

Check out this video on YARA Search in TI Lookup.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post YARA Rules: Cyber Threat Detection Tool for Modern Cybersecurity appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More