The Indian Computer Emergency Response Team (CERT-In) has issued an alert regarding a critical security vulnerability in the WPForms plugin for WordPress. The flaw, identified as CVE-2024-11205, could allow attackers to bypass authorization controls and perform payment refunds and subscription cancellations on Stripe-powered websites.
This WPForms plugin vulnerability, affecting WPForms versions 1.8.4 through 1.9.2.1, leaves WordPress sites vulnerable to exploitation by authenticated users with lower-level permissions. The vulnerability was disclosed publicly on December 9, 2024, by Wordfence researchers, and a patch was made available in WPForms version 1.9.2.2.
The flaw stems from the absence of a capability check in the wpforms_is_admin_page function. This function is responsible for determining whether a user is accessing the admin interface via an AJAX request. Without proper authorization checks, attackers with Subscriber-level access or higher could bypass the restrictions and execute critical actions such as refunds and subscription cancellations on Stripe-powered sites.
This vulnerability has been documented in the CIVN-2025-0001 Vulnerability Note, issued by CERT-In on January 1, 2025, indicating a High severity rating. Websites that rely on WPForms for financial transactions are particularly at risk of unauthorized modifications to their data, potentially causing significant financial losses and disruption of services.
Technical Details of the WPForms Plugin Vulnerability (CVE-2024-11205)
The vulnerability exists in versions 1.8.4 through 1.9.2.1 of the WPForms plugin, where the wpforms_is_admin_ajax function lacks proper checks to ensure that the user requesting sensitive actions is authorized to do so. This function is intended to confirm whether a request originates from an admin interface, but because it does not perform capability checks, attackers can exploit the flaw to trigger ajax_single_payment_refund and ajax_single_payment_cancel functions.
These functions are used to process Stripe payments, but in the vulnerable versions of WPForms, they can be exploited by authenticated users with as little as Subscriber-level access. While nonce protection exists to prevent attacks such as Cross-Site Request Forgery (CSRF), authenticated attackers can bypass this protection by obtaining the nonce. This means that an attacker could potentially:
Initiate unauthorized refunds for legitimate payments, resulting in financial harm to businesses.
Cancel active subscriptions, disrupting services and harming customer relationships.
These unauthorized actions could lead to a loss of revenue, significant operational costs, and reputational damage, particularly for businesses that rely on WPForms for managing payments and subscriptions.
Exploitation Scenario
The vulnerability allows attackers with Subscriber-level access or higher to exploit the ajax_single_payment_refund and ajax_single_payment_cancel functions. Normally, these actions are restricted to administrators, but the missing capability checks allow lower-level users to initiate them.
Once an attacker gains access to these functions, they can initiate unauthorized refunds for Stripe payments and cancel active subscriptions. This could result in:
Unauthorized refunds can cause significant revenue loss for businesses.
Attacks that cancel subscriptions can interfere with customer services, leading to customer dissatisfaction and churn.
Unauthorized transactions can lead to a loss of trust among customers and potential harm to the business’s reputation.
Given WPForms’ widespread use, this flaw affects millions of WordPress websites, with businesses of all sizes being vulnerable to exploitation.
Remediation and Patch Details
WPForms quickly addressed the issue by releasing a patched version of the plugin, version 1.9.2.2, on November 18, 2024. Users who are running versions 1.8.4 through 1.9.2.1 are strongly advised to update to the latest version immediately to protect their websites from exploitation.
In addition to the patch, Wordfence, a leading security service for WordPress, took swift action to protect its users. On November 15, 2024, Wordfence Premium, Care, and Response users received a firewall rule to protect against potential exploits targeting this vulnerability. Protection for users of the free version of Wordfence was rolled out on December 15, 2024.
The impact of this CVE-2024-11205 vulnerability is severe for businesses that rely on WPForms to manage payments and subscriptions via Stripe. If exploited, the vulnerability could result in:
Financial damage from unauthorized refunds and subscription cancellations.
Disruption of business operations, particularly for e-commerce sites that rely on WPForms for processing payments.
Loss of customer trust, as attackers could interfere with services and create doubts about the site’s security.
Conclusion
The CVE-2024-11205 vulnerability poses a risk to WPForms users, allowing attackers with Subscriber-level access or higher to initiate unauthorized payment refunds and cancel subscriptions. To mitigate this threat, it is crucial for users to update to the latest patched version, 1.9.2.2, which addresses the issue. The vulnerability’s potential impact on financial transactions and business operations makes it imperative for WordPress site administrators to prioritize this update, particularly those using WPForms for payment and subscription management.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2025-01-03 11:06:362025-01-03 11:06:36CERT-In Issues Alert on WPForms Vulnerability That Can Disrupt Payment and Subscription Services
Ukraine has taken significant steps to enhance its cybersecurity posture, introducing key updates to its Organizational and Technical Model (OTM) of Cybersecurity and implementing new standards for safeguarding critical infrastructure facilities (CIF). These developments are part of the country’s broader Cybersecurity Strategy, aligning with global best practices and addressing evolving cyber threats.
Unified Cybersecurity Framework Inspired by NIST
The Cabinet of Ministers of Ukraine has approved amendments to the OTM of Cybersecurity, adopting a unified approach based on NIST’s Cybersecurity Framework 2.0. The updated framework provides state bodies and critical infrastructure operators with a structured methodology for identifying, mitigating, and recovering from cyber risks.
We take into account the best global practices in responding to cyber threats to more effectively counter the challenges facing Ukraine and the global cyberspace. By improving the organizational and technical model of cyber defense, the Administration of the State Service for Special Communications is introducing a single common approach to ensuring cybersecurity in the state,” said Oleksandr Potiy, Head of the State Service for Special Communications and Information Protection of Ukraine.
Key components of the updated Cyber Defense Strategy include:
Risk Management: Developing strategies and policies to identify, analyze, and manage cyber risks.
Risk Identification: Assessing current and potential vulnerabilities to preemptively address threats.
Data Protection: Leveraging advanced procedures to secure sensitive information against unauthorized access and breaches.
Threat Detection: Utilizing specialized tools and system monitoring to identify suspicious activities and incidents.
Incident Response: Implementing rapid measures to contain and remediate cyber threats.
Post-Attack Recovery: Ensuring systems are restored to full functionality and analyzing root causes to prevent recurrence.
The revised OTM also fosters better coordination among national cybersecurity entities, introducing a three-tiered infrastructure to streamline defense mechanisms.
Modernizing Cyber Threat Protection Plans
The Administration of the State Service for Special Communications, in collaboration with the Security Service of Ukraine (SBU), has also introduced updated guidelines for developing and implementing CIF-specific cyber threat protection plans. This initiative aims to strengthen the security of critical infrastructure, particularly in light of heightened geopolitical tensions.
Key features of the updated protection plans include:
Risk Assessment and Dependency Mapping: Identifying critical interdependencies among infrastructure components and evaluating risks.
Adaptation to New Threats: Addressing emerging cyber challenges, including those linked to military aggression.
Dual-Approval Process: Ensuring a comprehensive review by both the State Service for Special Communications and the SBU, enhancing accountability and effectiveness.
These measures are designed to provide a robust defense mechanism for critical infrastructure, safeguarding essential services and national security.
Streamlining Cybersecurity Governance
The updated policies emphasize a coordinated approach to cybersecurity governance, bringing together key stakeholders under a unified framework. The dual-approval process for CIF protection plans exemplifies the integration of efforts between the State Service for Special Communications and the SBU, ensuring that cybersecurity measures are both comprehensive and rigorously evaluated.
A Response to Modern Challenges
The need for these enhancements is due to the escalating complexity of cyber threats, ranging from ransomware and espionage to disinformation campaigns and sabotage. The cybersecurity strategy also considers the increasing risks posed by hybrid warfare, particularly from state-sponsored adversaries.
By adopting these proactive measures, Ukraine is not only bolstering its internal defenses but also aligning its cybersecurity practices with international standards, signaling its commitment to global cyber resilience.
Conclusion
Ukraine’s recent policy advancements reflect a comprehensive effort to address the ever-evolving cybersecurity landscape. By incorporating global best practices, fostering inter-agency collaboration, and emphasizing proactive risk management, the country is laying the groundwork for a resilient and secure digital future.
These initiatives will serve as a model for nations striving to safeguard their critical infrastructure and adapt to the rapidly changing cyber threat environment.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2025-01-02 15:06:542025-01-02 15:06:54Ukraine Takes Steps to Strengthen its Cybersecurity Framework with Policy Advancements and Strategic Initiatives
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-3393, a Palo Alto Networks PAN-OS Malformed DNS Packet vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability impacts the DNS Security feature of PAN-OS, which powers firewalls and security solutions. The vulnerability allows attackers to exploit the system through specially crafted DNS packets, leading to a denial-of-service (DoS) condition, affecting the availability of essential firewall services.
On December 27, 2024, Palo Alto Networks reported a Denial of Service (DoS) vulnerability in the DNS Security feature of PAN-OS, specifically linked to the malformed DNS packet handling process. This issue, now documented as CVE-2024-3393, has been added to the CISA’s Known Exploited Vulnerabilities Catalog.
The threat presented by CVE-2024-3393 PAN-OS is particularly alarming for organizations relying on DNS Security for protection, as attackers can exploit this flaw to send malicious DNS packets that cause the affected firewall to reboot. Repeated attempts can cause the firewall to enter maintenance mode, severely disrupting services. With the increasing reliance on firewalls to secure critical infrastructure, this vulnerability poses an urgent risk to many organizations globally.
Technical Analysis of CVE-2024-3393 PAN-OS
CVE-2024-3393 affects PAN-OS versions on PA-Series, VM-Series, CN-Series firewalls, and Prisma Access deployments. The vulnerability arises when DNS Security logging is enabled with a valid DNS Security or Advanced DNS Security license. When exploited, this vulnerability could allow unauthenticated attackers to send a specially crafted DNS packet through the firewall’s data plane, causing a reboot. Continuous exploitation could force the firewall into maintenance mode, leading to prolonged service disruption.
The CVSS score for this vulnerability is 8.7, indicating a high-severity risk. The exploit maturity is classified as attacked, meaning that attackers are actively exploiting the vulnerability. It is worth noting that CVE-2024-3393 PAN-OS does not affect all PAN-OS versions. Specific versions are vulnerable, including PAN-OS 11.1, 10.2, and 10.1, depending on the release, while PAN-OS 9.1 and PAN-OS 11.0 have reached their end of life (EOL) and are no longer receiving patches.
For this issue to be successfully exploited, two primary conditions must be met:
A DNS Security License (either standard or advanced) must be applied.
DNS Security logging must be enabled on the system.
This configuration creates an avenue for attackers to initiate the DoS attack by sending malicious DNS packets that the firewall fails to handle appropriately.
Global Exposure and Implications
Cyble Research & Intelligence Labs reported a number of exposed PAN-OS instances, many of which belong to critical infrastructure sectors. As of recent scans, over 3,300 instances were detected with vulnerable PAN-OS versions. Many of these exposed assets belong to organizations in vital sectors such as healthcare, energy, and telecommunications, industries that play an essential role in national security, public health, and economic stability.
The vulnerability presents a dual threat: first, the direct impact of the DoS attack on network availability, and second, the potential for reflected amplification-based denial-of-service (RDoS) attacks, where attackers can obfuscate their identities by exploiting these vulnerable systems. The risk is not just to individual organizations but to entire regions and industries that depend on uninterrupted access to critical services.
Mitigation and Countermeasures: Securing PAN-OS Deployments
To address the growing risk posed by CVE-2024-3393, here are some of the recommended several actions to mitigate the impact of this vulnerability:
Organizations should ensure they are running the latest version of PAN-OS, as security updates have been released for PAN-OS 10.1.15, PAN-OS 10.2.14, and PAN-OS 11.1.5. These versions fix the DNS packet vulnerability.
For organizations unable to immediately upgrade their systems, workarounds are available. These include disabling DNS Security logging or adjusting the logging severity to reduce the risk of exploitation.
Implementing proper network segmentation to limit the exposure of critical assets to the public internet is crucial in minimizing attack vectors.
Limiting access to remote services through VPNs and ensuring strict access policies can help mitigate the potential for external attackers to exploit the vulnerability.
Review and configure DNS Security settings to ensure logging is not excessively detailed, reducing the chance of triggering the DoS condition.
Conclusion
While DNS Security is designed to protect against DNS infrastructure threats, this vulnerability exposes systems to DoS attacks, which can result in prolonged outages and potential data breaches.Organizations must prioritize strengthening their DNS Security practices, actively monitor DNS traffic, and keep configurations up-to-date to mitigate the risk posed by such vulnerabilities.
With the increasing sophistication of cyberattacks targeting systems like PAN-OS, timely patching, effective workarounds, and limiting external exposure are essential to securing firewalls and critical infrastructure. A proactive, comprehensive approach to cybersecurity—coupled with industry collaboration—will be key to preventing exploitation and maintaining a secure digital ecosystem.
The Cybersecurity and Infrastructure Security Agency (CERT-In) released an urgent vulnerability note (CIVN-2024-0360) concerning several critical VibeBP vulnerabilities . These vulnerabilities in VibeBP pose online risk to website owners using affected versions, and they could lead to severe security breaches, including arbitrary code execution, privilege escalation, and SQL injection attacks.
VibeBP is a WordPress plugin developed by VibeThemes that enhances the BuddyPress plugin by adding social networking features to WordPress sites. These features enable users to create profiles, manage activity feeds, send private messages, form groups, and more, transforming an ordinary WordPress website into a dynamic community platform.
Details of the VibeBP Vulnerabilities
While VibeBP offers useful features for WordPress users, multiple vulnerabilities have been discovered within the plugin that could potentially compromise the security of the affected sites. These vulnerabilities in VibeBP allow attackers to exploit weaknesses in the plugin, including unauthorized privilege escalation, arbitrary code execution, and SQL injection risks.
The critical flaws identified in VibeBP primarily allow attackers to exploit unauthenticated or low-privilege users (e.g., Subscribers) to gain access to higher-privilege roles, such as administrators. By doing so, attackers could execute arbitrary SQL queries, potentially compromising or extracting sensitive database information.
The vulnerabilities are particularly concerning because they allow attackers to bypass security restrictions, which could lead to severe consequences such as data theft, system compromise, and unauthorized access. If exploited, these vulnerabilities could allow a malicious actor to take full control of an affected WordPress site, potentially leading to the installation of malware, propagation of ransomware, or even a full system takeover.
Types of Vulnerabilities in VibeBP
The vulnerabilities discovered in VibeBP are critical, as they enable attackers to:
Escalate Privileges: Low-privilege users can be granted administrator-level access, allowing them to take control of a WordPress site.
Execute Arbitrary Code: Attackers can exploit weaknesses to execute arbitrary code on the server, which could lead to remote code execution (RCE) attacks and full site compromise.
Perform SQL Injection Attacks: These vulnerabilities allow attackers to inject malicious SQL queries, enabling them to access or manipulate sensitive data stored in the site’s database.
Each of these flaws presents online risks, potentially exposing users to data theft, loss of control over their WordPress sites, and other malicious actions that could affect the site’s security and performance.
Impact and Risk Assessment
The risks associated with these VibeBP vulnerabilities are extremely high. Successful exploitation could allow a remote attacker to execute arbitrary code on a WordPress site, leading to the installation of malicious software or ransomware.
In addition, attackers could elevate their privileges to administrator levels, gaining complete control over the website and allowing for unauthorized actions. The potential impact includes the theft of user data, malware propagation, and even the destruction or alteration of the affected site’s content and structure.
Additionally, since SQL injection vulnerabilities are present, attackers could manipulate databases, exposing sensitive information or causing major disruptions in site functionality. These types of security flaws can have devastating consequences for website owners, as the unauthorized access could lead to long-term reputational and financial damage.
Solution and Mitigation
To mitigate the risks associated with these vulnerabilities, CERT-In has urged all users of the VibeBP plugin to update to version 1.9.9.7.7 or later. This version of the plugin includes important security patches that address the vulnerabilities, particularly by implementing stricter controls over file uploads, upgraded privilege management during user registration, and improved input validation to prevent SQL injection attacks.
By upgrading to the latest version, website administrators can protect their sites from potential exploitation. The updated version of VibeBP includes:
File Upload Controls: The new update limits the types of files that can be uploaded, adds permission checks, and removes vulnerable code that previously allowed malicious file uploads.
Role-Based Restrictions: The update enforces stricter role management during registration, ensuring that only authorized users can register as higher-privilege roles, preventing privilege escalation.
SQL Injection Prevention: The developers have introduced stronger input validation measures to secure the plugin’s SQL queries, ensuring that all user inputs are properly escaped and safe from malicious SQL injection attacks.
Conclusion
The VibeBP WordPress plugin has been found to contain multiple vulnerabilities that could have severe security consequences for affected WordPress sites. These vulnerabilities expose websites to risks including arbitrary code execution, privilege escalation, and SQL injection attacks, which can lead to unauthorized access, data theft, and even complete system compromise.
Website owners who use VibeBP are strongly encouraged to upgrade to version 1.9.9.7.7 or higher immediately to protect their sites. By implementing the necessary updates and taking proactive security measures, administrators can minimize the risk of exploitation and protect their WordPress installations from potential attacks.
For further details about the vulnerabilities in VibeBP or to learn more about the patch released by VibeThemes, users can visit the VibeThemes official website or refer to security resources.
The Cyber Security Agency of Singapore (CSA) has alerted users of multiple vulnerabilities in Apache software. According to the alert, three Apache vulnerabilities have been reported, including CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046. In late 2024, the Apache Software Foundation released security updates for several of its widely used products to address critical vulnerabilities.
These vulnerabilities, identified as CVE-2024-43441, CVE-2024-45387, and CVE-2024-52046, affect Apache HugeGraph, Apache Traffic Control, and Apache MINA. Exploitation of these vulnerabilities could lead to severe security risks, including remote code execution (RCE), authentication bypasses, and SQL injection attacks.
Details of the Apache Vulnerabilities
Here are the vulnerabilities identified in the Apache software:
CVE-2024-43441: Authentication Bypass in Apache HugeGraph
The first critical vulnerability, CVE-2024-43441, impacts Apache HugeGraph-Server, a graph database server. This flaw allows an attacker to bypass existing authentication mechanisms in versions prior to 1.5.0. Apache HugeGraph, which is used for managing and querying large-scale graph data, could become an easy target for attackers if this vulnerability is exploited.
By bypassing authentication, an attacker could gain unauthorized access to sensitive data or modify the server’s configuration, potentially disrupting the services relying on HugeGraph. Users and administrators are urged to update to version 1.5.0 or higher to mitigate the risk posed by this vulnerability.
CVE-2024-45387: SQL Injection in Apache Traffic Control
Another vulnerability, CVE-2024-45387, affects Apache Traffic Control, a tool used for managing content delivery networks (CDNs). This vulnerability exists in the Traffic Ops component of Apache Traffic Control, which is responsible for the management and optimization of traffic routing across CDN servers. The flaw allows attackers to perform SQL injection attacks in versions 8.0.0 to 8.0.1.
SQL injection is one of the most well-known forms of attack, allowing attackers to manipulate database queries by inserting malicious SQL code. If successfully exploited, this vulnerability could allow an attacker to gain access to or manipulate the underlying database of an organization’s CDN, potentially compromising sensitive information or altering configurations. Users of affected versions are strongly advised to upgrade to later versions as soon as possible to patch this vulnerability.
CVE-2024-52046: Remote Code Execution in Apache MINA
Perhaps the most critical of the three vulnerabilities, CVE-2024-52046, affects Apache MINA, a network application framework used to build scalable and high-performance network applications. This vulnerability is particularly severe because it allows remote code execution (RCE) attacks due to improper handling of serialized data.
Apache MINA uses Java’s native deserialization protocol to process incoming serialized data. However, due to a lack of necessary security checks, attackers can exploit this flaw by sending specially crafted malicious serialized data, leading to RCE. This flaw affects versions of MINA core prior to 2.0.27, 2.1.10, and 2.24.
Remote code execution is one of the most dangerous types of vulnerabilities, as it allows attackers to execute arbitrary code on the affected system, potentially leading to full system compromise. For applications using Apache MINA, it is essential to upgrade to the latest versions (2.0.27, 2.1.10, or 2.24) and, in some cases, apply additional mitigation steps.
Users must explicitly configure the system to reject all deserialization requests unless they come from a trusted source. This additional step is necessary because simply upgrading the software will not be sufficient to fully secure the system.
Detailed Instructions for Mitigation of CVE-2024-52046
The CVE-2024-52046 vulnerability requires users to not only upgrade to the latest version of Apache MINA but also manually configure the deserialization process to limit which classes are accepted. The update includes three methods for controlling which classes the ObjectSerializationDecoder will accept:
ClassNameMatcher: Accept class names that match a specified pattern.
Pattern: Accept class names that match a regular expression pattern.
String Patterns: Accept class names that match a wildcard pattern.
By default, the decoder will reject all classes unless explicitly allowed, making it critical to follow these instructions to properly secure systems that use Apache MINA. It is also important to note that certain sub-projects, such as FtpServer, SSHd, and Vysper, are not affected by this vulnerability.
Emmanuel Lécharny, a user and contributor on the Apache MINA mailing list, noted the risk of RCE attacks associated with this issue. In his post dated December 25, 2024, he stressed the importance of upgrading to the latest versions of Apache MINA and applying the necessary security settings to protect against exploitation.
Conclusion
To protect their infrastructure, organizations relying on Apache products must take immediate action to address these vulnerabilities. For CVE-2024-43441, updating to Apache HugeGraph-Server version 1.5.0 or later is essential to resolve the authentication bypass issue.
Organizations should also upgrade to a version of Apache Traffic Control newer than 8.0.1 to mitigate the SQL injection vulnerability in CVE-2024-45387. For CVE-2024-52046 in Apache MINA, upgrading to the latest versions (2.0.27, 2.1.10, or 2.24) and configuring the deserialization process to restrict accepted classes is critical.
Keeping systems up-to-date with the latest security patches and updates from the Apache Software Foundation is key to defending against active exploitation of these vulnerabilities. Proactively applying these measures will significantly reduce the risk of attacks and ensure a more secure environment.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-31 09:06:462024-12-31 09:06:46Cyber Security Agency of Singapore Warns of Exploited Apache Vulnerabilities in 2024
The digital world is evolving at lightning speed, and so are the challenges that come with it. For organizations today, their attack surface—the sum of all potential entry points for a cyberattack—is expanding faster than ever before. From misconfigured cloud environments to overlooked IoT devices, vulnerabilities creep around places many don’t think to check.
In 2025, Attack Surface Management (ASM) will take center stage as organizations shift from reactive defenses to proactive strategies. ASM is no longer just a buzzword; it’s a necessity in the cybersecurity resource. It’s about seeing what attackers see and mitigating threats before they escalate. As organizations struggle with increasing cyber threats, understanding the trends shaping ASM is crucial to staying ahead of adversaries.
This article delves into the pivotal ASM trends to watch in 2025 and explores how Cyble’s ASM platform is helping organizations adapt to this dynamic landscape.
Key Trends in Attack Surface Management for 2025
1. AI-Powered ASM Solutions
AI and machine learning (ML) have become integral to ASM, enabling organizations to identify threats faster and more accurately. AI-driven platforms analyze vast amounts of data in real time, uncovering vulnerabilities that would be nearly impossible for human analysts to detect.
For example,in 2024, a global financial institution used an AI-powered ASM tool to identify misconfigured cloud storage buckets. The tool flagged over 1,000 vulnerabilities within hours, preventing a potential data breach that could have exposed millions of customer records.
In 2025, we expect AI to play an even larger role in predictive analysis, helping organizations anticipate potential attack vectors before they are exploited.
2. Integration with Zero Trust Architectures
Zero Trust Architecture (ZTA) is now a standard in cybersecurity frameworks. ASM platforms are being integrated into ZTA to provide a continuous monitoring loop that verifies all devices, users, and applications interacting with the network. This integration ensures that no component of the attack surface is overlooked.
3. Focus on IoT and OT Security
The proliferation of Internet of Things (IoT) and Operational Technology (OT) devices has dramatically expanded the attack surface. In 2025, ASM tools are focusing more on securing these devices by identifying vulnerabilities such as default credentials, unpatched firmware, and unsecured communications.
4. Cloud-Native ASM Solutions
With organizations increasingly relying on multi-cloud environments, cloud-native ASM solutions are gaining traction. These solutions are designed to monitor cloud assets continuously, ensuring compliance and security across hybrid and multi-cloud setups.
For instance, a global e-commerce platform operating across AWS, Azure, and Google Cloud leveraged a cloud-native ASM tool to identify misconfigurations in its storage settings. This proactive measure protected the platform from a potential data leak involving millions of transaction records.
5. Proactive Threat Intelligence Integration
During a 2024 supply chain attack targeting a major software vendor, an ASM solution integrated with threat intelligence helped downstream customers identify and mitigate the vulnerabilities exploited in the attack within hours.
ASM platforms are evolving to integrate real-time threat intelligence, providing context around vulnerabilities and enabling faster, more informed decision-making. This trend helps organizations prioritize remediation efforts based on the likelihood and potential impact of an exploit.
6. ASM for Third-Party Risk Management
Third-party risk has become a critical area of focus, as vendors and partners often introduce vulnerabilities into an organization’s ecosystem. ASM tools are being used to monitor the digital footprints of third-party vendors, ensuring their security posture aligns with organizational standards.
In 2024, a multinational retailer discovered a vulnerability in its payment processing partner’s infrastructure using an ASM platform. By addressing the issue proactively, the retailer avoided a potentially catastrophic data breach.
7. Shift from Reactive to Proactive ASM
Traditionally, ASM was seen as a reactive process—responding to discovered vulnerabilities after they had already been exploited. In 2025, the shift towards proactive ASM is evident, with platforms emphasizing continuous monitoring, real-time alerts, and predictive analytics.
8. Human-Centric ASM
Despite advancements in automation, human expertise remains essential. Human-centric ASM focuses on empowering security teams with intuitive tools and actionable insights. By combining human intuition with machine efficiency, organizations can achieve a more strong security posture.
The Role of Cyble in Attack Surface Management
Cyble has established itself as a leading provider of AI-driven ASM solutions. Recognized by Forrester in its Q2 2024 report, Cyble’s innovative approach to securing digital assets makes it a valuable partner for organizations striving to protect their expanding attack surfaces.
Cyble’s ASM platform offers:
Comprehensive Visibility: Cyble’s platform provides a 360-degree view of the attack surface, covering assets such as cloud environments, web and mobile applications, IoT devices, email servers, and public code repositories.
AI-Driven Insights: The platform uses advanced AI algorithms to identify vulnerabilities and predict potential attack vectors, enabling proactive threat mitigation.
Ease of Integration: Designed to integrate seamlessly with existing SecOps solutions, Cyble’s ASM platform enhances the overall cybersecurity framework without adding complexity.
Proactive Threat Intelligence: Cyble continuously updates its threat intelligence database, providing organizations with actionable insights tailored to their unique attack surfaces.
Why Cyble Stands Out: According to Beenu Arora, Founder and CEO of Cyble, “We provide organizations with the tools and insights they need to proactively identify and mitigate potential cyber threats before they escalate. Cyble’s inclusion in Forrester’s ASM Solutions Landscape report underscores our commitment to innovation and customer success.”
Real-World Benefits: For instance, a global logistics firm used Cyble’s ASM platform to identify shadow IT assets that posed significant risks to its operations. By addressing these vulnerabilities, the company not only improved its security posture but also enhanced its operational efficiency.
Conclusion
Attack Surface Management in 2025 is characterized by rapid technological advancements, the integration of AI, and a growing focus on proactive security measures. As organizations face increasingly complex attack surfaces, staying ahead of the curve requires adopting cutting-edge ASM solutions.
Cyble’s AI-driven ASM platform offers a comprehensive, proactive approach to securing digital assets. By leveraging Cyble’s innovative solutions, organizations can strengthen their cybersecurity posture, mitigate risks, and navigate the ever-evolving threat landscape with confidence.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 185 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2024, as the database grew to 1,238 software and hardware flaws at high risk of cyberattacks.
The agency removed at least two vulnerabilities from the catalog in 2024, but the database has generally grown steadily since its launch in November 2021.
We’ll look at some of the trends and vulnerabilities from 2024, along with the vendors and projects that had the most CVEs added to the list this year.
CISA Known Exploited Vulnerabilities Growth Stabilizes
CISA’s KEV catalog has grown at a steady rate in 2023 and 2024, with 187 vulnerabilities added in 2023 and 185 this year. That’s a pretty stable rate after KEV’s first year, when the agency added more than 300 vulnerabilities in the first two months of the program and nearly 500 more in the first six months of 2022.
The addition of older vulnerabilities has also stabilized, as 115 of this year’s vulnerabilities were 2024 CVEs, compared to 121 CVEs from 2023 in last year’s additions. That still leaves 60 to 70 older vulnerabilities coming under active exploit each year.
The oldest vulnerability in the catalog dates from 2002 – CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used in ransomware attacks.
The oldest vulnerability added to the KEV database in 2024 was CVE-2012-4792, a Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8. CISA also added four Adobe Flash Player vulnerabilities from 2013 and 2014 this year, in addition to one vulnerability each from Cisco and D-Link from 2014.
Most Common Software Weaknesses in CISA KEV
Five software and hardware weaknesses (common weakness enumerations, or CWEs) were particularly prominent among the 2024 KEV additions.
CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – was the most common weakness among vulnerabilities added to the KEV database this year, accounting for 14 of the 185 vulnerabilities.
CWE-502 – Deserialization of Untrusted Data – occurred in 11 of the vulnerabilities.
CWE-416 – Use After Free – was behind 10 of the vulnerabilities.
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, or ‘Path Traversal’) and CWE-287 (Improper Authentication) occurred 9 times each.
Vendors with the Most Vulnerabilities in CISA KEV
Not surprisingly, Microsoft had the most additions to CISA’s KEV database again this year, as the software giant accounted for 36 of the 185 vulnerabilities added this year, up from 27 out of 2023’s 187 additions.
Second on the list was Ivanti, which had 11 vulnerabilities across multiple products that made the list. Ivanti’s challenges this year were perhaps best exemplified by the fact that CISA itself was breached through an Ivanti vulnerability. Cyble honeypot sensor detected attacks on multiple Ivanti vulnerabilities this year, with the first detections occurring in January.
Vendors and projects with four or more CISA KEV additions are noted below:
Vendor/project
2024 CISA KEV additions
Microsoft
36
Ivanti
11
Google Chromium
9
Adobe
8
Apple
7
Android
6
Cisco
6
D-Link
6
Palo Alto Networks
6
Apache
5
VMware
5
Fortinet
4
Linux
4
Oracle
4
Interestingly, while Fortinet vulnerabilities attracted widespread attention this year, in part due to the large number of exposed devices, network security rival Palo Alto Networks actually had more vulnerabilities added to the KEV database this year. Palo Alto may soon get another KEV addition, as the just-announced CVE-2024-3393 vulnerability is reportedly under active attack.
One interesting thing about the 2024 CISA KEV list is that the number of web-facing exposures or vulnerabilities a vendor has or even Common Vulnerability Scoring System (CVSS) severity ratings don’t always reflect the damage a particular vulnerability can cause.
A case in point: CVE-2024-39717, a 7.2-severity Versa Director vulnerability with just 31 web-exposed instances, may have been weaponized in supply chain attacks against ISPs and MSPs.
Cleo had just two vulnerabilities added to the KEV catalog this year (CVE-2024-50623 and CVE-2024-55956), and yet vulnerabilities in the company’s managed file transfer (MFT) solutions have apparently been used to breach 66 organizations.
Conclusion
CISA’s Known Exploited Vulnerabilities catalog remains a valuable tool for helping IT security teams prioritize patching and mitigation efforts.
CISA KEV can also alert organizations to third-party risks – although by the time a vulnerability gets added to the database it’s become an urgent problem requiring immediate attention. Third-party risk management (TPRM) solutions could provide earlier warnings about partner risk through audits and other tools.
Finally, software and application development teams should monitor CISA KEV additions to gain awareness of common software weaknesses that threat actors routinely target.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-30 09:06:542024-12-30 09:06:54A Look at CISA Known Exploited Vulnerabilities in 2024
Can you believe 2024 has come to an end? As we prepare to step into 2025, we’re excited to share key updates on the cybersecurity front from Q4. The last three months were anything but quiet—new threats emerged, familiar ones evolved, and cybercriminals kept raising the stakes.
At ANY.RUN, we’ve been monitoring these shifts every step of the way. This report pulls together the most significant trends, from the most active malware families to the tactics and techniques shaping cybersecurity.
Let’s jump in and see what this quarter taught us about the intriguing world of malware.
Summary
The number of sandbox sessions has grown compared to Q3 2024
In Q4 2024, ANY.RUN users ran 1,151,901 public interactive analysis sessions, marking a 5.6% increase from Q3 2024. Out of these, 259,898 (22.6%) were flagged as malicious, and 71,565 (6.2%) as suspicious.
Compared to the previous quarter, the percentage of malicious sandbox sessions rose from 19.4% in Q3 2024 to 22.6% in Q4 2024. At the same time, the share of suspicious sessions grew from 4.3% to 6.2%.
Users collected an impressive 712,151,966 indicators of compromise (IOCs) during Q4, reflecting the heightened activity and complexity of the threats analyzed.
Top Malware Types in Q4 2024
Stealers beat Loaders as the top malware type in Q4 2024
Let’s dive into the most common malware types identified by ANY.RUN’s sandbox in Q4 2024:
Q4 2024 saw significant changes in the most detected malware types compared to previous quarters.
Stealers took the lead with 25,341 detections, continuing their dominance as the top malware threat. This marks a significant rise from 16,511 detections in Q3, reflecting an increase of 53.5% in Stealer activity. In Q2, Stealers had 3,640 detections, meaning their activity more than doubled from Q2 to Q4.
Loaders also remained a prominent threat, holding steady in second place with 10,418 detections. This is an increase of 27% compared to Q3, where they were detected 8,197 times. In Q2, Loaders had 5,492 detections, so we’re seeing consistent growth in this malware type across the quarters.
RATs continued to be a major concern in Q3 and Q4, although their position dropped to third place in both quarters. In Q4, RATs were detected 6,415 times, representing a 10.8% decrease from Q3 (7,191 detections).
Ransomware saw a slight decrease in Q4, with 5,853 detections, down from 5,967 in Q3, marking a decrease of 1.9%. However, compared to Q2, where ransomware detections were at 2,946, there has still been a clear increase in ransomware activity over the last two quarters.
Keylogger detections had a notable decrease in Q4, with 1,915 detections compared to 3,172 in Q3. This represents a 39.5% drop from Q3. In Q2, Keyloggers were also detected frequently, but the numbers were lower than what we saw in Q3 and Q4.
A new threat category appeared in the top ten: Adware, which had 1,666 detections in Q4.
Other notable malware types include Exploits (905 detections), Backdoors (679 detections), and Trojans (466 detections). These malware types had a relatively stable presence, with minor fluctuations in the number of detections compared to the previous quarter.
Rootkits, at the bottom of the list with 386 detections, are also showing up more frequently in analyses, though still less common than other types of malware.
Collect Fresh Intel on Emerging Cyber Threats
Make sure to use ANY.RUN’s TI Lookup to collect and enrich threat intelligence on the latest malware and phishing attacks.
The service provides access to a database of over 40 types of Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs), from IP addresses to mutexes, extracted from the public samples analyzed in ANY.RUN’s Interactive Sandbox.
With the following query you can find recent samples of Stealer malware uploaded by users in the UK:
In Q4 2024, the malware landscape continued to evolve with several shifts in the prevalence of different malware families.
Lumma maintained its strong position, leading the list with 6,982 detections, showing a significant increase compared to Q3 (4,140 detections).
Stealc made an impressive jump to second place, with 4,790 detections, up from 2,030 in Q3. This is a 136.3% increase and positions Stealc as a rising threat in the malware world.
Redline followed with 4,321 detections, a 26.7% rise from Q3.
AsyncRAT and Remcos showed some decrease in activity, indicating possible shifts in threat actor strategies.
Xworm, another notable family, saw a substantial rise, reaching 3,141 detections in Q4, up from 2,188 in Q3. This is a 43.7% increase, making Xworm one of the most concerning threats of the quarter.
Snake, which appeared on the list for the first time in Q3, continued its activity in Q4, with 1,926 detections, up from 1,782 in Q3, reflecting an 8.1% increase.
AgentTesla showed a noticeable decrease in activity, dropping to 1,906 detections in Q4 from 2,316 in Q3, which is a 17.7% decline.
Finally, Sality, which had previously been less active, saw a return to the list with 1,194 detections, making it the tenth most detected malware family in Q4.
Phishing Activity in Q4 2024
Tycoon2FA became the most common phishing kit in Q4 2024
Phishing activity saw a significant uptick in Q4 2024, with a total of 82,684 phishing-related threats flagged across the ANY.RUN sandbox. This shows just how active cybercriminals were, using phishing tactics to target victims.
Activity by cyber criminal groups:
Storm1747 led the pack with 11,015 phishing-related uploads, making it the most active group.
Storm1575 followed with 3,756 uploads, showing strong but more limited activity.
Activity by phishing kits:
The Tycoon2FA kit dominated the scene, with 8,785 instances of use.
Mamba2FA came in second with 4,991 detections, reflecting notable activity.
Evilginx2/EvilProxy made a smaller but significant impact with 573 detections.
Gabagool had 384 detections, indicating a more niche but active presence.
Top 5 Protectors and Packers from Q4 2024
UPX is the most commonly used packer by threat actors
In Q4 2024, the top protectors and packers continued to play a significant role in obfuscating malware to evade detection. Here’s a look at the most common ones:
UPX: The clear leader with 12,262 detections, making it the most widely used protector/packer.
Netreactor: With 8,333 detections, it remains a popular choice for malware obfuscation.
Themida: Used in 4,627 detections, Themida was a key player in malware protection.
Confuser: Close behind with 4,610 detections, Confuser also stood out for its effectiveness.
Aspack: The least common in the top 5, but still notable with 566 detections.
These protectors and packers are integral to malware campaigns, helping cybercriminals hide their malicious code and avoid detection.
Threat actors continue to utilize Windows Command Shell in their attacks
In Q4 2024, several adversary techniques saw a rise in activity, with PowerShell, Windows Command Shell, and phishing techniques dominating the list. Here’s a breakdown of the top 20 techniques observed:
#
MITRE ATT&CK Technique
Detections
1
Command and Scripting Interpreter: Windows Command Shell, T1059.003
44,850
2
Masquerading: Rename System Utilities, T1036.003
42,217
3
Phishing: Spearphishing Link, T1566.002
28,685
4
Command and Scripting Interpreter: PowerShell, T1059.001
26,503
5
Virtualization/Sandbox Evasion: Time Based Evasion, T1497.003
24,177
6
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder, T1547.001
18,394
7
Scheduled Task/Job: Scheduled Task, T1053.005
17,873
8
Virtualization/Sandbox Evasion: System Checks, T1497.001
16,735
9
Credentials from Password Stores: Credentials from Web Browsers, T1553.004
15,042
10
System Binary Proxy Execution: Rundll32, T1218.011
13,981
11
System Services: Service Execution, T1569.002
12,245
12
Masquerading: Match Legitimate Name or Location, T1036.005
10,530
13
Scheduled Task/Job: Systemd Timers, T1053.006
10,000
14
Create or Modify System Process: Systemd Service, T1543.002
10,000
15
Command and Scripting Interpreter: Visual Basic, T1059.005
7,150
16
Impair Defenses: Disable or Modify Tools, T1562.001
6,686
17
System Information Discovery: Application Layer Protocol, T1222.001
6,589
18
Command and Scripting Interpreter: Unix Shell, T1059.004
6,339
19
System Information Discovery: Remote System Discovery, T1222.002
5,577
20
Impact: Data Destruction, T1564.003
5,429
Top TTPs: Q4 2024 vs Q3 2024
In Q4 2024, the landscape of detected techniques saw a few shifts compared to Q3. Here are the key highlights:
The top three spots for Q4 were claimed by:
T1059.003, Command and Scripting Interpreter: Windows Command Shell – claiming the top spot, up from the 3rd position in Q3, with a substantial rise in detections (41,384).
T1036.003, Masquerading: Rename System Utilities – staying strong in 2nd place, though with a slight dip in detections compared to Q3 (41,254).
T1566.002, Phishing: Spearphishing Link – a significant leap from its previous position, climbing to 3rd with 28,685 detections, marking an increase in phishing-related activities.
Worthy mentions:
T1059.001, Command and Scripting Interpreter: PowerShell – dropped to 4th place after holding the 2nd spot in Q3, now with 26,503 detections.
T1497.003, Virtualization/Sandbox Evasion: Time-Based Evasion – although it slipped to 5th place from 4th in Q3, it still saw a notable number of detections (24,177).
T1547.001, Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – entering the list in 6th place, showing a steady increase in activity (18,394).
Tactics, techniques and procedures of phishing (T1566)
Use TI Lookup’s interactive MITRE ATT&CK matrix which accompanies each TTP with real-world examples of cyber threat samples, analyzed in ANY.RUN’s Interactive Sandbox.
Report Methodology
For this report, we analyzed data from a total of 1,151,901 interactive analysis sessions. This data is drawn from researchers in our community who contributed by running public analysis sessions on ANY.RUN.
These sessions provided valuable insights into the latest trends and activities in cybersecurity, helping us identify key threats and techniques that are currently on the rise.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
As we wrap up 2024, let’s take a moment to reflect on what an incredible year it’s been for ANY.RUN. Together, we’ve achieved so much: breaking barriers, improving tools, and working side by side with you, our amazing community of cybersecurity heroes.
From big product launches to small tweaks that make a huge difference, everything we’ve done this year has been with one goal in mind: to make your fight against cyber threats easier, smarter, and faster.
Let’s take a look back at some of the highlights that made this year unforgettable!
Interactive Sandbox
This year, we took significant strides to enhance your experience with the ANY.RUN sandbox, introducing new features and upgrades to help you combat cyber threats more effectively.
Linux OS Support for In-Depth Malware Analysis
For the first time, our sandbox extended its capabilities beyond Windows, making it possible for malware analysts, SOC teams, and DFIR experts to analyze Linux-based samples in a secure and interactive cloud environment.
Analyzing malware inside secure Linux environment
With real-time monitoring of suspicious activities, detailed reports featuring the MITRE ATT&CK Matrix, Process Graphs, and IOCs, you can now uncover threats on Linux systems with the same precision and speed you’ve come to expect from ANY.RUN.
Everyone can analyze malware and phishing threats in a modern Windows environment, leveling the playing field for cybersecurity investigations.
WIndows 10 (64 bit) available to everyone, including on free plan
This update ensures everyone can access powerful threat analysis tools and helps improve threat detection for the entire ANY.RUN community.
Automated Interactivity: Smarter and Faster Malware Detonation
With Stage 2 Automated Interactivity, ANY.RUN’s Interactive Sandbox now handles even more complex malware and phishing scenarios automatically. From extracting URLs in QR codes to detonating payloads in email attachments and navigating long redirect chains, it’s all done without user input.
Automated Interactivityquicklyidentifies and detonates Formbook inside an archive attached to an email
Our analyst team continuously adds new attack scenarios, ensuring your sandbox stays one step ahead of evolving threats!
Try Automated Interactivity and other PRO features of the ANY.RUN Sandbox for free
A New Look at Network Threats: Redesigned Details Window
IIn 2024, we revamped the Threat details window to give you a clearer view of malware activity. Now, you can access all key intel, like source data, IP addresses, ports, and protocols, in one streamlined view.
Hunter and Enterprise subscribers can look inside Suricata rules
And for Hunter and Enterprise users, the new Suricata rule tab opens the door to the signatures behind the detections.
PowerShell Support in Script Tracer
This year, we supercharged our Script Tracer by adding PowerShell support to its arsenal, alongside JScript, VB Script, VBA, and Macro 4.0.
Example of PowerShell script in ANY.RUN’s Tracer
Now, you can follow PowerShell scripts step by step, making it easier to analyze and counter malware leveraging persistence, lateral movement, or payload execution.
Your Private AI Assistant: Smarter, Safer, and Always There to Help
This year, we introduced a private AI model inside ANY.RUN’s sandbox, replacing ChatGPT.
AI assistance inside ANY.RUN’s sandbox
Now, you can get fast, AI-powered explanations in both public and private sessions, without worrying about data leaving your hands.
Phishing Detection with Rspamd
In 2024, we leveled up our phishing detection game with the integration of Rspamd, an open-source email filtering system, into ANY.RUN’s Static Discovering module.
Rspamd analysis inside the ANY.RUN sandbox
With features like Score, Content, and Header Descriptions, you can dive deep into email analysis.
STIX Reports
We added the ability to export threat data in the STIX format, a standardized language for sharing cyber threat intelligence. The report contains the link to the sandbox session, hashes, network traffic details, file system modifications, TTPs, and more.
Click Export → STIX to download threat data
A Fresh Look for Faster Analysis: Sandbox Home Screen Redesign
New shortcut buttons let you launch analysis sessions in just a click
Tag It Your Way: Custom Tags via API
Now you can set custom tags to sandbox sessions directly through the API, adding to the flexibility of the web interface. Organize and categorize your analyses your way, with more control than ever before!
Teamwork Upgrades
This year, we made significant upgrades to the Teamwork functionality of the ANY.RUN sandbox. Some of the key changes include:
Single Sign-On (SSO): We’ve tackled key issues like fixing the logout process and resolving setup problems. Plus, you now can log in not just through our authorization window but also using third-party services.
Exporting team history: Enterprise users can now export structured lists of their team’s sandbox sessions in JSON format.
Mutli-admin support: Team owners can now appoint multiple admins to manage their teams more effectively. Admins have the ability to enable and disable SSO, invite or remove team members, and manage licenses, including Threat Intelligence (TI) licenses.
Threat Intelligence Lookup
In 2024, we introduced Threat Intelligence Lookup, a tool designed to give you access to a centralized repository of millions of Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs).
TI Lookup released in 2024
This powerful service allows you to build precise queries, use them to search across threat data from public sandbox sessions, and enrich your threat intelligence with additional context, connecting isolated IOCs to broader malware campaigns, all in one place.
Throughout the year, we worked hard to refine TI Lookup, adding new features and capabilities to make it even better for security teams and professionals.
Here’s how we’ve enhanced it:
YARA Search: Your Custom Threat-Hunting Tool
This year, we expanded our Threat Intelligence suite with YARA Search, giving users the power to scan ANY.RUN’s extensive database using custom YARA rules.
YARA search inside TI Lookup
With a built-in editor, you can easily write, edit, test, and manage your rules. Once matching malicious files are identified, dive deeper by analyzing their behavior directly in the sandbox.
Mutex Search: Precision Meets Speed in TI Lookup
We’ve enhanced Threat Intelligence Lookup with a powerful Mutex Search feature, designed to make your investigations faster and more precise.
List of DCRat mutexes
Using queries like SyncObjectName:”[name of the malware]”, you can quickly locate relevant sandbox analysis sessions tied to specific mutexes.
Suricata Search: Deeper Dive into Network Threats
The Threat Intelligence Lookup now includes Suricata search fields, making it easier to pinpoint specific network threats.
Suricata search inside TI Lookup
Search using fields like SuricataClass, SuricataMessage, SuricataThreatLevel, and SuricataID to uncover detailed information about network activity.
Currently covering 79 malware families, these config-based IOCs are tagged with “malconf” for easy identification. This feature gives you a clearer understanding of malware behavior and helps you uncover actionable insights faster than ever.
Notifications
Threat Intelligence Lookup has also been upgraded with the new Notifications feature.
Notifications in TI Lookup
Subscribe to specific search queries and receive alerts on new IOCs, IOAs, and IOBs directly in your dashboard. New results are clearly highlighted, making it easier to stay on top of emerging threats and act quickly.
Redesigned Home Screen with Interactive MITRE ATT&CK Matrix
In 2024, we took the time to give the Threat Intelligence home screen a thoughtful upgrade, making it more user-friendly and packed with valuable features.
Updated version of the Threat Intelligence home pagelets you explore samples with specific TTPs
The new design offers a clearer, more intuitive view of the threat landscape. We’ve added a MITRE ATT&CK matrix with refined techniques and tactics, along with real-world examples of malware and phishing threats analyzed in the ANY.RUN sandbox.
TI Feeds
Our Threat Intelligence Feeds provide actionable data on malicious IPs, URLs, and domains, collected from analysis sessions created by over 500,000 researchers in the ANY.RUN sandbox.
This year, we further improved TI Feeds by introducing STIX and MISP formats.
You can test demo TI Feeds for free
We also introduced demo samples of our feeds that any user can try for free via API.
In 2024, we brought you Safebrowsing, a new tool designed for faster and simpler threat analysis.
You are free to interact with websites just like in a standard browser
With Safebrowsing, you can safely analyze suspicious URLs in a fully interactive, isolated browser environment. It’s a quick and secure way to explore websites, verify malicious content, and protect your local system from risk.
Browser Extension
We made malware analysis even easier with the launch of the ANY.RUN Browser Extension for Chromium-based browsers.
ANY.RUN’s browser extension can be used for streamlining threat analysis
With this extension, you can start analysis sessions directly from your browser and view results instantly, either in the extension or in the sandbox for deeper investigation. It’s fast, simple, and designed to save you valuable time.
Integrations
At ANY.RUN, we know how important integrations are for streamlining your threat analysis workflows.
That’s why in 2024 we focused on expanding our connectivity with industry-leading platforms to make your investigations faster and more efficient.
Integration with OpenCTI
OpenCTI interface
We integrated with OpenCTI, allowing users to enrich their threat intelligence with data from ANY.RUN. Malware labels, malicious scores, TTPs, file hashes, and IP addresses are now transferred into OpenCTI, eliminating manual work and centralizing your analysis.
Integration with Splunk
We also launched an integration with Splunk, bringing our Interactive Sandbox and Threat Intelligence Lookup directly into the Splunk SOAR environment.
Official page of ANY.RUN’s connector for Splunk
It lets you analyze malicious files and URLs, and enrich your investigations with comprehensive threat intelligence, all without leaving your familiar Splunk environment.
Security Training Lab
In 2024, we launched Security Training Lab, addressing a critical gap in cybersecurity education—bridging theory with hands-on practice.
Universities often struggle to keep pace with evolving cyber threats. Our program empowers educators and students with tools like ANY.RUN’s sandbox, real-world threat simulations, and a practical curriculum designed to prepare future professionals for real challenges.
Highlights of Security Training Lab
30+ hours of content: Comprehensive academic resources, tasks, and tests.
Hands-on experience: Analyze real malware samples in a secure environment.
Easy management: Track progress with our user-friendly platform.
Community support: A private Discord group for students.
With Security Training Lab, we’re shaping confident, skilled cybersecurity professionals ready to take on the future.
Cyber Threat Research from ANY.RUN Team
In 2024, ANY.RUN’s team of malware analysts continued to share their research on new and emerging threats, helping the cybersecurity community stay informed. Take a look at some of the article published by our team throughout the year:
Make sure to subscribe to us on X and other social media to get quick rundowns on active malware and phishing campaigns.
ANY.RUN’s Top Awards in 2024
Awards won by ANY.RUN in 2024
In 2024, ANY.RUN’s commitment to innovation and excellence in cybersecurity was recognized with prestigious industry awards. They reflect the hard work of our team and the impact of our tools on the global cybersecurity community:
Cybersecurity excellence awards– Winner in the Threat Hunting category, highlighting our impact and commitment to excellence.
Best security solution– Our platform was named the Best Threat Intelligence & Interactive Malware Analysis Platform, praised for its innovation and user-friendly design.
Top 150 cybersecurity vendors– ANY.RUN earned a spot on IT-Harvest’s Top 150 Vendors, a global benchmark in the cybersecurity field.
Best in behavior analytics– The CyberSecurity Breakthrough Awards recognized our behavior analytics and the advanced Automated Interactivity feature.
We’re proud of these achievements and look forward to raising the bar even higher in 2025!
Stronger Together: Collaboration with the ANY.RUN Community
We were closer than ever with the incredible ANY.RUN community. Together, we uncovered new threats, presented cutting-edge technical analyses, and pushed the boundaries of what’s possible in malware research.
Your active engagement has been at the heart of our success. We can’t thank you enough for your support and collaboration throughout the year.
As we look ahead to 2025, we’re excited to bring even more opportunities for mutual collaboration.
Let’s continue to grow, learn, and tackle cyber threats together!
More to Come in 2025
As we celebrate these milestones, we’re already looking ahead to 2025. With exciting projects on the horizon, new features in development, and your continued support, we’re confident that the best is yet to come.
To every researcher, analyst, and team who trusted ANY.RUN this year: thank you. You are the reason we do what we do. Here’s to another year of fighting cybercrime—together.
Happy New Year, The ANY.RUN Team
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-12-28 08:06:412024-12-28 08:06:412024 Wrapped: A Year of Growth, Innovation, and Community at ANY.RUN
Editor’s Note: This article was originally published on June 11, 2024, and updated on December 28, 2024.
The ANY.RUN Threat Intelligence Feeds provide data on the known indicators of compromise: malicious IPs, URLs, domains, files, and ports.
The data is collected and pre-processed from public malware and phishing samples analyzed by our community of 500,000 researchers in the ANY.RUN sandbox environment.
How ANY.RUN’s TI Feeds Help Organizations
Cyber Threat Intelligence Feeds from ANY.RUN extend the threat coverage of your SIEM and TIP systems. They provide IOCs of recently seen cyber threats so you can proactively prepare to defend your infrastructure against them, as well as:
Expand Threat Coverage: Improve system’s ability to detect emerging malware and phishing attacks.
Improve Incident Response: Enrich incident response processes with contextual data, providing deeper insights into threats and their behaviors.
Strengthen Security Posture: Ensure proactive defense against new and evolving threats.
Optimize Threat Hunting: Streamline threat hunting activities, identifying and investigating potential threats more effectively.
Feeds are easy to use. It’s practically a plug and play solution (as long as your team is already using a SIEM or TIP system).
Contact us and we’ll help you integrate ANY.RUN TI Feeds in your organization
The IOCs include information on malicious IP addresses, domain names, and URLs, enriched with contextual details such as related files and ports.
IP addresses
IP addresses are important for detecting and preventing malicious network activity. They serve as digital markers of cybercriminal operations, often linked to Command-and-Control (C2) servers or phishing campaigns.
By analyzing IP addresses, cybersecurity teams can identify and block malicious sources, trace attack origins and monitor threat patterns.
Domains
Domains are often used as staging points for cyberattacks. They provide a higher-level view of malicious activity, often connecting multiple IPs or malware instances within a single campaign.
ANY.RUN’s TI feeds provide comprehensive information about domains, including all the details available for IP addresses, such as threat names, types, detection timestamps, and related file hashes.
URLs
URL addresses serve as gateways to distribute malware, execute phishing campaigns, or redirect users to malicious content. Their flexibility and ease of use make them a preferred tool for attackers.
By analyzing URLs, cybersecurity teams can uncover attack patterns, block harmful traffic, and prevent unauthorized access to systems and data.
More information on TI Feeds’ structure and additional IOCs — in our blog post.
Key Features of ANY.RUN’s TI Feeds
Fresh Indicators: Mined from the latest public samples uploaded to our interactive sandbox by a global network of over 500,000 security professionals and updated every few hours.
Contextual Information: Offer more than just IOCs by providing direct links to sandbox sessions that include memory dumps, network traffic, and events.
Rigorous Pre-Processing: Advanced algorithms and proprietary technology used for data filtering and validation.
STIX and MISP Formats: Deliver threat intelligence feeds in the STIX and MISP formats, making it easy for security teams to integrate our data into their existing infrastructure.
Select the types of feeds you want by checking the boxes
2. Choose which indicators to receive by checking the boxes — URLs, Domains, IPs or any combination of them.
Copy the feeds URL and add it as a source in your SIEM or TIP system
3. Copy the URL and paste it into the threat intelligence feeds section of your SIEM or TIP system. This step depends on your vendor, but generally search for “threat intelligence feeds” and find an input for URL or source.
You can also download a STIX or MISP feeds sample by clicking Get Demo button.
Get the API key from Threat Intelligence Feeds dashboard
4. Copy the API key and paste it into the API field in the same SIEM/TIP section where you provided the feeds URL.
That’s it! You are now receiving demo threat data from ANY.RUN!
Contact us to access the full version of ANY.RUN TI Feeds
Our threat intelligence feeds share data in the standardized STIX and MISP formats. This means that you can practically integrate ANY.RUN feeds with any vendor, including popular platforms like OpenCTI and ThreatConnect.
Adding Threat Intelligence feeds to your cybersecurity framework significantly raises the sustainability of your organization.
Cost reduction: Investing in TI feeds can lead to significant cost savings by preventing data breaches and minimizing the need for reactive security measures.
Informed decision-making: Quality TI feeds provide critical insights, ensuring that security efforts are focused on the most pressing threats.
Brand reputation: Early detection of threats reduces the likelihood of incidents that could damage a company’s name.
Operational efficiency: Integrating CTI feeds with can contribute to better response process, improving mean time to resolution (MTTR).
Compliance: TI feeds help document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI.
For detailed information on the role of Cybersecurity Threat Intelligence Feeds in improving company’s operational performance, refer to this article.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
