Cyber Security Agency of Singapore Warns of Exploited Apache Vulnerabilities in 2024

Cyble | CVE-2024-43441

Overview 

The Cyber Security Agency of Singapore (CSA) has alerted users to multiple vulnerabilities in Apache software. According to the alert, three Apache vulnerabilities have been reported: CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046. In late 2024, the Apache Software Foundation released security updates for several of its widely used products to address these critical vulnerabilities.  

These vulnerabilities, identified as CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046, affect Apache HugeGraph, Apache Traffic Control, and Apache MINA. Exploitation of these vulnerabilities could lead to severe security risks, including remote code execution (RCE), authentication bypasses, and SQL injection attacks. 

Details of the Apache Vulnerabilities 

Here are the vulnerabilities identified in the Apache software:  

CVE-2024-43441: Authentication Bypass in Apache HugeGraph 

The first critical vulnerability, CVE-2024-43441, impacts Apache HugeGraph-Server, a graph database server. This flaw allows an attacker to bypass existing authentication mechanisms in versions prior to 1.5.0. Apache HugeGraph, which is used for managing and querying large-scale graph data, could become an easy target for attackers if this vulnerability is exploited. 

By bypassing authentication, an attacker could gain unauthorized access to sensitive data or modify the server’s configuration, potentially disrupting the services relying on HugeGraph. Users and administrators are urged to update to version 1.5.0 or higher to mitigate the risk posed by this vulnerability. 

CVE-2024-45387: SQL Injection in Apache Traffic Control 

Another vulnerability, CVE-2024-45387, affects Apache Traffic Control, a tool used for managing content delivery networks (CDNs). This vulnerability exists in the Traffic Ops component of Apache Traffic Control, which is responsible for the management and optimization of traffic routing across CDN servers. The flaw allows attackers to perform SQL injection attacks in versions 8.0.0 to 8.0.1. 

SQL injection is one of the most well-known forms of attack, allowing attackers to manipulate database queries by inserting malicious SQL code. If successfully exploited, this vulnerability could allow an attacker to gain access to or manipulate the underlying database of an organization’s CDN, potentially compromising sensitive information or altering configurations. Users of affected versions are strongly advised to upgrade to later versions as soon as possible to patch this vulnerability. 
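The paragraph above describes the vulnerability class without showing it. The following is an added illustration, not code from Apache Traffic Control or Traffic Ops: a lookup written the injectable way beside the same lookup with a bound parameter. The table and column names (cdn_server, host_name, ip_address) are assumptions; any JDBC Connection can be passed in.

```java
// Added example of the SQL injection pattern, not Traffic Ops code.
// Table/column names are hypothetical.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public final class ServerLookup {

    // VULNERABLE: the caller-supplied hostname is spliced into the SQL text.
    // A value containing a single quote terminates the string literal, so the
    // rest of the value is parsed as SQL instead of being compared as data.
    static String findServerVulnerable(Connection conn, String hostname) throws SQLException {
        String sql = "SELECT ip_address FROM cdn_server WHERE host_name = '" + hostname + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // HARDENED: the query text is fixed; the value is bound as a parameter and
    // the driver transmits it separately, so it can only ever be compared.
    static String findServerSafe(Connection conn, String hostname) throws SQLException {
        String sql = "SELECT ip_address FROM cdn_server WHERE host_name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, hostname);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Defence in depth for the hardened path: reject values that cannot be a
    // hostname at all, so malformed input never reaches the database.
    static boolean looksLikeHostname(String value) {
        return value != null
                && value.length() <= 253
                && value.matches("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*");
    }
}
```

When reviewing a code base for this pattern, search for string concatenation or format calls that build SQL from request parameters; every such site should become a prepared statement, and input validation is an addition to that, not a substitute for it.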

CVE-2024-52046: Remote Code Execution in Apache MINA 

Perhaps the most critical of the three vulnerabilities, CVE-2024-52046, affects Apache MINA, a network application framework used to build scalable and high-performance network applications. This vulnerability is particularly severe because it allows remote code execution (RCE) attacks due to improper handling of serialized data. 

Apache MINA uses Java’s native deserialization protocol to process incoming serialized data. However, due to a lack of necessary security checks, attackers can exploit this flaw by sending specially crafted malicious serialized data, leading to RCE. This flaw affects versions of MINA core prior to 2.0.27, 2.1.10, and 2.24. 

Remote code execution is one of the most dangerous types of vulnerabilities, as it allows attackers to execute arbitrary code on the affected system, potentially leading to full system compromise. For applications using Apache MINA, it is essential to upgrade to the latest versions (2.0.27, 2.1.10, or 2.24) and, in some cases, apply additional mitigation steps.  

Users must explicitly configure the system to reject all deserialization requests unless they come from a trusted source. This additional step is necessary because simply upgrading the software will not be sufficient to fully secure the system. 

Detailed Instructions for Mitigation of CVE-2024-52046 

The CVE-2024-52046 vulnerability requires users to not only upgrade to the latest version of Apache MINA but also manually configure the deserialization process to limit which classes are accepted. The update includes three methods for controlling which classes the ObjectSerializationDecoder will accept: 

  1. ClassNameMatcher: Accept class names that match a specified pattern. 

  2. Pattern: Accept class names that match a regular expression pattern. 

  3. String Patterns: Accept class names that match a wildcard pattern. 

By default, the decoder will reject all classes unless explicitly allowed, making it critical to follow these instructions to properly secure systems that use Apache MINA. It is also important to note that certain sub-projects, such as FtpServer, SSHd, and Vysper, are not affected by this vulnerability. 
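As an added example (not code from the Cyble post or from the Apache MINA project), the following shows all three allow-list methods applied to an ObjectSerializationDecoder after upgrading to one of the fixed releases the post lists. The accept(ClassNameMatcher), accept(Pattern) and accept(String...) methods are the ones the post describes; the com.example message class names, the exact shape of the ClassNameMatcher interface, and the setMaxObjectSize call are assumptions drawn from the MINA 2.x API as I know it.

```java
// Added example: configuring the deserialization allow-list on Apache MINA's
// ObjectSerializationDecoder. Not code from the Cyble post or the MINA project.
// Message class names and the com.example package are hypothetical.
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ClassNameMatcher;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public final class HardenedObjectCodec {

    // Hypothetical application message types the server expects to receive.
    private static final Set<String> MESSAGE_CLASSES = Set.of(
            "com.example.cdn.messages.HeartbeatMessage",
            "com.example.cdn.messages.StatusMessage");

    /** Builds a decoder that accepts only explicitly listed classes. */
    static ObjectSerializationDecoder buildDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

        // 1. ClassNameMatcher: arbitrary logic, here an exact-name lookup.
        decoder.accept(new ClassNameMatcher() {
            @Override
            public boolean matches(String className) {
                return MESSAGE_CLASSES.contains(className);
            }
        });

        // 2. Pattern: a regular expression, anchored at both ends so that a
        //    class named "java.lang.StringX" would not slip through.
        decoder.accept(Pattern.compile("^java\\.lang\\.(String|Integer|Long|Boolean)$"));

        // 3. String patterns: wildcard form, convenient for a package of
        //    simple value types owned by the application.
        decoder.accept("com.example.cdn.messages.values.*");

        // Defence in depth: bound the size of any single serialized object
        // (setMaxObjectSize is assumed from the MINA 2.x decoder API).
        decoder.setMaxObjectSize(64 * 1024);
        return decoder;
    }

    /** Installs the codec; any class not matched above is rejected by default. */
    static NioSocketAcceptor buildAcceptor() {
        NioSocketAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec",
                new ProtocolCodecFilter(new ObjectSerializationEncoder(), buildDecoder()));
        return acceptor;
    }
}
```

Keep the allow-list as narrow as the application's own message types. If an integration breaks after the upgrade, the fix is to add the specific class it needs, not to accept a catch-all wildcard such as "*", which would restore the pre-patch behaviour that this CVE is about.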

Emmanuel Lécharny, a user and contributor on the Apache MINA mailing list, noted the risk of RCE attacks associated with this issue. In his post dated December 25, 2024, he stressed the importance of upgrading to the latest versions of Apache MINA and applying the necessary security settings to protect against exploitation. 

Conclusion 

To protect their infrastructure, organizations relying on Apache products must take immediate action to address these vulnerabilities. For CVE-2024-43441, updating to Apache HugeGraph-Server version 1.5.0 or later is essential to resolve the authentication bypass issue.  

Organizations should also upgrade to a version of Apache Traffic Control newer than 8.0.1 to mitigate the SQL injection vulnerability in CVE-2024-45387. For CVE-2024-52046 in Apache MINA, upgrading to the latest versions (2.0.27, 2.1.10, or 2.24) and configuring the deserialization process to restrict accepted classes is critical.  

Keeping systems up-to-date with the latest security patches and updates from the Apache Software Foundation is key to defending against active exploitation of these vulnerabilities. Proactively applying these measures will significantly reduce the risk of attacks and ensure a more secure environment. 

The post Cyber Security Agency of Singapore Warns of Exploited Apache Vulnerabilities in 2024 appeared first on Cyble.


Attack Surface Management (ASM) in 2025: Key Trends to Watch 

Cyble | Attack Surface Management

The digital world is evolving at lightning speed, and so are the challenges that come with it. For organizations today, their attack surface—the sum of all potential entry points for a cyberattack—is expanding faster than ever before. From misconfigured cloud environments to overlooked IoT devices, vulnerabilities creep around places many don’t think to check. 

In 2025, Attack Surface Management (ASM) will take center stage as organizations shift from reactive defenses to proactive strategies. ASM is no longer just a buzzword; it’s a necessity in the cybersecurity toolkit. It’s about seeing what attackers see and mitigating threats before they escalate. As organizations struggle with increasing cyber threats, understanding the trends shaping ASM is crucial to staying ahead of adversaries. 

This article delves into the pivotal ASM trends to watch in 2025 and explores how Cyble’s ASM platform is helping organizations adapt to this dynamic landscape. 

Key Trends in Attack Surface Management for 2025 

1. AI-Powered ASM Solutions 

AI and machine learning (ML) have become integral to ASM, enabling organizations to identify threats faster and more accurately. AI-driven platforms analyze vast amounts of data in real time, uncovering vulnerabilities that would be nearly impossible for human analysts to detect.  

For example, in 2024, a global financial institution used an AI-powered ASM tool to identify misconfigured cloud storage buckets. The tool flagged over 1,000 vulnerabilities within hours, preventing a potential data breach that could have exposed millions of customer records. 

In 2025, we expect AI to play an even larger role in predictive analysis, helping organizations anticipate potential attack vectors before they are exploited. 

2. Integration with Zero Trust Architectures 

Zero Trust Architecture (ZTA) is now a standard in cybersecurity frameworks. ASM platforms are being integrated into ZTA to provide a continuous monitoring loop that verifies all devices, users, and applications interacting with the network. This integration ensures that no component of the attack surface is overlooked. 

3. Focus on IoT and OT Security 

The proliferation of Internet of Things (IoT) and Operational Technology (OT) devices has dramatically expanded the attack surface. In 2025, ASM tools are focusing more on securing these devices by identifying vulnerabilities such as default credentials, unpatched firmware, and unsecured communications. 

4. Cloud-Native ASM Solutions 

With organizations increasingly relying on multi-cloud environments, cloud-native ASM solutions are gaining traction. These solutions are designed to monitor cloud assets continuously, ensuring compliance and security across hybrid and multi-cloud setups. 

For instance, a global e-commerce platform operating across AWS, Azure, and Google Cloud leveraged a cloud-native ASM tool to identify misconfigurations in its storage settings. This proactive measure protected the platform from a potential data leak involving millions of transaction records. 

5. Proactive Threat Intelligence Integration 

During a 2024 supply chain attack targeting a major software vendor, an ASM solution integrated with threat intelligence helped downstream customers identify and mitigate the vulnerabilities exploited in the attack within hours. 

ASM platforms are evolving to integrate real-time threat intelligence, providing context around vulnerabilities and enabling faster, more informed decision-making. This trend helps organizations prioritize remediation efforts based on the likelihood and potential impact of an exploit. 

6. ASM for Third-Party Risk Management 

Third-party risk has become a critical area of focus, as vendors and partners often introduce vulnerabilities into an organization’s ecosystem. ASM tools are being used to monitor the digital footprints of third-party vendors, ensuring their security posture aligns with organizational standards. 

In 2024, a multinational retailer discovered a vulnerability in its payment processing partner’s infrastructure using an ASM platform. By addressing the issue proactively, the retailer avoided a potentially catastrophic data breach. 

7. Shift from Reactive to Proactive ASM 

Traditionally, ASM was seen as a reactive process—responding to discovered vulnerabilities after they had already been exploited. In 2025, the shift towards proactive ASM is evident, with platforms emphasizing continuous monitoring, real-time alerts, and predictive analytics. 

8. Human-Centric ASM 

Despite advancements in automation, human expertise remains essential. Human-centric ASM focuses on empowering security teams with intuitive tools and actionable insights. By combining human intuition with machine efficiency, organizations can achieve a stronger security posture. 

The Role of Cyble in Attack Surface Management 

Cyble has established itself as a leading provider of AI-driven ASM solutions. Recognized by Forrester in its Q2 2024 report, Cyble’s innovative approach to securing digital assets makes it a valuable partner for organizations striving to protect their expanding attack surfaces. 

Cyble’s ASM platform offers: 

  1. Comprehensive Visibility: Cyble’s platform provides a 360-degree view of the attack surface, covering assets such as cloud environments, web and mobile applications, IoT devices, email servers, and public code repositories. 

  2. AI-Driven Insights: The platform uses advanced AI algorithms to identify vulnerabilities and predict potential attack vectors, enabling proactive threat mitigation. 

  3. Ease of Integration: Designed to integrate seamlessly with existing SecOps solutions, Cyble’s ASM platform enhances the overall cybersecurity framework without adding complexity. 

  4. Proactive Threat Intelligence: Cyble continuously updates its threat intelligence database, providing organizations with actionable insights tailored to their unique attack surfaces. 

Why Cyble Stands Out: According to Beenu Arora, Founder and CEO of Cyble, “We provide organizations with the tools and insights they need to proactively identify and mitigate potential cyber threats before they escalate. Cyble’s inclusion in Forrester’s ASM Solutions Landscape report underscores our commitment to innovation and customer success.” 

Real-World Benefits: For instance, a global logistics firm used Cyble’s ASM platform to identify shadow IT assets that posed significant risks to its operations. By addressing these vulnerabilities, the company not only improved its security posture but also enhanced its operational efficiency. 

Conclusion 

Attack Surface Management in 2025 is characterized by rapid technological advancements, the integration of AI, and a growing focus on proactive security measures. As organizations face increasingly complex attack surfaces, staying ahead of the curve requires adopting cutting-edge ASM solutions. 

Cyble’s AI-driven ASM platform offers a comprehensive, proactive approach to securing digital assets. By leveraging Cyble’s innovative solutions, organizations can strengthen their cybersecurity posture, mitigate risks, and navigate the ever-evolving threat landscape with confidence.

The post Attack Surface Management (ASM) in 2025: Key Trends to Watch  appeared first on Cyble.


A Look at CISA Known Exploited Vulnerabilities in 2024 

Cyble | CISA Known Exploited Vulnerabilities

Overview 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 185 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2024, as the database grew to 1,238 software and hardware flaws at high risk of cyberattacks. 

The agency removed at least two vulnerabilities from the catalog in 2024, but the database has generally grown steadily since its launch in November 2021. 

We’ll look at some of the trends and vulnerabilities from 2024, along with the vendors and projects that had the most CVEs added to the list this year. 

CISA Known Exploited Vulnerabilities Growth Stabilizes 

CISA’s KEV catalog has grown at a steady rate in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 this year. That’s a pretty stable rate after KEV’s first year, when the agency added more than 300 vulnerabilities in the first two months of the program and nearly 500 more in the first six months of 2022. 

The addition of older vulnerabilities has also stabilized, as 115 of this year’s vulnerabilities were 2024 CVEs, compared to 121 CVEs from 2023 in last year’s additions. That still leaves 60 to 70 older vulnerabilities coming under active exploit each year. 

The oldest vulnerability in the catalog dates from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks. 

The oldest vulnerability added to the KEV database in 2024 was CVE-2012-4792, a use-after-free vulnerability in Microsoft Internet Explorer 6 through 8. CISA also added four Adobe Flash Player vulnerabilities from 2013 and 2014 this year, in addition to one vulnerability each from Cisco and D-Link from 2014. 

Most Common Software Weaknesses in CISA KEV 

Five software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2024 KEV additions. 

  • CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was the most common weakness among vulnerabilities added to the KEV database this year, accounting for 14 of the 185 vulnerabilities. 
  • CWE-502 – Deserialization of Untrusted Data – occurred in 11 of the vulnerabilities. 
  • CWE-416 – Use After Free – was behind 10 of the vulnerabilities. 
  • CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’) and CWE-287 (Improper Authentication) occurred 9 times each. 

Vendors with the Most Vulnerabilities in CISA KEV 

Not surprisingly, Microsoft had the most additions to CISA’s KEV database again this year, as the software giant accounted for 36 of the 185 vulnerabilities added this year, up from 27 out of 2023’s 187 additions. 

Second on the list was Ivanti, which had 11 vulnerabilities across multiple products that made the list. Ivanti’s challenges this year were perhaps best exemplified by the fact that CISA itself was breached through an Ivanti vulnerability. Cyble honeypot sensors detected attacks on multiple Ivanti vulnerabilities this year, with the first detections occurring in January. 

Vendors and projects with four or more CISA KEV additions are noted below: 

Vendor/project  2024 CISA KEV additions 
Microsoft  36 
Ivanti  11 
Google Chromium 
Adobe 
Apple 
Android 
Cisco 
D-Link 
Palo Alto Networks 
Apache 
VMware 
Fortinet 
Linux 
Oracle 

Interestingly, while Fortinet vulnerabilities attracted widespread attention this year, in part due to the large number of exposed devices, network security rival Palo Alto Networks actually had more vulnerabilities added to the KEV database this year. Palo Alto may soon get another KEV addition, as the just-announced CVE-2024-3393 vulnerability is reportedly under active attack. 

One interesting thing about the 2024 CISA KEV list is that the number of web-facing exposures or vulnerabilities a vendor has or even Common Vulnerability Scoring System (CVSS) severity ratings don’t always reflect the damage a particular vulnerability can cause. 

A case in point: CVE-2024-39717, a 7.2-severity Versa Director vulnerability with just 31 web-exposed instances, may have been weaponized in supply chain attacks against ISPs and MSPs. 

Cleo had just two vulnerabilities added to the KEV catalog this year (CVE-2024-50623 and CVE-2024-55956), and yet vulnerabilities in the company’s managed file transfer (MFT) solutions have apparently been used to breach 66 organizations. 

Conclusion 

CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and mitigation efforts. 

CISA KEV can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools. 

Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target. 

The post A Look at CISA Known Exploited Vulnerabilities in 2024  appeared first on Cyble.


Malware Trends Report: Q4, 2024 

Can you believe 2024 has come to an end? As we prepare to step into 2025, we’re excited to share key updates on the cybersecurity front from Q4. The last three months were anything but quiet—new threats emerged, familiar ones evolved, and cybercriminals kept raising the stakes. 

At ANY.RUN, we’ve been monitoring these shifts every step of the way. This report pulls together the most significant trends, from the most active malware families to the tactics and techniques shaping cybersecurity. 

Let’s jump in and see what this quarter taught us about the intriguing world of malware. 

Summary 

The number of sandbox sessions has grown compared to Q3 2024

In Q4 2024, ANY.RUN users ran 1,151,901 public interactive analysis sessions, marking a 5.6% increase from Q3 2024. Out of these, 259,898 (22.6%) were flagged as malicious, and 71,565 (6.2%) as suspicious. 

Compared to the previous quarter, the percentage of malicious sandbox sessions rose from 19.4% in Q3 2024 to 22.6% in Q4 2024. At the same time, the share of suspicious sessions grew from 4.3% to 6.2%. 

Users collected an impressive 712,151,966 indicators of compromise (IOCs) during Q4, reflecting the heightened activity and complexity of the threats analyzed. 

Top Malware Types in Q4 2024 

Stealers beat Loaders as the top malware type in Q4 2024

Let’s dive into the most common malware types identified by ANY.RUN’s sandbox in Q4 2024: 

# Type Detections
1 Stealer 25,341
2 Loader 10,418
3 RAT 6,415
4 Ransomware 5,853
5 Keylogger 1,915
6 Adware 1,666
7 Exploit 905
8 Backdoor 679
9 Trojan 466
10 Rootkit 386

Top Malware Types: Highlights 

Q4 2024 saw significant changes in the most detected malware types compared to previous quarters.

  • Stealers took the lead with 25,341 detections, continuing their dominance as the top malware threat. This marks a significant rise from 16,511 detections in Q3, reflecting an increase of 53.5% in Stealer activity. In Q2, Stealers had 3,640 detections, meaning their activity more than doubled from Q2 to Q4. 
  • Loaders also remained a prominent threat, holding steady in second place with 10,418 detections. This is an increase of 27% compared to Q3, where they were detected 8,197 times. In Q2, Loaders had 5,492 detections, so we’re seeing consistent growth in this malware type across the quarters. 
  • RATs continued to be a major concern in Q3 and Q4, although their position dropped to third place in both quarters. In Q4, RATs were detected 6,415 times, representing a 10.8% decrease from Q3 (7,191 detections).  
  • Ransomware saw a slight decrease in Q4, with 5,853 detections, down from 5,967 in Q3, marking a decrease of 1.9%. However, compared to Q2, where ransomware detections were at 2,946, there has still been a clear increase in ransomware activity over the last two quarters. 
  • Keylogger detections had a notable decrease in Q4, with 1,915 detections compared to 3,172 in Q3. This represents a 39.5% drop from Q3. In Q2, Keyloggers were also detected frequently, but the numbers were lower than what we saw in Q3 and Q4. 

A new threat category appeared in the top ten: Adware, which had 1,666 detections in Q4.  

Other notable malware types include Exploits (905 detections), Backdoors (679 detections), and Trojans (466 detections). These malware types had a relatively stable presence, with minor fluctuations in the number of detections compared to the previous quarter.

Rootkits, at the bottom of the list with 386 detections, are also showing up more frequently in analyses, though still less common than other types of malware.

Collect Fresh Intel on Emerging Cyber Threats

Make sure to use ANY.RUN’s TI Lookup to collect and enrich threat intelligence on the latest malware and phishing attacks.

The service provides access to a database of over 40 types of Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs), from IP addresses to mutexes, extracted from the public samples analyzed in ANY.RUN’s Interactive Sandbox.

With the following query you can find recent samples of Stealer malware uploaded by users in the UK:

The service provides results that match the submitted query

TI Lookup returns dozens of sandbox analyses matching the query that you can explore in detail and gather intel on the current threat landscape.

One of the analyses provided by TI Lookup

In this session, we can observe the execution process of a Lumma malware sample.

Top Malware Families in Q4 2024 

Lumma retained its position for the second quarter in a row

# Malware Family Detections 
1 Lumma 6,982
2 Stealc 4,790
3 Redline 4,321
4 Amadey 3,870
5 Xworm 3,141
6 Asyncrat 2,828
7 Remcos 2,032
8 Snake 1,926
9 AgentTesla 1,906
10 Sality 1,194

In Q4 2024, the malware landscape continued to evolve with several shifts in the prevalence of different malware families.

  • Lumma maintained its strong position, leading the list with 6,982 detections, showing a significant increase compared to Q3 (4,140 detections). 
  • Stealc made an impressive jump to second place, with 4,790 detections, up from 2,030 in Q3. This is a 136.3% increase and positions Stealc as a rising threat in the malware world. 
  • Redline followed with 4,321 detections, a 26.7% rise from Q3. 
  • AsyncRAT and Remcos showed some decrease in activity, indicating possible shifts in threat actor strategies. 
  • Xworm, another notable family, saw a substantial rise, reaching 3,141 detections in Q4, up from 2,188 in Q3. This is a 43.7% increase, making Xworm one of the most concerning threats of the quarter. 

Snake, which appeared on the list for the first time in Q3, continued its activity in Q4, with 1,926 detections, up from 1,782 in Q3, reflecting an 8.1% increase. 

AgentTesla showed a noticeable decrease in activity, dropping to 1,906 detections in Q4 from 2,316 in Q3, which is a 17.7% decline. 

Finally, Sality, which had previously been less active, saw a return to the list with 1,194 detections, making it the tenth most detected malware family in Q4. 

Phishing Activity in Q4 2024 

Tycoon2FA became the most common phishing kit in Q4 2024

Phishing activity saw a significant uptick in Q4 2024, with a total of 82,684 phishing-related threats flagged across the ANY.RUN sandbox. This shows just how active cybercriminals were, using phishing tactics to target victims. 

Activity by cyber criminal groups: 

  • Storm1747 led the pack with 11,015 phishing-related uploads, making it the most active group. 
  • Storm1575 followed with 3,756 uploads, showing strong but more limited activity. 

Activity by phishing kits: 

  • The Tycoon2FA kit dominated the scene, with 8,785 instances of use. 
  • Mamba2FA came in second with 4,991 detections, reflecting notable activity. 
  • Evilginx2/EvilProxy made a smaller but significant impact with 573 detections. 
  • Gabagool had 384 detections, indicating a more niche but active presence. 

Top 5 Protectors and Packers from Q4 2024 

UPX is the most commonly used packer by threat actors

In Q4 2024, the top protectors and packers continued to play a significant role in obfuscating malware to evade detection. Here’s a look at the most common ones: 

  1. UPX: The clear leader with 12,262 detections, making it the most widely used protector/packer. 
  2. Netreactor: With 8,333 detections, it remains a popular choice for malware obfuscation. 
  3. Themida: Used in 4,627 detections, Themida was a key player in malware protection.
  4. Confuser: Close behind with 4,610 detections, Confuser also stood out for its effectiveness. 
  5. Aspack: The least common in the top 5, but still notable with 566 detections. 

These protectors and packers are integral to malware campaigns, helping cybercriminals hide their malicious code and avoid detection. 


Top 20 MITRE ATT&CK Techniques in Q4 2024 

Threat actors continue to utilize Windows Command Shell in their attacks

In Q4 2024, several adversary techniques saw a rise in activity, with PowerShell, Windows Command Shell, and phishing techniques dominating the list. Here’s a breakdown of the top 20 techniques observed: 

#   MITRE ATT&CK Technique  Detections 
1   Command and Scripting Interpreter: Windows Command Shell, T1059.003  44,850 
2   Masquerading: Rename System Utilities, T1036.003  42,217 
3   Phishing: Spearphishing Link, T1566.002  28,685 
4   Command and Scripting Interpreter: PowerShell, T1059.001  26,503 
5   Virtualization/Sandbox Evasion: Time Based Evasion, T1497.003  24,177 
6   Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder, T1547.001  18,394 
7   Scheduled Task/Job: Scheduled Task, T1053.005  17,873 
8   Virtualization/Sandbox Evasion: System Checks, T1497.001  16,735 
9   Credentials from Password Stores: Credentials from Web Browsers, T1553.004  15,042 
10  System Binary Proxy Execution: Rundll32, T1218.011  13,981 
11  System Services: Service Execution, T1569.002  12,245 
12  Masquerading: Match Legitimate Name or Location, T1036.005  10,530 
13  Scheduled Task/Job: Systemd Timers, T1053.006  10,000 
14  Create or Modify System Process: Systemd Service, T1543.002  10,000 
15  Command and Scripting Interpreter: Visual Basic, T1059.005  7,150 
16  Impair Defenses: Disable or Modify Tools, T1562.001  6,686 
17  System Information Discovery: Application Layer Protocol, T1222.001  6,589 
18  Command and Scripting Interpreter: Unix Shell, T1059.004  6,339 
19  System Information Discovery: Remote System Discovery, T1222.002  5,577 
20  Impact: Data Destruction, T1564.003  5,429 

Top TTPs: Q4 2024 vs Q3 2024 

In Q4 2024, the landscape of detected techniques saw a few shifts compared to Q3. Here are the key highlights: 

The top three spots for Q4 were claimed by: 

  • T1059.003, Command and Scripting Interpreter: Windows Command Shell – claiming the top spot, up from the 3rd position in Q3, with a substantial rise in detections (41,384). 
  • T1036.003, Masquerading: Rename System Utilities – staying strong in 2nd place, though with a slight dip in detections compared to Q3 (41,254). 
  • T1566.002, Phishing: Spearphishing Link – a significant leap from its previous position, climbing to 3rd with 28,685 detections, marking an increase in phishing-related activities. 

Worthy mentions: 

  • T1059.001, Command and Scripting Interpreter: PowerShell – dropped to 4th place after holding the 2nd spot in Q3, now with 26,503 detections. 
  • T1497.003, Virtualization/Sandbox Evasion: Time-Based Evasion – although it slipped to 5th place from 4th in Q3, it still saw a notable number of detections (24,177). 
  • T1547.001, Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – entering the list in 6th place, showing a steady increase in activity (18,394).

Tactics, techniques and procedures of phishing (T1566) 

Use TI Lookup’s interactive MITRE ATT&CK matrix which accompanies each TTP with real-world examples of cyber threat samples, analyzed in ANY.RUN’s Interactive Sandbox.

Report Methodology

For this report, we analyzed data from a total of 1,151,901 interactive analysis sessions. This data is drawn from researchers in our community who contributed by running public analysis sessions on ANY.RUN.  

These sessions provided valuable insights into the latest trends and activities in cybersecurity, helping us identify key threats and techniques that are currently on the rise. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  


The post Malware Trends Report: Q4, 2024  appeared first on ANY.RUN’s Cybersecurity Blog.


2024 Wrapped: A Year of Growth, Innovation, and Community at ANY.RUN 

As we wrap up 2024, let’s take a moment to reflect on what an incredible year it’s been for ANY.RUN. Together, we’ve achieved so much: breaking barriers, improving tools, and working side by side with you, our amazing community of cybersecurity heroes. 

From big product launches to small tweaks that make a huge difference, everything we’ve done this year has been with one goal in mind: to make your fight against cyber threats easier, smarter, and faster. 

Let’s take a look back at some of the highlights that made this year unforgettable! 

Interactive Sandbox 

This year, we took significant strides to enhance your experience with the ANY.RUN sandbox, introducing new features and upgrades to help you combat cyber threats more effectively. 

Linux OS Support for In-Depth Malware Analysis 

For the first time, our sandbox extended its capabilities beyond Windows, making it possible for malware analysts, SOC teams, and DFIR experts to analyze Linux-based samples in a secure and interactive cloud environment. 

Analyzing malware inside secure Linux environment 

With real-time monitoring of suspicious activities, detailed reports featuring the MITRE ATT&CK Matrix, Process Graphs, and IOCs, you can now uncover threats on Linux systems with the same precision and speed you’ve come to expect from ANY.RUN. 

Universal Windows 10 x64 Access 

In 2024, we made Windows 10 (64-bit) VMs available to all users, including those on the Community plan! 

Everyone can analyze malware and phishing threats in a modern Windows environment, leveling the playing field for cybersecurity investigations. 

Windows 10 (64-bit) is available to everyone, including on the free plan

This update ensures everyone can access powerful threat analysis tools and helps improve threat detection for the entire ANY.RUN community. 

Automated Interactivity: Smarter and Faster Malware Detonation 

With Stage 2 Automated Interactivity, ANY.RUN’s Interactive Sandbox now handles even more complex malware and phishing scenarios automatically. From extracting URLs in QR codes to detonating payloads in email attachments and navigating long redirect chains, it’s all done without user input. 

Automated Interactivity quickly identifies and detonates Formbook inside an archive attached to an email

Our analyst team continuously adds new attack scenarios, ensuring your sandbox stays one step ahead of evolving threats! 



A New Look at Network Threats: Redesigned Details Window 

In 2024, we revamped the Threat details window to give you a clearer view of malware activity. Now, you can access all key intel, like source data, IP addresses, ports, and protocols, in one streamlined view. 

Hunter and Enterprise subscribers can look inside Suricata rules 

And for Hunter and Enterprise users, the new Suricata rule tab opens the door to the signatures behind the detections. 

PowerShell Support in Script Tracer 

This year, we supercharged our Script Tracer by adding PowerShell support to its arsenal, alongside JScript, VBScript, VBA, and Excel 4.0 macros. 

Example of PowerShell script in ANY.RUN’s Tracer 

Now, you can follow PowerShell scripts step by step, making it easier to analyze and counter malware leveraging persistence, lateral movement, or payload execution. 

Your Private AI Assistant: Smarter, Safer, and Always There to Help 

This year, we introduced a private AI model inside ANY.RUN’s sandbox, replacing ChatGPT.  

AI assistance inside ANY.RUN’s sandbox 

Now, you can get fast, AI-powered explanations in both public and private sessions, without worrying about data leaving your hands. 

Phishing Detection with Rspamd 

In 2024, we leveled up our phishing detection game with the integration of Rspamd, an open-source email filtering system, into ANY.RUN’s Static Discovering module.

Rspamd analysis inside the ANY.RUN sandbox

With features like Score, Content, and Header Descriptions, you can dive deep into email analysis. 

STIX Reports 

We added the ability to export threat data in the STIX format, a standardized language for sharing cyber threat intelligence. The report contains the link to the sandbox session, hashes, network traffic details, file system modifications, TTPs, and more. 

Click Export → STIX to download threat data 

A Fresh Look for Faster Analysis: Sandbox Home Screen Redesign 

We gave the ANY.RUN Sandbox home screen a sleek makeover to make navigation easier and faster. 

ANY.RUN sandbox has a new home page 

New shortcut buttons let you launch analysis sessions in just a click 

Tag It Your Way: Custom Tags via API 

Now you can set custom tags to sandbox sessions directly through the API, adding to the flexibility of the web interface. Organize and categorize your analyses your way, with more control than ever before! 

Teamwork Upgrades 

This year, we made significant upgrades to the Teamwork functionality of the ANY.RUN sandbox. Some of the key changes include: 

  • Single Sign-On (SSO): We’ve fixed key issues such as the logout process and setup problems. You can now also log in not just through our authorization window but also through third-party services. 
  • Exporting team history: Enterprise users can now export structured lists of their team’s sandbox sessions in JSON format.  
  • Multi-admin support: Team owners can now appoint multiple admins to manage their teams more effectively. Admins can enable and disable SSO, invite or remove team members, and manage licenses, including Threat Intelligence (TI) licenses. 

Threat Intelligence Lookup 

In 2024, we introduced Threat Intelligence Lookup, a tool designed to give you access to a centralized repository of millions of Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).

TI Lookup released in 2024 

This powerful service allows you to build precise queries, use them to search across threat data from public sandbox sessions, and enrich your threat intelligence with additional context, connecting isolated IOCs to broader malware campaigns, all in one place. 



But we didn’t stop there! 

Throughout the year, we worked hard to refine TI Lookup, adding new features and capabilities to make it even better for security teams and professionals.  

Here’s how we’ve enhanced it: 

YARA Search: Your Custom Threat-Hunting Tool 

This year, we expanded our Threat Intelligence suite with YARA Search, giving users the power to scan ANY.RUN’s extensive database using custom YARA rules. 

YARA search inside TI Lookup 

With a built-in editor, you can easily write, edit, test, and manage your rules. Once matching malicious files are identified, dive deeper by analyzing their behavior directly in the sandbox. 

Mutex Search: Precision Meets Speed in TI Lookup 

We’ve enhanced Threat Intelligence Lookup with a powerful Mutex Search feature, designed to make your investigations faster and more precise. 

List of DCRat mutexes 

Using queries like SyncObjectName:"<mutex name>", where the value is a mutex name or a wildcard pattern (for example, one containing the malware’s name), you can quickly locate relevant sandbox analysis sessions tied to specific mutexes. 

Suricata Search: Deeper Dive into Network Threats 

The Threat Intelligence Lookup now includes Suricata search fields, making it easier to pinpoint specific network threats. 

Suricata search inside TI Lookup 

Search using fields like SuricataClass, SuricataMessage, SuricataThreatLevel, and SuricataID to uncover detailed information about network activity.  

Malware Config Insights: Unlocking Hidden IOCs 

We’ve expanded Threat Intelligence Lookup to include IOCs from malware configurations, manually extracted from reverse-engineered samples. 

“malconf” domains in TI Lookup

Currently covering 79 malware families, these config-based IOCs are tagged with “malconf” for easy identification. This feature gives you a clearer understanding of malware behavior and helps you uncover actionable insights faster than ever. 

Notifications 

Threat Intelligence Lookup has also been upgraded with the new Notifications feature

Notifications in TI Lookup 

Subscribe to specific search queries and receive alerts on new IOCs, IOAs, and IOBs directly in your dashboard. New results are clearly highlighted, making it easier to stay on top of emerging threats and act quickly. 

Redesigned Home Screen with Interactive MITRE ATT&CK Matrix 

In 2024, we took the time to give the Threat Intelligence home screen a thoughtful upgrade, making it more user-friendly and packed with valuable features. 

Updated version of the Threat Intelligence home page lets you explore samples with specific TTPs

The new design offers a clearer, more intuitive view of the threat landscape. We’ve added a MITRE ATT&CK matrix with refined techniques and tactics, along with real-world examples of malware and phishing threats analyzed in the ANY.RUN sandbox. 

TI Feeds 

Our Threat Intelligence Feeds provide actionable data on malicious IPs, URLs, and domains, collected from analysis sessions created by over 500,000 researchers in the ANY.RUN sandbox. 

This year, we further improved TI Feeds by introducing STIX and MISP formats.

You can test demo TI Feeds for free 

We also introduced demo samples of our feeds that any user can try for free via API. 



Safebrowsing 

In 2024, we brought you Safebrowsing, a new tool designed for faster and simpler threat analysis. 

You are free to interact with websites just like in a standard browser

With Safebrowsing, you can safely analyze suspicious URLs in a fully interactive, isolated browser environment. It’s a quick and secure way to explore websites, verify malicious content, and protect your local system from risk. 

Browser Extension 

We made malware analysis even easier with the launch of the ANY.RUN Browser Extension for Chromium-based browsers. 

ANY.RUN’s browser extension can be used for streamlining threat analysis

With this extension, you can start analysis sessions directly from your browser and view results instantly, either in the extension or in the sandbox for deeper investigation. It’s fast, simple, and designed to save you valuable time. 

Integrations 

At ANY.RUN, we know how important integrations are for streamlining your threat analysis workflows.  

That’s why in 2024 we focused on expanding our connectivity with industry-leading platforms to make your investigations faster and more efficient. 

Integration with OpenCTI 

OpenCTI interface 

We integrated with OpenCTI, allowing users to enrich their threat intelligence with data from ANY.RUN. Malware labels, malicious scores, TTPs, file hashes, and IP addresses are now transferred into OpenCTI, eliminating manual work and centralizing your analysis. 

Integration with Splunk 

We also launched an integration with Splunk, bringing our Interactive Sandbox and Threat Intelligence Lookup directly into the Splunk SOAR environment. 

Official page of ANY.RUN’s connector for Splunk

It lets you analyze malicious files and URLs, and enrich your investigations with comprehensive threat intelligence, all without leaving your familiar Splunk environment.

Security Training Lab 

In 2024, we launched Security Training Lab, addressing a critical gap in cybersecurity education—bridging theory with hands-on practice. 

Universities often struggle to keep pace with evolving cyber threats. Our program empowers educators and students with tools like ANY.RUN’s sandbox, real-world threat simulations, and a practical curriculum designed to prepare future professionals for real challenges. 

Highlights of Security Training Lab 

  • 30+ hours of content: Comprehensive academic resources, tasks, and tests. 
  • Hands-on experience: Analyze real malware samples in a secure environment. 
  • Easy management: Track progress with our user-friendly platform. 
  • Community support: A private Discord group for students. 

With Security Training Lab, we’re shaping confident, skilled cybersecurity professionals ready to take on the future. 

Cyber Threat Research from ANY.RUN Team

In 2024, ANY.RUN’s team of malware analysts continued to share their research on new and emerging threats, helping the cybersecurity community stay informed. Take a look at some of the articles published by our team throughout the year:

Make sure to subscribe to us on X and other social media to get quick rundowns on active malware and phishing campaigns.

ANY.RUN’s Top Awards in 2024 

Awards won by ANY.RUN in 2024

In 2024, ANY.RUN’s commitment to innovation and excellence in cybersecurity was recognized with prestigious industry awards. They reflect the hard work of our team and the impact of our tools on the global cybersecurity community: 

  • Cybersecurity Excellence Awards: Winner in the Threat Hunting category, highlighting our impact and commitment to excellence. 
  • Best security solution: Our platform was named the Best Threat Intelligence & Interactive Malware Analysis Platform, praised for its innovation and user-friendly design. 
  • Top 150 cybersecurity vendors: ANY.RUN earned a spot on IT-Harvest’s Top 150 Vendors, a global benchmark in the cybersecurity field. 
  • Best in behavior analytics: The CyberSecurity Breakthrough Awards recognized our behavior analytics and the advanced Automated Interactivity feature. 

We’re proud of these achievements and look forward to raising the bar even higher in 2025! 

Stronger Together: Collaboration with the ANY.RUN Community 

We were closer than ever with the incredible ANY.RUN community. Together, we uncovered new threats, presented cutting-edge technical analyses, and pushed the boundaries of what’s possible in malware research. 

Your active engagement has been at the heart of our success. We can’t thank you enough for your support and collaboration throughout the year. 

As we look ahead to 2025, we’re excited to bring even more opportunities for mutual collaboration.  

Let’s continue to grow, learn, and tackle cyber threats together! 

More to Come in 2025 

As we celebrate these milestones, we’re already looking ahead to 2025. With exciting projects on the horizon, new features in development, and your continued support, we’re confident that the best is yet to come. 

To every researcher, analyst, and team who trusted ANY.RUN this year: thank you. You are the reason we do what we do. Here’s to another year of fighting cybercrime—together. 

Happy New Year, 
The ANY.RUN Team


The post 2024 Wrapped: A Year of Growth, Innovation, and Community at ANY.RUN  appeared first on ANY.RUN’s Cybersecurity Blog.


Integrate ANY.RUN Threat Intelligence Feeds with Your Security Platform

Editor’s Note: This article was originally published on June 11, 2024, and updated on December 28, 2024.

The ANY.RUN Threat Intelligence Feeds provide data on the known indicators of compromise: malicious IPs, URLs, domains, files, and ports.   

The data is collected and pre-processed from public malware and phishing samples analyzed by our community of 500,000 researchers in the ANY.RUN sandbox environment.

How ANY.RUN’s TI Feeds Help Organizations

Cyber Threat Intelligence Feeds from ANY.RUN extend the threat coverage of your SIEM and TIP systems. They provide IOCs of recently seen cyber threats so you can proactively prepare to defend your infrastructure against them, as well as: 

  • Expand Threat Coverage: Improve system’s ability to detect emerging malware and phishing attacks.  
  • Improve Incident Response: Enrich incident response processes with contextual data, providing deeper insights into threats and their behaviors.  
  • Strengthen Security Posture: Ensure proactive defense against new and evolving threats.  
  • Optimize Threat Hunting: Streamline threat hunting activities, identifying and investigating potential threats more effectively. 

Feeds are easy to use. They are practically a plug-and-play solution, as long as your team is already using a SIEM or TIP system.  



Indicators Provided by ANY.RUN’s TI Feeds

The IOCs include information on malicious IP addresses, domain names, and URLs, enriched with contextual details such as related files and ports.   

IP addresses 

IP addresses are important for detecting and preventing malicious network activity. They serve as digital markers of cybercriminal operations, often linked to Command-and-Control (C2) servers or phishing campaigns. 

By analyzing IP addresses, cybersecurity teams can identify and block malicious sources, trace attack origins and monitor threat patterns. 

Domains 

Domains are often used as staging points for cyberattacks. They provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign. 

ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes.  

URLs 

URL addresses serve as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content. Their flexibility and ease of use make them a preferred tool for attackers. 

By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data. 

More information on the structure of TI Feeds and the additional IOCs they contain is available in our blog post.  

Key Features of ANY.RUN’s TI Feeds

  • Fresh Indicators: Mined from the latest public samples uploaded to our interactive sandbox by a global network of over 500,000 security professionals and updated every few hours.  
  • Contextual Information: Offer more than just IOCs by providing direct links to sandbox sessions that include memory dumps, network traffic, and events.  
  • Rigorous Pre-Processing: Advanced algorithms and proprietary technology used for data filtering and validation.  
  • STIX and MISP Formats: Deliver threat intelligence feeds in the STIX and MISP formats, making it easy for security teams to integrate our data into their existing infrastructure.  

Try Demo Sample of ANY.RUN’s TI Feeds 

We provide free samples of ANY.RUN’s Threat Intelligence Feeds with data from 6 months ago, so you can test them in your security setting.

Contact us to access the most up-to-date TI Feeds version or make a purchase.

Prerequisites: 

  • For ANY.RUN: an account registered with a custom domain email. 
  • For your SIEM/TIP system: an account with the admin role. 

Here are the steps to integrate the demo feeds: 

Setting up TI Feeds is simple

1. Go to the Threat Intelligence Feeds dashboard.

Select the types of feeds you want by checking the boxes

2. Choose which indicators to receive by checking the boxes: URLs, Domains, IPs, or any combination of them. 

Copy the feeds URL and add it as a source in your SIEM or TIP system

3. Copy the feeds URL and paste it into the threat intelligence feeds section of your SIEM or TIP system. This step depends on your vendor, but generally you search for “threat intelligence feeds” and find an input for a URL or source. You can also download a STIX or MISP feeds sample by clicking the Get Demo button. 

Get the API key from the Threat Intelligence Feeds dashboard

4. Copy the API key and paste it into the API key field in the same SIEM/TIP section where you provided the feeds URL. 

That’s it! You are now receiving demo threat data from ANY.RUN. 



Which vendors can integrate with ANY.RUN? 

Our threat intelligence feeds share data in the standardized STIX and MISP formats. This means that you can practically integrate ANY.RUN feeds with any vendor, including popular platforms like OpenCTI and ThreatConnect.

Contact us to get assistance with your integration.

How TI Feeds Support Business Performance 

Adding threat intelligence feeds to your cybersecurity framework significantly raises the resilience of your organization.  

  • Cost reduction: Investing in TI feeds can lead to significant cost savings by preventing data breaches and minimizing the need for reactive security measures.  
  • Informed decision-making: Quality TI feeds provide critical insights, ensuring that security efforts are focused on the most pressing threats.  
  • Brand reputation: Early detection of threats reduces the likelihood of incidents that could damage a company’s name. 
  • Operational efficiency: Integrating CTI feeds into your response process improves it and shortens mean time to resolution (MTTR). 
  • Compliance: TI feeds help document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI.  

For detailed information on the role of cyber threat intelligence feeds in improving a company’s operational performance, refer to this article.  


The post Integrate ANY.RUN Threat Intelligence Feeds with Your Security Platform appeared first on ANY.RUN’s Cybersecurity Blog.


Release Notes: New Search Operators in TI Lookup, MISP Integration, Multi-admin Support 

As we wrap up 2024, we’re excited to share the final release notes of the year, and they’re packed with updates you’re going to love! 

This December, we’ve shared some great news with our ANY.RUN community. From new wildcards and search operators in TI Lookup to the launch of our MISP instance and an upgraded Teamwork feature, we’ve been working to make your workflows smoother and more collaborative.  

And of course, we’ve expanded our threat coverage to ensure you’re ready to tackle whatever comes next.  

Let’s dive in! 

New Wildcards and Search Operators in ANY.RUN’s TI Lookup 

Searching through massive amounts of cyber threat data isn’t exactly fun. It can be frustrating when small variations in domain names or IP addresses make it hard to connect the dots. That’s why we’ve updated Threat Intelligence Lookup (TI Lookup) with new wildcards and search operators to give you more control and flexibility when crafting queries. 

Before this update, TI Lookup supported the basic operator AND along with the wildcard *, which already allowed flexible searches.  

In December, we’ve expanded this functionality by adding new wildcards and operators to make threat intelligence even more versatile. 

What’s new? 

  • OR: The OR operator broadens your search by including results where at least one of the specified conditions is met.  
  • NOT: The NOT operator excludes results matching specific conditions, narrowing your search to focus on relevant entries. 
  • Parentheses (): They group conditions to ensure your query processes operators in the correct order, enabling precise, complex searches. 
  • Question mark (?): Acts as a placeholder for a single character or none, making it perfect for handling variable strings. 
  • Dollar sign ($): Ensures your search term appears at the end of a string, useful for pinpointing entries with specific endings. 
  • Caret (^): Makes sure your search term appears at the beginning of a string, ideal for narrowing searches to items starting with specific patterns. 

Example of a query with OR search operator inside TI Lookup 

For more details, check out the guide to using wildcards and operators



MISP Integration: A New Option for Threat Intelligence Sharing 

We’re excited to share that in December, we introduced our own MISP instance, providing access to Indicators of Compromise (IOCs) from ANY.RUN’s Threat Intelligence Feeds. This new feature brings even greater collaboration and efficiency to threat intelligence sharing. 

MISP (Malware Information Sharing Platform) is a free, open-source tool that streamlines the sharing of threat intelligence, enabling organizations to exchange data, identify compromises, and automate correlations. 

MISP attributes dashboard in Elastic Search 

With ANY.RUN’s MISP instance, you can: 

  • Access TI Feeds: Get real-time streams of malicious IPs, URLs, domains, ports, file names, and hashes from ANY.RUN’s Interactive Sandbox. The IOCs are pulled from different sources, including network activities and malware configurations. 
  • Integrate with security tools: Connect ANY.RUN’s MISP instance to your SIEM, XDR, or other tools via API. 
  • Improve threat detection: Enrich your IOCs with ANY.RUN’s data for a clearer understanding of threats. 
  • Generate IDS rules: Export attributes in NIDS-compatible formats for use in IDS/IPS or NGFW systems. 
ANY.RUN offering demo feeds samples in STIX and MISP formats 

You can test ANY.RUN’s MISP and STIX feeds by getting a free demo sample or contacting us. 
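To show what ingesting a STIX feed and exporting it as IDS rules looks like in code (the “Generate IDS rules” point above, and the SIEM/TIP feed setup described in the integration article earlier on this page), here is an added Python example. It is not ANY.RUN’s or MISP’s code: it parses a constructed STIX 2.1 bundle in the shape a feed exports, keeps the single-comparison indicator patterns, and turns the network observables into Suricata rules. The bundle contents, indicator names and SIDs are made up (documentation-range addresses and example domains), and compound patterns and file hashes are deliberately left out of the rule set.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example, not ANY.RUN's or MISP's code. SAMPLE_BUNDLE is a constructed
# STIX 2.1 bundle; addresses and domains come from documentation ranges
# (RFC 5737, RFC 2606) and are not real indicators.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaa1111-0000-4000-8000-000000000001",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaa1111-0000-4000-8000-000000000002",
         "name": "Constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaa1111-0000-4000-8000-000000000003",
         "name": "Constructed payload URL", "pattern_type": "stix",
         "pattern": "[url:value = 'http://dl.example.org/stage2.bin']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaa1111-0000-4000-8000-000000000004",
         "name": "Constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaa1111-0000-4000-8000-000000000005",
         "name": "Compound pattern, skipped below", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'x.example.net']"},
        {"type": "malware", "spec_version": "2.1", "id": "malware--aaaa1111-0000-4000-8000-000000000006",
         "name": "Constructed family", "is_family": True},
    ],
})

# One comparison between brackets: [<object-type>:<property> = '<value>']
_SIMPLE_COMPARISON = re.compile(r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]$")


@dataclass(frozen=True)
class Ioc:
    kind: str    # ipv4, domain, url or sha256
    value: str
    name: str


def extract_iocs(bundle_json: str) -> list:
    """Pull single-comparison STIX indicators out of a bundle, in bundle order."""
    iocs = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        match = _SIMPLE_COMPARISON.match(obj.get("pattern", ""))
        if match is None:
            continue  # AND / OR / FOLLOWEDBY patterns need a full STIX pattern parser
        stix_type, prop, value = match.groups()
        name = obj.get("name") or obj["id"]
        if (stix_type, prop) == ("ipv4-addr", "value"):
            iocs.append(Ioc("ipv4", value, name))
        elif (stix_type, prop) == ("domain-name", "value"):
            iocs.append(Ioc("domain", value.lower(), name))
        elif (stix_type, prop) == ("url", "value"):
            iocs.append(Ioc("url", value, name))
        elif (stix_type, prop) == ("file", "hashes.'SHA-256'"):
            iocs.append(Ioc("sha256", value.lower(), name))
    return iocs


def _content(text: str) -> str:
    """Escape the characters Suricata treats specially inside quoted strings."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def to_suricata(iocs: list, sid_base: int = 9000000) -> list:
    """Emit one Suricata rule per network-observable IOC; file hashes are skipped."""
    rules, sid = [], sid_base
    for ioc in iocs:
        msg = _content(f"TI feed match: {ioc.name}")
        tail = f"classtype:trojan-activity; sid:{sid}; rev:1;)"
        if ioc.kind == "ipv4":
            rule = f'alert ip $HOME_NET any -> {ioc.value} any (msg:"{msg}"; {tail}'
        elif ioc.kind == "domain":
            # dotprefix + endswith matches the domain itself and any subdomain of it
            rule = (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; dotprefix; '
                    f'content:".{_content(ioc.value)}"; nocase; endswith; {tail}')
        elif ioc.kind == "url":
            parts = urlsplit(ioc.value)
            rule = (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{msg}"; '
                    f'http.host; content:"{_content(parts.hostname or "")}"; '
                    f'http.uri; content:"{_content(parts.path or "/")}"; {tail}')
        else:
            continue  # hashes belong in EDR/AV blocklists, not in network rules
        rules.append(rule)
        sid += 1
    return rules


if __name__ == "__main__":
    for rule in to_suricata(extract_iocs(SAMPLE_BUNDLE)):
        print(rule)
```

The SID range is the one thing to coordinate with whoever else writes rules for your sensors: pick a block reserved for feed-derived rules and keep the sid/rev pair stable across feed refreshes, otherwise every pull will look like a new rule to Suricata’s reload logic.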

New Teamwork Feature: Multiple Admin Support  

We’re excited to announce a powerful December update to ANY.RUN’s Teamwork feature, designed to simplify team management and improve collaboration for organizations of all sizes. 

Team owners can now assign admin roles to team members, with no limits on the number of admins.  

Admins have the following capabilities: 

  • Enable or disable Single Sign-On (SSO) for the team. 
  • Invite or remove team members as needed. 
  • Manage licenses for team members, including access to features like TI Lookup. 

Admins can also assign or revoke admin rights, ensuring flexible and efficient management. 

This update was driven by feedback from our customers, who needed a way to share responsibilities within their teams. Here’s how it can help: 

  • Delegation: If a team owner is unavailable (e.g., on vacation), responsibilities can easily be handed over to admins. 
  • Time zone flexibility: Large teams operating in different time zones can now have admins based in various regions, improving responsiveness and workflow efficiency. 

How to start using this feature  

Team owners can assign admin roles in the Teamwork section under Licenses. Once set up, admins can immediately start managing the team and sharing responsibilities. 





Threat Coverage Updates

In December, we expanded our detection capabilities, adding 58 new malware signatures, introducing advanced YARA rules, and further improving our machine learning (ML) models to keep up with evolving threats. 

Signatures 

We’ve introduced 58 new signatures targeting a diverse range of malware families. Here are some of them: 

APT Detection Updates 

We’ve enhanced our detection capabilities for several known APT attacks: 

  • SimpleHelp, BugSleep, and PortStarter are now comprehensively monitored. 

New YARA Rules 

5 new YARA rules were added this month for more precise detection: 

Suricata Rule Updates 

This month, we’ve significantly expanded our Suricata rule collection by adding 5,159 new rules, enhancing our detection accuracy across a variety of threats.  

These updates include focused detections for phishing kits, such as: 

Automated Interactivity Enhancements 

We’ve fine-tuned our automated interactivity clicker, making it smarter. These updates mean it’s now even better at interacting with malware samples, accurately simulating how real users might behave. 

With these improvements, detecting complex threats just got easier. We made sure you get even more reliable results for your investigations. 

About ANY.RUN  

ANY.RUN is a leading provider of a cloud-based malware analysis sandbox for effective threat hunting. Our service lets users safely and quickly analyze malware without the need for on-premises infrastructure. ANY.RUN is used by organizations of all sizes, including Fortune 500 companies, government agencies, and educational institutions.

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Get a 14-day free trial of ANY.RUN’s Interactive Sandbox →

The post Release Notes: New Search Operators in TI Lookup, MISP Integration, Multi-admin Support  appeared first on ANY.RUN’s Cybersecurity Blog.


Cybersecurity trends in 2025 | Kaspersky official blog

The outgoing 2024 brought a number of record-breaking data breaches — from the Taylor Swift concert ticket case, to the incident with 100 million Americans’ medical records. AI technology and cybercrime made leaps and bounds all year long. So how can you stay on top of all this to ensure personal information security? Here’s how: make these seven New Year resolutions — and stick to them throughout 2025.

1. Learn to use AI assistants securely

Over the past year, the use of AI has evolved from a trending novelty to a part of life — especially after AI assistants became smartphone features. Given that AI is now literally in the palm of your hand — offering at times quite personal advice — it’s worth getting to grips with the rules for safe chatbot use to keep yourself and others out of harm’s way. Here they are in a nutshell:

  • Double-check AI advice — especially when asking for information about medicines, investments, or other queries where errors are costly. Chatbots are known to “hallucinate”, so never blindly follow their tips.
  • Disable AI features unless you know what they’re for. The “smart” craze is driving companies to integrate AI even where it’s not needed. The most striking example is the rollout of the controversial Recall feature in Windows 11, where it continuously captures screenshots for AI analysis. Disable AI if you’re not actively using it.
  • Never give personal information to AI. Photos of documents, passport details, financial and medical information are almost never needed for AI to function correctly. Given that such data may get stored for a long time and used for AI training — and thus be more likely to leak — it’s better not to upload such data in the first place.
  • Don’t chat with family and friends through AI. Such automation is rarely useful and won’t help maintain closeness.

2. Switch to passkeys instead of passwords

Tech majors are gradually ditching passwords for more reliable passkeys; for example, Microsoft plans to move a billion users over to this new technology. With passkeys, you log in to a site by means of biometric verification or a PIN code. The check is carried out locally on your computer or smartphone; the device then unlocks the private key it stored for that website and uses it to sign the site’s login challenge, and the site verifies the signature with the matching public key it registered earlier. The private key never leaves the device and is bound to the site it was created for, so it cannot be phished or replayed on a look-alike domain. In some services, “Passkey” is the actual name of the login method; others, like Microsoft, mention “Face, Fingerprint, or PIN”. Whatever name it goes by, the method is more reliable than a combination of a password and one-time code, as well as easier and faster to use. If passkeys are on offer, get them!

3. Find and change all old passwords

Despite the advent of passkeys, passwords will remain with us for many years to come, and that means lots more leaks and hacks. Old passwords that you created years ago with little thought to length or strength can be brute-forced without too much trouble. For example, this year saw the biggest password leak in history. Dubbed RockYou2024, it contained 10 billion (!) unique records. Many of them are stored only as password hashes rather than in plaintext, but modern graphics cards can crack the shorter ones by brute force. In our study of password strength, it turned out that six out of ten user passwords found in this leak could be broken in anywhere from a few seconds to one hour.

To thwart password crackers, go through all your passwords and reset any that are short (fewer than 12 characters) or very old, and create new ones in accordance with best security practices. As you know, passwords should never be reused, so it’s best to generate new ones and store them in a reliable password manager.

4. Teach family and friends how to spot deepfakes

The rapid advance of neural networks has allowed scammers to move from deepfake videos of celebrities to inexpensive attacks at relatively large scale on specific individuals, using fake voices and images of… absolutely anyone. Deepfakes were first used to promote financial pyramids or fake charities, but now targeted scams are in play; for example, calls from the victim’s “boss” or a “loved one”. It’s now easier than ever to make a video of someone you know well asking for money or something else, so always double-check unusual requests by contacting the person through another channel.

Given the vast leakage of medical records in 2024, we can expect to see new targeted “doctor scams” in the coming year.

5. Switch to private messengers

For those who still believe in privacy, 2024 delivered a couple of major setbacks. First, the arrest of Telegram founder Pavel Durov raised fears that intelligence agencies could start snooping on users’ correspondence. Next, the United States was rocked by scandal when it broke that foreign intelligence agencies had hacked the legal wiretapping system operated by all U.S. telecom providers, and gained access to the calls and texts of Americans. The authorities went so far as to advise people to switch to private messengers for greater privacy.

To sleep more soundly at night, follow this tip and, together with your main contacts, move to a messenger with end-to-end encryption.

6. Set aside a monthly “backup hour” in your calendars

If you don’t even remember when you last backed up your data, it’s time to schedule this activity. It is no less important than annual car maintenance or spring cleaning your house, but backups need to be much more frequent: daily, weekly or monthly, depending on the type of data.

Backup must be two-way: back up data on your phone and computer to cloud storage, and download cloud data to local storage. An example of the former is photos on your phone. An example of the latter is Gmail messages.

This way, you’ll be protected against a wide range of problems: computer crashes, smartphone theft, ransomware attacks, house fires, your favorite recipe site being shut down, movies and music disappearing from streaming platforms, sudden hikes in cloud-hosting charges, and so on. For best practices for backing up from the cloud, see our post here; and to the cloud, see here. Another of our guides explains how to save important online data stress-free, so you don’t have to worry about your favorite sites or services disappearing. And under the backup tag on our blog, you’ll find no end of practical tips on saving data from anywhere, including messengers, authenticator apps, and note-taking tools.

7. Enter your card number less often

In 2024, cloud storage provider Snowflake suffered a string of massive leaks of customer data. Among the companies affected were AT&T, Live Nation (Ticketmaster), and Santander. The exact makeup of the information in each leak remains unclear.

So as not to be left guessing if your payment data is safe, and not to mess around with contacting banks and reissuing cards after every major leak, save your card to a reputable, secure service (PayPal, Google Pay, Apple Pay, or similar), and use it to pay for purchases wherever possible. That goes for both offline and online purchases. This will make it harder for attackers to intercept your payment data and reduce the likelihood of damage in the event of a large store or online service hack.

If you need to enter card details but your preferred payment service isn’t an option, use the Safe Money feature in any of our home security solutions.

Kaspersky official blog – Read More

Russia, Ukraine, China, and More: The Nations at the Center of the Cybercrime Epidemic 

Cyble | Cybercrime threats

Overview

Cyberattacks on countries’ critical infrastructure have become a growing malicious trend globally. The surge in cybercrime threats and their growing impact on national security, businesses, and individuals has led experts to closely examine which regions face the most cyberattacks.

A recent study, the World Cybercrime Index (WCI), compiled by an international team of researchers, sheds light on the most targeted countries, ranking them based on the severity of cyberattacks, the skill of the perpetrators, and the professionalism of the cybercriminals involved.

As of 2024, these countries face the highest levels of cybercrime threats, driven by a complex mix of geopolitical factors, technological infrastructure, and economic conditions. This blog explores the top 10 countries that are most impacted by cyberattacks and why they are at the forefront of the global cybersecurity challenge. 

10. India: A Victim of Cybercrime Amid Rapid Digitalization 

India ranks tenth in the global cybercrime index, experiencing an uptick in cyberattacks due to its rapid digital transformation. The country’s massive online population and growing e-commerce sector make it an appealing target for cybercriminals. Phishing scams, financial fraud, and ransomware attacks are common in India, with both individuals and organizations being affected. The Indian government has been working to bolster cybersecurity, but the increasing maliciousness of cybercriminals presents an ongoing challenge for the country. 

Read also: https://cyble.com/resources/research-reports/india-threat-landscape-report-2024/ 

9. Brazil: A Growing Cybercrime Hotspot in Latin America 

Brazil, the largest economy in Latin America, has witnessed a surge in cyberattacks, particularly those targeting its financial sector and government institutions. Brazil’s growing digital economy has made it an attractive target for cybercriminals involved in fraud, data breaches, and ransomware. The WCI places Brazil ninth, citing its vulnerability to cybercrime despite efforts to improve cybersecurity regulations. Cybercriminal groups operating in Brazil often specialize in online fraud, identity theft, and other forms of financial cybercrime. 

Read also: https://cyble.com/blog/goatrat-android-banking-trojan-variant-targeting-brazilian-banks/ 

8. United Kingdom: A Rising Cyberattack Target 

The United Kingdom faces major cybersecurity threats, ranking eighth on the WCI. As a major financial and technological hub, the UK is often targeted by both cybercriminals and state-sponsored actors. Ransomware attacks and data breaches have been particularly impactful, with high-profile incidents affecting public and private sector organizations. The UK government has increased its efforts to combat cybercrime, but the country remains a target due to its global standing and the increasing digitization of its economy. 

7. North Korea: Cyber Warfare and Financial Theft 

North Korea’s cybercriminal activities are well-documented, with the country’s state-sponsored hackers playing a prominent role in cyberwarfare and financial cybercrime. The regime has been linked to several high-profile cyberattacks, including the infamous WannaCry ransomware attack and attacks on South Korean entities.  

North Korea’s cyber units, such as Lazarus Group, are involved in stealing funds through cybercrime to finance the country’s regime. Their targets are often financial institutions, cryptocurrency exchanges, and government agencies, making North Korea a critical player in the global cybercrime arena. 

6. Romania: A Hotbed for Cybercrime Groups 

Romania is a big player in the global cybercrime ecosystem, ranking sixth on the WCI. The country is home to several notorious cybercriminal groups involved in ransomware attacks, data theft, and financial fraud.  

Romanian hackers are known for their technical expertise and ability to deploy malware across multiple sectors. The Romanian government has made efforts to crack down on cybercrime, but the country remains a hotbed for cyberattacks on countries worldwide, particularly targeting financial institutions and online businesses. 

Read also: https://cyble.com/blog/romania-urges-energy-sector-of-proactive-scanning-amid-lynx-ransomware-threat/ 

5. Nigeria: A Leading Hub for Cybercrime in Africa 

Nigeria has earned a place on the list of the top cyberattack countries due to its increasing involvement in online fraud, scams, and cybercrimes. Known for its widespread involvement in “419” fraud (advance-fee fraud) and cyber scams targeting both individuals and corporations globally, Nigeria’s cybercriminal activities are a growing concern. The country is also home to highly organized cybercrime groups, some of which use cybersecurity tools to launch phishing campaigns and steal sensitive data. The lack of sufficient cybersecurity infrastructure and regulatory enforcement contributes to the persistent cybercrime problem in Nigeria. 

4. United States: A Prime Target and Source of Cyberattacks 

The United States is not only a major source of cyberattacks but also one of the most heavily targeted nations globally. As the world’s largest economy and a hub for technological innovation, the U.S. faces an array of cyberthreats, from cybercriminals seeking financial gain to nation-state actors pursuing espionage objectives. 

The U.S. has witnessed high-profile cyberattacks, including those targeting critical infrastructure, government agencies, and multinational corporations. Ransomware attacks, data breaches, and election interference campaigns are just a few examples of the cybercrimes affecting the U.S., positioning it as one of the countries most impacted by cyberattacks. 

Read also: https://cyble.com/resources/research-reports/us-threat-landscape-report-a-time-of-growing-peril/ 

3. China: A Major Player in Cyber Espionage 

China ranks third in the global cybercrime rankings, largely due to its involvement in large-scale cyber espionage operations. The country has been accused of conducting numerous cyberattacks aimed at stealing intellectual property and accessing sensitive government and corporate data across the globe. 

Chinese cybercriminals are notorious for their high level of technical skill and have been linked to various attack methods, including Advanced Persistent Threats (APTs). China’s rapid technological growth and its economic prominence have made it both a source and a victim of cyberattacks, making it one of the top cyberattack countries.

2. Ukraine: A Geopolitical Hotspot for Cyberattacks 

Ukraine is another country that faces immense cybercrime threats. Since the 2014 annexation of Crimea, Ukraine has been subject to numerous state-sponsored cyberattacks, primarily from Russia. The country has been the target of ransomware attacks and power grid disruptions, making it a prominent example of cyberwarfare in the 21st century. 

The WCI ranks Ukraine second due to its vulnerability to cyberattacks, especially amid ongoing political tensions and military conflicts with Russia. Ukrainian government agencies, critical infrastructure, and businesses have been the focus of cyber attackers.  

Read also: Hackers Target Ukrainian Army with Fake Military Apps to Siphon Authentication and GPS Data 

1. Russia: The Epicenter of Cybercrime 

Russia remains the undisputed leader in terms of cybercriminal activity. Ranked number one on the World Cybercrime Index, Russia has been a hub for various cybercrime types, including state-sponsored attacks, ransomware campaigns, and hacking for espionage purposes.  

The country’s role in cyberattacks on countries globally, particularly targeting political opponents, is well-documented.  

Read also: Russian State Hackers Biggest Cyber Threat to US, UK and EU Elections 

The troubling nature of cybercriminal operations in Russia, coupled with their expertise in developing malware, makes the nation a constant threat to others. 

Conclusion: The Global Fight Against Cybercrime 

As we move into 2025, cyberattacks on countries are increasingly impacting vital sectors like government, finance, and healthcare. Countries such as Russia, Ukraine, China, and the United States are at the forefront of this growing global issue. To combat these threats, governments, organizations, and cybersecurity experts must collaborate to strengthen defenses and proactively monitor cybercriminal activities.  

Cyble, a leader in AI-powered cybersecurity, is playing an important role in this effort. Cyble’s threat intelligence platforms provide real-time monitoring, processing vast amounts of dark web data and delivering actionable insights. By leveraging AI-driven platforms like Cyble, organizations and government sectors can protect their infrastructure and respond to cyberattacks more effectively, helping to ensure a more secure future.

The post Russia, Ukraine, China, and More: The Nations at the Center of the Cybercrime Epidemic appeared first on Cyble.

Blog – Cyble – Read More

China Accuses the U.S. of Hacking Back as Cyber Conflict Grows 

Cyble | Cyber espionage

Overview

U.S. national security and cybersecurity agencies have leveled cyber espionage accusations against the People’s Republic of China (PRC) for much of 2024, accusing the PRC of infiltrating U.S. critical infrastructure and telecom networks – possibly in preparation for a potential cyber war between the two global powers. 

China has pushed back, calling such charges misinformation and accusing the U.S. of its own espionage campaigns. While the PRC’s claims merit skepticism – most notably that alleged Volt Typhoon activities have been U.S. misinformation or “false flag” operations – new claims by China that two recent sophisticated cyberattacks were carried out by the U.S. are worth examining if only for the details and security insights they provide. 

We’ll examine those claims – along with an overview of the depth and breadth of PRC activities in 2024, U.S. responses, and recommendations for telecom and critical infrastructure security. 

China Claims Two U.S. Cyber Espionage Attacks 

China’s countercharges to U.S. cyber espionage claims have largely been based on decade-old NSA leaks, so the PRC’s latest claims are notable for their focus on two recent specific incidents while avoiding those larger claims.

In a December 18 bulletin, China’s National Internet Emergency Center (CNCERT) claims it “discovered and handled two cases in which the United States launched cyber attacks on large Chinese technology companies and institutions to steal commercial secrets” [translated]. 

Beginning in August 2024, an “advanced material design and research unit … has been attacked by a suspected US intelligence agency,” CNCERT claims. The attackers “exploited a vulnerability in a certain electronic document security management system in China to invade the software upgrade management server deployed by the company, and delivered control Trojans to more than 270 hosts of the company through the software upgrade service, stealing a large amount of commercial secrets and intellectual property of the company.” 

The second alleged attack was against “a large-scale high-tech enterprise in … smart energy and digital information.” The attackers in that case “used multiple overseas springboards to exploit Microsoft Exchange vulnerabilities, invaded and controlled the company’s mail server and implanted backdoor programs to continuously steal mail data. At the same time, the attackers used the mail server as a springboard to attack and control more than 30 devices of the company and its subsidiaries, stealing a large amount of the company’s commercial secrets.” 

While it is impossible to determine the veracity of China’s latest claims, given the extent of PRC campaigns against U.S. targets, it would not be surprising if the U.S. were engaged in counter efforts. Whether those efforts would include what may be industrial espionage in these cases is perhaps less likely, unless the targets could provide important strategic information – which may be possible in the case of the smart energy company, for example. Nonetheless, there is no shortage of nation-state or financially motivated threat actors (TAs) capable of carrying out such attacks, so without technical specifics that could link the attacks to a TA, the claims are unsupported. 

A Timeline of PRC Campaigns Targeting the U.S. 

2024 has seen a notable increase in cyber tensions between the two countries. Here are some of the key developments. 

PRC Positioning in U.S. Critical Infrastructure 

In February, the U.S. and the other “Five Eyes” countries warned that “People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” 

U.S. national security and cybersecurity agencies have repeated those claims a number of times since then – including speculation that China may be preparing for cyber conflict as part of its goal of having the capability to invade Taiwan by 2027. 

U.S. Government Breaches 

A July 2023 breach of U.S. government email accounts received a thorough accounting in 2024 in reports and hearings, including pledges from Microsoft that it would address the security failings that led to the breaches as well as make security a top priority for the company going forward. 

Wiretap System and Telecom Breaches 

The revelation in early October that the PRC-linked Salt Typhoon group had breached the U.S. court wiretap system was followed a few weeks later by news that the telecom network breaches behind that attack also led to attacks targeting the phone communications of U.S. officials at the highest levels.

What followed was a stark reassessment of telecom network security – some of which may not be as risk-focused as perhaps would be ideal. 

Focus on Chinese Network Equipment May Overlook Other Risks 

The U.S. is engaged in a $5 billion “rip and replace” effort to remove Chinese equipment from U.S. telecom networks in an effort to address those security issues. 

While government intervention may well be necessary to shore up the significant gaps in telecom and critical infrastructure security, focusing narrowly on only equipment from China ignores gaps from other vulnerabilities that may be just as critical. 

While not revealing details, Senator Mark Warner – a former telecom venture capitalist – recently told the Washington Post that “thousands and thousands and thousands” of vulnerable telecom network devices might need to be replaced. “The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable,” Warner said. 

Vulnerable legacy devices, whether in telecom or operational technology (OT) networks, are at the heart of the cybersecurity crisis confronting telecom and critical infrastructure. Replacing just one source of those issues likely won’t provide a comprehensive solution. 

A much broader program that emphasizes replacing legacy devices wherever possible, along with essential security practices like network segmentation and access control, will likely be required to solve persistent security vulnerabilities and threats in telecom and other critical infrastructure. 

The post China Accuses the U.S. of Hacking Back as Cyber Conflict Grows appeared first on Cyble.