With browser bookmarks, Gmail’s bottomless inbox, the ever-present Wikipedia, and the effective backup of iOS devices in iCloud, it’s easy to get the impression that data online is stored both safely and forever. Sadly though —  it’s not always the case. Therefore, it’s a good idea to make a backup of important personal information and protect it from ransomware and spyware. This post examines the whats, whys, and hows of the backup process.

Nine loss scenarios

We could write a fat textbook on how online data can disappear or otherwise become inaccessible, but we’ll limit ourselves here to listing some real-life instances of data going AWOL to better demonstrate their variety:

You bookmark your favorite recipes on a cooking website, but, after a redesign and restructuring of the site, the articles move to new addresses and your links are broken.
You listen to music on a streaming service, but songs disappear from your playlist because of copyright issues.
You chat with friends in a messenger and expect the chat history to be there forever — but the service shuts down and your history is lost.
You compile a bibliography for a thesis or research paper, but some of the referenced articles are published on sites that later close down or get paywalled.
You use a free note-taking service that suddenly becomes payable or shuts down.
You saved a link to a helpful tax and benefits guide on a government website, but some time later it becomes unavailable.
You store your photos and videos in an online photo album, but the provider decides to lower the image resolution, which causes blurring of video backgrounds and text in screenshots.
You published a website, but the hosting provider loses all your data in a cyberattack.
You liked or published a social media post, but a few months later you can’t find it. It might not even be deleted — you just have no means to search for it.

Online content loss can be divided up into two distinct types: (1) where you can no longer find information that used to be publicly available; and (2) where you lose your own data: notes, photos, or documents.

The first type of data loss is global in scale: according to a recent study, 38% of links active in 2013 were broken ten years later. For government websites, this figure is 13%; for Wikipedia links — 11%. A recent report on China’s internet landscape stated that web pages published before 2004 were near impossible to find since site owners actively purge old content. In an ironic twist, the posts of a Chinese blogger on this topic were themselves deleted.

Losing your own non-public data occurs less often, but hits much harder, so backing it up should be a priority.

What to save and how

First of all, make a list of all your important data. Think carefully about what’s really valuable to you in the digital world, and where it’s stored. Family photos? Household accounts? PhD thesis? Design ideas for your future apartment? Personal notes? Tracks of all your runs? Sort everything in descending order of importance, and make backups working your way down. Depending on the type of information, there are several backup options.

Downloading files to your drive

This is the simplest way to back up photos, documents, and other files that are stored online and can be easily opened on a computer. Saving web pages in the same way is harder, but still doable — for example, you can use the “Save as PDF” option. We recommend creating a coherent storage system on your computer so that you can easily find such files later. If their volume is too large, you can use a removable drive or set up network-attached storage (NAS) at home. To protect your data from ransomware and spyware, use robust security software, such as Kaspersky Premium. And to insure against equipment malfunction, you can set up a RAID array of drives on your computer or NAS device (the simplest, most reliable, but pricier option is RAID 1).

Exporting from online services

Online applications and services that don’t use files as such (messengers, email clients, databases, note apps) often let you export data, or create an archive file or backup. Read the respective help and explore the settings to find out how to export and what formats are available.

Usually, the most common formats are offered: HTML, PDF, TXT, or CSV. In this case, exported data can be easily viewed without specialized software and then migrated to another service. At the end of this post you’ll find links to backup-guides for popular online services.

But sometimes the export file is a black box containing a backup that only allows data restoration within the same service. This is the case, for example, with WhatsApp backups stored on Google Drive or iCloud.

Using specialized software

Some online services offer no export or backup options at all — social networks and streaming services are often guilty of this. In this case, it’s worth doing a search for a specialized export tool or online service using queries like SERVICENAME export or SERVICENAME backup. Two important warnings: before downloading anything, (1) install reliable protection on your computer to avoid picking up malware instead of a useful tool; and (2) make sure that the export procedure doesn’t violate local laws or copyrights.

Saving data backup to another online service

For important web pages, you can create backups in specialized services. For example, Pocket is great for personal use — the premium version saves not just a link to the document, but a full-text copy of it. For public use, copies of web pages can be saved to the internet archive web.archive.org or the like-minded archive.is. We’ll soon be posting about these services separately.

Storing backups in multiple online services at the same time

This insures against shutdown or technical issues with one of the services. You can combine this tip with the first one above by downloading files and saving them, say, to a Dropbox local folder on your own drive, which will automatically sync with your cloud storage. This way, the file will have both offline and cloud backups. Storing two copies of a document, for example, in OneDrive and Google Drive may seem paranoid, but it truly is reliable.

Setting up automatic backups to another service

This is the pinnacle of internet archiving — eliminating the need to update backups manually. For files, you can create a scheduled task for copying from one folder to another — allowing you to duplicate them on your home server and in cloud storage. Some note-taking services have additional sync modules that let you automatically create, say, a note in Joplin or Obsidian when new tasks appear in Todoist, add movies marked “favorite” on IMDb to separate notes, copy articles saved in Pocket to Evernote, and so on. Many such scenarios can be implemented through ready-made recipes in cross-platform automation tools like IFTTT and Zapier.

When data migration is backed up by the law

In some countries and regions, the right to download one’s data and migrate it to another service (data portability) is enshrined in law: among them are the European Union, India, Brazil, and the US State of California. If your online service offers no export or backup options, you can contact support, cite the relevant law, and get a copy of your data.

Remember to back up your online data on a regular basis — at least once a month.

How to back up data from specific online services

Because recommendations vary depending on the service and type of data, we have a series of dedicated posts grouped together with the backup tag. The list will be updated and supplemented regularly, but right now you can read about creating backups for the following:

Notion
Telegram
WhatsАpp
Authenticator apps for two-factor authentication
Other services

And don’t forget to keep your backups safe!…

Kaspersky official blog – ​Read More

Current security measures against phishing links focus on automated checks and timely blocking before they reach users. Yet, some links still make it to their targets, leaving them vulnerable as they often have no simple, fast, and reliable tool at hand to check these links at the final stage. 

To address this security gap, we created Safebrowsing, which makes it easy to safely and easily open any link and manually verify its content.

What is Safebrowsing? 

Safebrowsing offers a fully-interactive browser in the cloud that lets you open and navigate any website as you normally would in a completely isolated and secure environment. This ensures that any malicious activity encountered during browsing is contained and does not affect your local systems or network. 

With Safebrowsing, you can launch a quick virtual browser session to manually explore potentially harmful URLs. The service identifies malicious content in real time using ANY.RUN‘s proprietary technology and notifies you about it.  

After each session, you receive a list of indicators of compromise (IOCs) along with a detailed threat report. 

Safebrowsing gives you the ability to follow the entire chain of attack when facing phishing threats and get an in-depth network traffic analysis, including: 

Connections  

DNS and HTTP requests 

Network threats identified by Suricata IDS 

How does it work? 

Safebrowsing is built to be simple and effective, letting you quickly run analysis in three steps: 

Step 1: Submit URL

You enter the URL of the website you want to analyze and hit “Browse”. 

Step 2: Interact and Examine Threats

You interact with the website, clicking links, opening tabs, solving CAPTCHAs, and seeing what happens after each step with your own eyes.

While you explore, the service monitors the websites for any malicious content and lets you know about the danger. 

Step 3: Collect IOCs

Once you finish, the service generates a report outlining detected threats and suspicious activities, as well as lets you export packet data in PCAP. 

Safebrowsing demonstration 

The service quickly identifies malicious content and provides access to triggered Suricata detection rules

Check out the video above in which we investigate a phishing link using Safebrowsing. 

How is Safebrowsing different from the ANY.RUN sandbox? 

Unlike our advanced malware sandbox, Safebrowsing focuses exclusively on URL analysis.  

It provides a less complex interface that eliminates the need for in-depth system monitoring and file system access, which makes it easy-to-use for non-experts. Yet, ANY.RUN’s signature interactivity is still there. 

How is Safebrowsing different from a URL scanner? 

Compared to URL scanners that simply check any given URL against a database of known malicious URLs, Safebrowsing provides a fully interactive environment for exploring websites. 

What are possible use cases for Safebrowsing? 

Safebrowsing is a universal tool that can be of great help in different scenarios.  

Open URLs within a secure, isolated, and full-size virtual browser to prevent any potential threats from affecting your local system. 

Speed up the process of analyzing and responding to suspicious links.   

Make link checks safe, simple, and quick for non-security employees. 

Prevent infections and increase the general level of security in the organization. 

Demonstrate the risks of clicking on suspicious links as part of training on safe browsing practices. 

Observe network traffic for malicious activity to detect threats in real time. 

Improve detection of phishing threats thanks to ANY.RUN’s advanced capabilities. 

Download traffic data and the identified indicators of compromise. 

Share the completed session as evidence of malicious content. 

How Safebrowsing can help your business 

Phishing Protection  

By allowing your team to safely explore suspicious URLs, Safebrowsing helps in identifying phishing attempts before they can impact your organization. The proactive approach significantly reduces the risk of data breaches and financial losses. 

Staff Training  

Safebrowsing can be used as a training tool to educate employees about the dangers of phishing and other web-based threats. By demonstrating real-world examples in a safe environment, you can enhance your team’s awareness and preparedness. 

Empowering Non-Expert Employees  

Safebrowsing equips non-expert employees with a fast and safe way to check suspicious links without needing to involve the security team. This saves time and resources, allowing your security professionals to focus on more critical tasks 

Try Safebrowsing beta now 

Real-time threat detection, fast performance, and easy-to-use interface make Safebrowsing a perfect tool for any individual and organization that wants to avoid falling victim to phishing attacks.  

The FREE beta version is available to all ANY.RUN users. 

Analyze your first URL right away. 

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial →

The post Introducing Safebrowsing: Explore Suspicious Links in a Safe Virtual Browser appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Recently, our team of analysts discovered a sample of a yet-unknown ransomware that they dubbed Kransom. The malware employed the malicious DLL-sideloading technique to hijack the execution flow of an .exe file belonging to the popular game Honkai: Star Rail. Here is everything we have on the threat so far.

Initial Infection Vector

View the sandbox session for detailed analysis.

The Kransom ransomware attack began with a deceptive archive containing two files: an executable and a DLL (Dynamic Link Library) file.

The executable was signed with a valid certificate from COGNOSPHERE PTE. LTD, the publishing company for Honkai: Star Rail, a popular RPG. 

DLL Side-Loading Technique

Kransom employs a technique known as DLL side-loading to evade detection and inject its malicious payload. The method involves loading a malicious DLL into the process of a legitimate application.

Upon launching the legitimate executable named “StarRail.exe”, the user triggers the loading of the malicious DLL (see analysis of StarRailBase.dll), which is responsible for initiating the infection and encrypting the victim’s files.

File Encryption Method

Kransom utilizes a simple XOR encryption algorithm with a weak key (0xaa) to encrypt files on the infected system.

ANY.RUN’s sandbox helps you track all the encrypted files and see their contents.

Ransom Note

Following successful file encryption, Kransom drops a ransom note that instructs the user to contact “hoyoverse” for solutions. 

This is a social engineering tactic designed to impersonate the game’s legitimate developer, Hoyoverse, and extort money from victims.

Collecting Threat Intelligence on Kransom Ransomware

To stay updated on the latest Kransom attacks and enrich your investigations to this and other threats, use Threat intelligence Lookup. 

The service pulls threat data from thousands of public malware and phishing samples analyzed in the ANY.RUN sandbox on a daily basis.

It lets you search its database using over 40 different parameters, helping you zero in on threat using different details like registry keys, IP addresses, mutexes, and more.

Here is an example of a query you can use to find more samples of Kransom that use the DLL-sideloading technique:

The service returns more than 20 sandbox sessions that you can explore along with synchronization events and files that match the query.

Conclusion

The targeting of games like Honkai: Star Rail in ransomware attacks suggests a potential risk of threat actors using similar methods with other popular software. Organizations need to stay alert and take proactive steps to protect their systems. This includes being careful with downloads from unknown sources, receiving official software updates, and using reliable tools like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup as part of a layered security architecture.

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial →

The post Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Key Takeaways

Since June 2024, a new Android Spyware campaign has been identified targeting individuals in South Korea, leveraging an Amazon AWS S3 bucket as its Command and Control (C&C) server.

The Spyware is capable of exfiltrating sensitive information from an infected device, including SMSs, contact lists, images, and videos.

The stolen data, stored openly on the S3 bucket, suggests poor operational security, potentially leading to unintended leaks of sensitive information.

The spyware operates with a simple source code and few key permissions, demonstrating that even simple malware can be highly effective in exfiltrating sensitive data.

The malware remained undetected by all major antivirus solutions. Four unique samples were identified, exhibiting zero detection rates across all engines.

Overview

Cyble Research and Intelligence Labs (CRIL) has uncovered a previously undetected Android spyware campaign targeting individuals in South Korea, which has been active since June 2024. The spyware leverages an Amazon AWS S3 bucket as its Command and Control (C&C) server and is designed to exfiltrate sensitive data from compromised devices, including contacts, SMS messages, images, and videos.

The spyware samples observed disguise themselves as live video apps, adult apps, refund apps, and interior design applications. Below are the icons used by the malware.

Two malicious URLs distributing the spyware have been identified:

hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk

hxxps://bobocam365[.]icu/downloads/pnx01.apk

Since its emergence, this malware has remained undetected by all security solutions, allowing it to operate stealthily. CRIL has identified four unique samples linked to this spyware, all exhibiting zero detection rates across major antivirus engines.

All identified spyware samples were observed communicating with the same Command and Control (C&C) server hosted on an Amazon S3 bucket: hxxps://phone-books[.]s3.ap-northeast-2.amazonaws.com/. Our analysis revealed that the stolen data, including contacts, SMS messages, images, and videos, was openly stored in the S3 bucket (C&C server), further confirming that the malware specifically targeted individuals in South Korea.

The attackers’ poor operational security resulted in the unintentional exposure of sensitive data. We reported the misuse of the AmazonAWS S3 bucket to Amazon Trust and Safety, which disabled access to the URL and made the data no longer accessible. Furthermore, our investigation found no other C&C servers utilizing S3 buckets or exposing stolen data linked to this campaign.

Technical Details

After installation, all spyware samples display a single screen with a message in Korean tailored to the app’s theme.

The source code of this spyware is relatively simple. It utilizes a minimal set of permissions, including “READ_SMS,” “READ_CONTACTS,” and “READ_EXTERNAL_STORAGE,” to carry out its malicious operations. The manifest file specifies only the main activity, which triggers the malicious functionality upon execution.

Upon installation, the spyware requests the necessary permissions; once granted, it executes its malicious functions. These functions, responsible for collecting data from the infected device, are executed within the API method “onRequestPermissionsResult”, as illustrated in the image below.

To exfiltrate images and videos, the malware queries the device’s content provider and uploads each file to the C&C server via the endpoint “/media/+filename”. This behavior is evident in the exposed data, as shown in Figure 3.

The malware gathers contacts and SMS messages from the infected device and stores them in two separate files: phone.json for contacts and sms.json for SMS data. These files are then transmitted to the C&C server, as demonstrated in the figure below.

Conclusion

This campaign highlights the growing sophistication of Android spyware targeting individuals in South Korea. By utilizing an Amazon AWS S3 bucket for Command and Control infrastructure, the threat actors were able to maintain stealth and evade detection for an extended period. This spyware strain utilizes a minimalist approach—leveraging only a few key permissions to exfiltrate sensitive data such as contacts, SMS messages, images, and videos—and demonstrates how even simple malware can be extremely effective.

It is concerning that attackers are increasingly turning to trusted cloud services like AWS as part of their malicious infrastructure. This tactic allows them to bypass traditional security measures and stay under the radar.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Download and install software only from official app stores like Google Play Store or the iOS App Store.

Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.

Use strong passwords and enforce multi-factor authentication wherever possible.

Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.

Be wary of opening any links received via SMS or emails delivered to your phone.

Ensure that Google Play Protect is enabled on Android devices.

Be careful while enabling any permissions.

Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic
Technique ID
Procedure

Initial Access (TA0027)
Phishing (T1660)
Malware distribution via phishing site

Collection (TA0035)
Protected User Data: Contact List (T1636.003)
The malware collects contacts from the infected device

Collection (TA0035)
Protected User Data: SMS Messages
(T1636.004)
Steals SMSs from the infected device

Collection (TA0035)
Data from the Local System (T1533)
Malware steals images and videos from an infected device

Command and Control (TA0037)
Application Layer Protocol: Web Protocols (T1437)
Malware uses HTTPS protocol for C&C communication

Exfiltration (TA0036)
Exfiltration Over C2 Channel (T1646)
Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators
Indicator Type
Description

afc2baf71bc16bdcef943172eb172793759d483470cce99e542d750d2ffee851 63952a785e2c273a4dc939adc46930f9599b9438 1d7bbb5340a617cd008314b197844047
SHA256 SHA1 MD5
Spyware hashes

d9106d06d55b075757b2ca6a280141cbdaff698094a7bec787e210b00ad04cde 46eb3ba5206baf89752fe247eff9ce64858f4135 68e6401293e525bf583bade1c1a36855
SHA256 SHA1 MD5
Spyware hashes

a8e398fc4b483a1779706d227203647db3e04d305057fdc7f3f6a4318677b9c8 d07a165b1b7c177c2f57b292ae1b2429b6187e45 16139baf56200f3975e607f89e39419a
SHA256 SHA1 MD5
Spyware hashes

3608f739c66c9ca18628fecded6c3843630118baaab80e11a2bacee428ef01b3 1fc56a6d34f1a59a4987c3f8ff266f867e80d35c fa073ca9ae9173bb5f0384471486cce2
SHA256 SHA1 MD5
Spyware hashes

hxxps://phone-books.s3.ap-northeast-2.amazonaws.com/
URL
C&C server

hxxps://bobocam365[.]icu/downloads/pnx01.apk
hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk
URL
Distribution URL

The post Undetected Android Spyware Targeting Individuals In South Korea appeared first on Cyble.

Blog – Cyble – ​Read More

Key Takeaways

Five exploits of recent vulnerabilities were detected by Cyble honeypot sensors this week.

A 9.8-severity PHP flaw identified in June remains under widespread attack, and organizations are urged to upgrade as soon as possible.

Cyble researchers also identified 9 phishing scams, a number of very active brute-force attack networks, and the most commonly targeted ports.

Security teams are advised to use the information provided to harden defenses

Overview

The Cyble Global Sensor Intelligence Network, or CGSI, monitors and captures real-time attack data through Cyble’s network of Honeypot sensors. This week, Cyble’s Threat Hunting service discovered and investigated dozens of exploit attempts, malware intrusions, financial fraud, and brute-force attacks. 

The full report is available to subscribers; here we’ll cover a number of important attacks and exploits that security teams need to be aware of, plus Cyble investigations into phishing campaigns and brute force attacks. The report covers the week of Sept. 11-Sept. 17.

Attack Case Studies

The Cyble Sensor Intelligence report examined 18 attacks in all; here are five that stand out.

CVE-2024-7954: Arbitrary Code Execution Vulnerability in SPIP’s Porte Plume Plugin

CVE-2024-7954 affects the porte_plume plugin in SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16, and allows remote unauthenticated attackers to ecute arbitrary PHP code by sending a specially crafted HTTP request. Users should upgrade to patched versions to mitigate this vulnerability.

CVE-2024-7120: OS Command Injection Vulnerability in Raisecom MSG Devices

CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.

CVE-2024-4577: PHP CGI Argument Injection Vulnerability

CVE-2024-4577 is a critical PHP vulnerability that impacts CGI configurations. It enables attackers to execute arbitrary commands through specially crafted URL parameters. Given PHP’s importance and wide use, impacted organizations must upgrade to a more secure PHP version as soon as possible.

CVE-2024-36401: GeoServer Vulnerability Allows Remote Code Execution via Unsafe XPath Evaluation

CVE-2024-36401 is a critical RCE vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. The flaw arises from the unsafe evaluation of OGC request parameters as XPath expressions, allowing unauthenticated users to execute arbitrary code on default installations. The issue affects all GeoServer instances due to improper handling of simple feature types. Patches are available, and a workaround involves removing the vulnerable gt-complex library, though it may impact functionality.

CVE-2024-7029: Network Command Injection Vulnerability Without Authentication in AVTECH IP Cameras

CVE-2024-7029 allows remote attackers to inject and execute commands over the network without requiring authentication. This critical flaw poses a significant risk, enabling unauthorized control over affected systems. AVM1203, firmware version FullImg-1023-1007-1011-1009 and prior, are affected, and other IP cameras and network video recorder products may also be affected.

Phishing Scams Identified

Cyble researchers identified nine email phishing scams this week. Below are the subject lines and deceptive email addresses used in the scams, along with a description of each.

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

COMPASSION FUND OF 5.5 MILLION DOLLARS. 
info@uba.group.org 
Charity Scam 
Fake charitable fund to steal personal or financial details 

Compensation 
info.us.com 
Compensation Scam 
Offering fake compensation to collect sensitive data 

Dear Beneficiary !!! 
info@federalreservebank.com 
Impersonation Scam 
Scammers posing as a bank CEO to solicit sensitive information 

FACEBOOK GIFTS 
info@fam-koeppel.de 
Social Media Giveaway Scam 
Pretending to offer gifts to steal personal info 

WINNING GIFTS 
fachrisalman.2020@student.uny.ac.id 
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

INVESTMENT PROPOSAL 
David@uS.com 
Investment Scam 
Unrealistic investment offers to steal funds or data 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake UN compensation to collect financial details 

Your abandoned shipment 
contact@wine.plala.or.jp 
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

RE: Request Commercial We need your product 
accounts@eswil.com 
Business Commercial Scam 
Fake business requests to obtain goods without payment 

Brute-Force Attacks

Brute-force attacks consist of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. A brute force attack uses the trial-and-error method to guess login info and encryption keys or to find a hidden web page. Hackers work through all possible combinations, hoping to guess correctly.

Cyble observed thousands of brute-force attacks in the last week. A close inspection of the distribution of attacked ports based on the top five attacker countries revealed that attacks originating from the United States targeted ports 3389 (60%), 445 (19%), 22 (13%), 5900 (6%), and 9200 (3%). Attacks originating from Russia targeted ports 5900 (96%), 445 (2%), 25 (1%), 3389 (1%), and 1025 (1%). Attacks originating from The Netherlands, India, and Bulgaria largely targeted ports 5900 and 445.

 Security analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, and 3306).

The most frequently used usernames and passwords in brute-force attacks are shown in the figure below. The analysis report indicates brute-force attacks on IT automation software and servers frequently employing usernames such as 3comcso, elasticsearch, and hadoop and database attacks as in mysql and Postgres. Some of the most common username/password combinations were “root”, “admin”, “password”, “123456”, etc. Hence, it is critically important to set up strong passwords for servers and devices, and to always change default credentials.

Cyble Recommendations

Cyble researchers offered a number of recommendations for subscribers in the report:

Blocking the listed hashes, URLs, and email info on security systems.

Immediately patching all open vulnerabilities listed here and routinely monitoring the top Suricata alerts in internal networks.

Constantly check for attackers’ ASNs and IPs in the real-time attack table.

Block brute force attack IPs and the targeted ports listed in the IoC table in security products.

Immediately resetting default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

The post Cyble Sensor Intelligence: Attacks, Phishing Scams and Brute-Force Detections appeared first on Cyble.

Blog – Cyble – ​Read More