First month of the year, and we’re starting it off with updates that support faster decisions and more predictable SOC operations. 

In January, we introduced a major workflow enhancement with the new ANY.RUN Sandbox integration with MISP, alongside expanded detection coverage across behavior signatures, YARA rules, and Suricata. 

Let’s find out what this means for your team. 

Product Updates 

January brought another solid round of improvements focused on practical SOC workflows: faster alert validation, less manual back-and-forth, and earlier decisions that help stop incidents from growing into bigger problems. 

The main highlight of the month was the release of the ANY.RUN Sandbox integration with MISP; an important step for teams that use MISP daily for threat intelligence and investigations. 

ANY.RUN x MISP: Boost Your Triage & Response 

Most SOC teams spend too much time validating alerts, moving samples between tools, and filling in missing context. When execution evidence is separated from threat intelligence platforms, investigations slow down, MTTR increases, and SLAs come under pressure. 

With the ANY.RUN Sandbox integration for MISP, analysts can now bring real execution behavior directly into MISP, turning it from a passive intelligence repository into an active investigation layer. 

Using native MISP modules, suspicious files and URLs can be sent straight from MISP into the ANY.RUN Sandbox, without any context switching or manual handoffs.  

You can easily integrate the modules, using the following links: 

• Submit files/URLs for analysis 

• Get analysis reports 

Analysis runs automatically using Automated Interactivity. This allows the sandbox to behave like a real user by clicking, opening files, and waiting when needed. This is critical for exposing modern threats that delay execution or hide behind user-driven actions. 

Once execution completes, results are automatically returned to MISP, including, verdict and risk assessment, extracted IOCs, adirect link to the interactive sandbox session, HTML analysis report, mapped MITRE ATT&CK techniques and tactics. 

This allows analysts to validate alerts using real behavior, not assumptions, directly inside their existing workflow. 

Benefits for Your SOC and Business 

For organizations using MISP as part of daily operations, this integration delivers clear operational gains: 

• Lower incident costs: Shorter investigations reduce effort per case 

• Reduced MTTR: Faster validation and response limit business impact 

• Stronger SLA performance: Helps MSSPs meet response time and quality commitments 

• No extra headcount: Scale investigation capacity without growing the team 

• Zero integration overhead: No custom development required when MISP is already in use 

To support proactive coverage at scale, ANY.RUN Threat Intelligence Feeds deliver verified malicious network IOCs from real attacks across 15,000+ organizations, in STIX/TAXII format, ready for use in MISP, SIEM, or SOAR platforms. 

Learn more about TI Feeds integration with MISP 

• Early detection with continuously updated indicators 

• 99% unique indicators for broader coverage 

• Verified data to reduce false positives 

• Improved correlation across campaigns 

• Less manual enrichment work for the team 

Threat Coverage Update 

In January, our team continued expanding the detection layer across sandbox execution, behavioral analytics, and network visibility, reinforcing ANY.RUN as a unified operational solution for detection, validation, and response. 

This month’s updates include: 

• 158 new behavior signatures were added to strengthen coverage across ransomware and loader activity, plus common attacker tradecraft, helping security teams spot malicious intent earlier in execution. 

• 4 new YARA rules went live in production, improving classification and hunting coverage for active malware and tooling seen in recent investigations. 

• 1,897 new Suricata rules were deployed, expanding network visibility for phishing infrastructure (including PhaaS URL patterns), backdoor C2 attempts, and stealer-related HTTP traffic. 

Together, these updates help security teams move faster from alert to decision, without switching tools or waiting for late-stage indicators. 

New Behavior Signatures  

January’s behavior signature updates focus on early-stage execution signals and hands-on attacker activity, helping teams identify malicious intent before payloads fully deploy or damage occurs. 

The new detections expand coverage across ransomware families, loaders, stealers, and post-exploitation techniques, with particular attention to abuse of native Windows tooling and suspicious command-line behavior often seen in real-world intrusions. 

This month, our team added signatures that detect: 

Malware and loader execution patterns, such as 

• Dropper behavior, 

• Loader pattern detection, 

• Possible code assembly via raw command-line parameters, 

• FOR cycle usage in command line 

Suspicious use of built-in Windows tools, including 

• PowerShell used for ZIP file operations, 

• PowerShell used for GZIP file operations, 

• CertUtil used for decoding hex-encoded data, 

• Password parameters passed via command line 

Persistence and system modification techniques, such as 

• Service autostart disabling, 

• Browser launch with unusual user-data-dir configuration 

Remote access and administrative tools observed in malicious contexts, including 

• RuDesktop, 

• Remote Ripple, 

• Kontur Admin, 

• Assistant, 

• RustDesk, 

• SharpHound 

Mutex- and pattern-based detections, including 

• Bumerang mutex identified during execution 

New YARA Rules 

In January, 4 new YARA rules went live in production, expanding detection and hunting coverage inside ANY.RUN, especially useful when teams need quick classification and reliable pivots during triage. 

Highlighted additions include: 

• Neverliet 

• Anubis 

These rules help security teams tag and cluster related samples faster, validate whether a file matches known patterns, and speed up investigation workflows without relying on a single indicator type. 

New Suricata Rules  

Our team deployed 1,897 new Suricata rules to expand network-level visibility into phishing infrastructure, backdoor communication, and stealer-related traffic patterns. These detections help teams identify malicious activity even when payloads are fileless, heavily obfuscated, or delivered through multi-stage web flows. 

Highlighted additions include: 

• Sneaky2FA-related URL pattern (sid:85005763): Tracks HTTP requests to URLs associated with Sneaky2FA PhaaS infrastructure 

• VShell backdoor C2 connection (sid:85005789): Identifies attempts by a fileless Go-based backdoor to establish communication with its C2 infrastructure 

• SantaStealer HTTP activity (sid:84000895): Detects malware C2 communication based on specific artifacts present in outbound HTTP requests 

About ANY.RUN 

ANY.RUN is a core part of modern security operations, helping organizations make faster, more confident decisions across the full investigation lifecycle, from early alert validation to deep analysis and continuous threat awareness. 

By exposing real attacker behavior in real time, ANY.RUN adds the context that alerts often lack and keeps detections aligned with how threats actually operate in the wild. This allows SOC teams to reduce noise, shorten response times, and focus effort where it matters most. 

Today, more than 600,000 security specialists and 15,000 organizations worldwide rely on ANY.RUN to accelerate triage, limit unnecessary escalations, and stay ahead of fast-moving phishing and malware campaigns 

Integrate ANY.RUN’s solution for Tier 1/2/3 in your organization → 

The post Release Notes: Workflow Improvements, MISP Integration & 2,000+ New Detections  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Cyble Vulnerability Intelligence researchers tracked 1,147 vulnerabilities in the last week, and more than 128 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks. 

A total of 108 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 54 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Below are some of the IT vulnerabilities flagged by Cyble threat intelligence researchers for prioritization by security teams in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

Cyble’s network of honeypot sensors detected attack attempts on CVE-2025-68613, a critical remote code execution flaw in the n8n open-source workflow automation platform. Workflow expressions supplied by authenticated users could execute in an insufficiently isolated context under the Improper Control of Dynamically-Managed Code Resources flaw, potentially enabling arbitrary code execution with n8n privileges and potential full system compromise. The issue is fixed in versions 1.120.4, 1.121.1, and 1.122.0. 

Vulnerabilities generating discussion in open-source communities included CVE-2025-8088, a high-severity path traversal vulnerability in WinRAR that exploits Alternate Data Streams (ADS) in crafted RAR archives. The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog last August, but recent reports reveal that multiple actors, including nation-state adversaries and financially motivated groups, are exploiting the flaw to establish initial access and deploy a diverse array of payloads. 

Also under active discussion is CVE-2025-15467, a critical stack buffer overflow in OpenSSL’s CMS (Cryptographic Message Syntax) AuthEnvelopedData parsing when using AEAD ciphers like AES-GCM. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to the issue, while FIPS modules and OpenSSL 1.1.1 and 1.0.2 are not. 

Among the recent additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog were CVE-2026-24858, an authentication bypass vulnerability in Fortinet products; CVE-2025-68645, a Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS); and CVE-2026-1281, an Ivanti Endpoint Manager Mobile (EPMM) Code Injection vulnerability. 

CVE-2026-24061 is another recent CISA KEV addition, a critical authentication bypass vulnerability in GNU Inetutils telnetd. The flaw lies in the improper neutralization of argument delimiters, specifically allowing an attacker to inject the “-f root” value into the USER environment variable. After successful exploitation, a remote unauthenticated attacker can bypass authentication mechanisms to gain immediate root-level access to the system over the network. Cyble dark web researchers have observed threat actors on underground forums discussing weaponizing the vulnerability. 

Another vulnerability under discussion by threat actors on the dark web is CVE-2025-27237, a high-severity local privilege escalation vulnerability affecting Zabbix Agent and Agent 2 on Windows. The vulnerability is caused by an uncontrolled search path that loads the OpenSSL configuration file from a directory writable by low-privileged users. By modifying this configuration file and injecting a malicious DLL, a local attacker could elevate their privileges to the SYSTEM level on the affected Windows host. 

CVE-2026-22794, a critical authentication bypass vulnerability in Appsmith, is also under active discussion by threat actors. The flaw occurs because the application trusts a user-controlled HTTP “Origin” header during security-sensitive workflows, such as password resets. An attacker could use this to generate fraudulent links that, when clicked by a victim, send secret authentication tokens to an attacker-controlled domain, enabling full account takeover of any user, including administrators. 

Among industrial control system (ICS) vulnerabilities of note, Festo Didactic SE MES PCs shipped with Windows 10 include a copy of XAMPP that contains around 140 vulnerabilities from third-party open-source applications, CISA said in a recent advisory. The issues can be fixed by replacing XAMPP with Festo Didactic’s Factory Control Panel application. 

Conclusion 

The high number of number of open-source vulnerabilities this week highlights the ever-present threat of software supply chain attacks, requiring constant vigilance by both security and development teams. Best practices aimed at reducing cyber risk and improving resilience include: 

• Prioritizing vulnerabilities based on risk.  

• Protecting web-facing assets.  

• Segmenting networks and critical assets.  

• Hardening endpoints and infrastructure.  

• Strong access controls, allowing no more access than is required, with frequent verification.  

• A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks.  

• Encryption of data at rest and in transit.  

• Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible.  

• Honeypots that lure attackers to fake assets for early breach detection.  

• Proper configuration of APIs and cloud service connections.  

• Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools.  

• Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  

Additionally, Cyble’s third-party risk intelligence can help organizations carefully vet partners and suppliers, providing an early warning of potential risks. 

The post The Week in Vulnerabilities: Open-Sources Fixes Urged by Cyble appeared first on Cyble.

Cyble – ​Read More

For many residents in Perth, finding a rental has become a high-stakes challenge. As demand for housing surges, a troubling trend has just been revealed. An Australian housing scam preying on renters who are willing to stretch every dollar to secure a roof over their heads. These rent scams, often orchestrated by individuals posing as private landlords on online platforms like Facebook Marketplace, have left victims financially and emotionally drained. 

The scheme typically begins with a seemingly genuine rental listing. Scammers steal photos from legitimate properties and post them online, offering rent well below the market rate. In Perth, median rental prices are at historic highs, with houses averaging $700 per week and units $670. Scammers exploit this stress by pitching “exclusive” opportunities that seem almost too good to be true. 

The Mechanics of the Australian Housing Scam 

Messages from these fraudsters are carefully crafted to manipulate potential tenants. One such message promises that the apartment will be “reserved exclusively only for you” in exchange for a security deposit or “commitment fee” of just a few hundred dollars. The deposit is presented as fully refundable or deductible from the first week’s rent. In reality, once the money is transferred, the scammer vanishes, leaving victims without the property and out of pocket. 

WA Commissioner for Consumer Protection, Trish Blake, describes the situation as a “perfect playground for scammers.” She explains that the perpetrators often groom their targets by appealing to their sense of urgency and personal integrity, portraying themselves as allies to those struggling in the rental market. “They’ll tell you that you’re a real battler, that you’re a good person, and that they want to help you out,” Blake said, as reported by Nine News. 

Rising Numbers and Financial Impact 

The scale of the problem is growing. In 2025, WA ScamNet, part of the Department of Local Government, Industry Regulation and Safety, documented 20 cases of rental scams, totaling losses of $51,875, a 27 percent increase from the previous year. Scammers typically provide a property address for drive-by inspections but evade any requests for in-person viewings. To add credibility, fake rental agreements featuring official logos may be used, and tenants are pressured to pay via bank transfer, bypassing safer, traceable channels. 

Rob Mandanici, a member of the Real Estate Institute of Western Australia, stresses the emotional pressure on renters. “People have pure desperation, and they will do what they can for their family, thinking they’re doing the right thing while potentially dealing with unsavoury characters,” he said. 

Commerce Minister Dr. Tony Buti noted the heartbreak of seeing renters targeted in this way. “It is particularly heartbreaking to see scammers targeting renters because they know they are under pressure and may take risks to secure a property,” he said. He advises tenants to insist on inspecting the property in person and to treat unusually cheap rent as a red flag. 

Why Perth Is Vulnerable to Housing and Rent Scams 

Several factors make Perth an ideal environment for this type of Australian housing scam. Rental vacancies are low, demand is high, and properties are snatched quickly, often in as little as 16 days. This scarcity creates a sense of urgency among renters, which scammers exploit. 

The Cook Government has issued repeated warnings to Western Australian tenants to remain vigilant, especially when dealing with private landlords or online marketplaces. Inspecting the property before paying, verifying the landlord’s identity, and consulting licensed real estate agents are critical protection methods. 

Several practical tips to avoid falling victim to rental scams include: 

• Be suspicious of properties advertised for well below market rent. 

• Do not rely solely on photos; perform reverse image searches to verify authenticity. 

• Check the property on reputable real estate websites and contact previous listing agents. 

• Avoid landlords or listings that use the same email address for multiple properties. 

• Always inspect the property in person before signing a lease or paying funds. 

• Ensure a formal lease agreement (Form 1AA) and keys are provided before transferring any money. 

• Be cautious with direct bank transfers; only pay verified landlords or licensed agents. 

Scams can be reported through the WA ScamNet website, or further guidance on rent is available via the Consumer Protection website. The Australian housing scam in Perth is more than a financial threat; it exploits human vulnerability in a market under immense pressure.  

Renters finding high prices and fierce competition must combine caution with diligence, balancing urgency with verification. While there is no substitute for careful vetting, awareness and education remain the most effective defense against campaigns like the Australian housing scam.  

References: 

• https://www.9news.com.au/national/perth-rentals-deposit-scam-targets-desperate-renters/b505ff04-a476-4478-b248-eb903ddd5c20 

• https://www.wa.gov.au/government/media-statements/Cook%20Labor%20Government/Rise-in-rent-scams-targeting-Western-Australian-tenants–20260129 

The post Desperate Perth Renters Targeted by Rising Australian Housing Scam appeared first on Cyble.

Cyble – ​Read More